diff --git a/packages/1password/1.2.2/changelog.yml b/packages/1password/1.2.2/changelog.yml
new file mode 100755
index 0000000000..c9cfe0f5e6
--- /dev/null
+++ b/packages/1password/1.2.2/changelog.yml
@@ -0,0 +1,56 @@
+# newer versions go on top
+- version: "1.2.2"
+ changes:
+ - description: Fix typo in config template for ignoring host enrichment
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3092
+- version: "1.2.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.0"
+ changes:
+ - description: Add new "event.action" to item_usages events.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2775
+- version: "1.1.1"
+ changes:
+ - description: Fix field mapping conflict for ECS `event.created`.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2687
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2368
+- version: "1.0.0"
+ changes:
+ - description: GA integration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2360
+- version: "0.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "0.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2214
+- version: "0.1.1"
+ changes:
+ - description: Update Title and Description.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1997
+- version: "0.1.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1722
diff --git a/packages/1password/1.2.2/data_stream/item_usages/agent/stream/httpjson.yml.hbs b/packages/1password/1.2.2/data_stream/item_usages/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..5a8a7d1ff4
--- /dev/null
+++ b/packages/1password/1.2.2/data_stream/item_usages/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,57 @@
+config_version: 2
+interval: {{interval}}
+request.url: {{url}}/api/v1/itemusages
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+ - set:
+ target: "header.Content-Type"
+ value: "application/json"
+ - set:
+ target: "header.User-Agent"
+ value: "1Password-Elastic-Filebeat/0.1.0"
+ - set:
+ target: "header.Authorization"
+ value: 'Bearer {{token}}'
+ - set:
+ target: body.cursor
+ value: '[[if not (eq (len .cursor) 0)]][[.cursor.last_cursor]][[end]]'
+ - set:
+ target: body.limit
+ value_type: int
+ value: '[[if eq (len .cursor) 0]]{{limit}}[[end]]'
+cursor:
+ last_cursor:
+ value: '[[.last_response.body.cursor]]'
+response.decode_as: application/json
+response.split:
+ target: body.items
+response.pagination:
+ - set:
+ target: body.cursor
+ value: '[[.last_response.body.cursor]]'
+ fail_on_template_error: true
+ - delete:
+ target: body.limit
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/1password/1.2.2/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml b/packages/1password/1.2.2/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..ba9038d069
--- /dev/null
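Review bot: The `header.User-Agent` transform pins `1Password-Elastic-Filebeat/0.1.0` while the package is at 1.2.2, so the Events API operator cannot tell which integration version is calling and the string will keep drifting; either keep it in step with the package version (`value: "1Password-Elastic-Filebeat/1.2.2"`) or drop the version suffix. The templated scalars `interval: {{interval}}` and `request.url: {{url}}/api/v1/itemusages` are rendered unquoted, so a `url` value containing `: `, ` #` or a trailing space changes the YAML structure of the rendered input rather than producing a bad request; quoting them as `request.url: "{{url}}/api/v1/itemusages"` is cheap insurance. The `i` in `{{#each tags as |tag i|}}` is never used and can be dropped. The signin_attempts template below has the same three points.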
+++ b/packages/1password/1.2.2/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,142 @@ +--- +description: Pipeline for normalizing 1Password Item Usage Events +processors: + - rename: + field: message + target_field: event.original + - json: + field: event.original + target_field: onepassword + - drop: + description: Drop if no timestamp (invalid json) + if: "ctx?.onepassword?.timestamp == null" + + ####################### + ## ECS Event Mapping ## + ####################### + - set: + field: ecs.version + value: "8.0.0" + # Sets event.created from the @timestamp field generated by filebeat before being overwritten further down + - set: + field: event.created + copy_from: "@timestamp" + - set: + field: event.kind + value: event + - append: + field: event.category + value: [file] + - append: + field: event.type + value: [access] + - rename: + field: onepassword.action + target_field: event.action + ignore_missing: true + + ######################### + ## ECS Related Mapping ## + ######################### + - append: + field: related.user + value: "{{onepassword.user.uuid}}" + allow_duplicates: false + if: ctx?.onepassword?.user?.uuid != null + - append: + field: related.user + value: "{{onepassword.user.email}}" + allow_duplicates: false + if: ctx?.onepassword?.user?.email != null + - append: + field: related.user + value: "{{onepassword.user.name}}" + allow_duplicates: false + if: ctx?.onepassword?.user?.name != null + - append: + field: related.ip + value: "{{onepassword.client.ip_address}}" + allow_duplicates: false + if: ctx?.onepassword?.client?.ip_address != null + + ###################### + ## ECS User Mapping ## + ###################### + - rename: + field: onepassword.user.uuid + target_field: user.id + ignore_missing: true + - rename: + field: onepassword.user.name + target_field: user.full_name + ignore_missing: true + - rename: + field: onepassword.user.email + target_field: user.email + ignore_missing: true + + #################### + ## ECS OS Mapping ## + #################### + - rename: + field: 
onepassword.client.os_name + target_field: os.name + ignore_missing: true + - rename: + field: onepassword.client.os_version + target_field: os.version + ignore_missing: true + + ######################## + ## ECS Source Mapping ## + ######################## + - rename: + field: onepassword.client.ip_address + target_field: source.ip + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + + ###################### + ## ECS Base Mapping ## + ###################### + - date: + field: onepassword.timestamp + formats: + - ISO8601 + + ############# + ## Cleanup ## + ############# + - remove: + field: + - onepassword.timestamp + - onepassword.user + - onepassword.location # Use the included GeoIP processor + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/1password/1.2.2/data_stream/item_usages/fields/base-fields.yml b/packages/1password/1.2.2/data_stream/item_usages/fields/base-fields.yml new file mode 100755 index 0000000000..902686e8af --- /dev/null +++ b/packages/1password/1.2.2/data_stream/item_usages/fields/base-fields.yml 
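Review bot: The first `geoip` processor (`target_field: source.geo`) has no `ignore_missing: true`, unlike the ASN `geoip` directly after it, so an event whose `onepassword.client.ip_address` is absent — a case the `related.ip` append explicitly guards for with `if` — fails that processor, the pipeline-level `on_failure` sets `error.message`, and the remaining processors are skipped: `@timestamp` is never set from `onepassword.timestamp` and the cleanup `remove` steps do not run, so `event.original` stays in the document even when `preserve_original_event` is off. Adding `ignore_missing: true` to that processor closes the gap; the signin_attempts pipeline below has the same omission. The `ignore_failure: true` on the final `remove` of `event.original` looks like deliberate best-effort, but a one-line comment saying so (`# best-effort: never fail the event over cleanup`) would stop a later reader from "fixing" it.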
@@ -0,0 +1,23 @@
+- name: input.type
+ type: keyword
+ description: Input type
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: 1password
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: 1password.item_usages
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/1password/1.2.2/data_stream/item_usages/fields/ecs.yml b/packages/1password/1.2.2/data_stream/item_usages/fields/ecs.yml
new file mode 100755
index 0000000000..a5fd6a2817
--- /dev/null
+++ b/packages/1password/1.2.2/data_stream/item_usages/fields/ecs.yml
@@ -0,0 +1,98 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: os.name + type: keyword +- description: Operating system version as a raw string. + name: os.version + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
+ name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/1password/1.2.2/data_stream/item_usages/fields/fields.yml b/packages/1password/1.2.2/data_stream/item_usages/fields/fields.yml new file mode 100755 index 0000000000..3c2f0bfa25 --- /dev/null +++ b/packages/1password/1.2.2/data_stream/item_usages/fields/fields.yml 
@@ -0,0 +1,30 @@
+- name: onepassword
+ type: group
+ fields:
+ - name: uuid
+ type: keyword
+ description: The UUID of the event
+ - name: used_version
+ type: integer
+ description: The version of the item that was accessed
+ - name: vault_uuid
+ type: keyword
+ description: The UUID of the vault the item is in
+ - name: item_uuid
+ type: keyword
+ description: The UUID of the item that was accessed
+ - name: client
+ type: group
+ fields:
+ - name: app_name
+ type: keyword
+ description: The name of the 1Password app the item was accessed from
+ - name: app_version
+ type: keyword
+ description: The version number of the 1Password app
+ - name: platform_name
+ type: keyword
+ description: The name of the platform the item was accessed from
+ - name: platform_version
+ type: keyword
+ description: The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed
diff --git a/packages/1password/1.2.2/data_stream/item_usages/manifest.yml b/packages/1password/1.2.2/data_stream/item_usages/manifest.yml
new file mode 100755
index 0000000000..1189af5c34
--- /dev/null
+++ b/packages/1password/1.2.2/data_stream/item_usages/manifest.yml
@@ -0,0 +1,47 @@
+title: "Collect 1Password item usages events"
+type: logs
+streams:
+ - input: httpjson
+ title: "Collect 1Password item usages events"
+ description: "Collect item usages from 1Password via the 1Password Events API"
+ enabled: true
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: limit
+ type: integer
+ title: Limit
+ description: Number of events to fetch on each request
+ show_user: false
+ required: true
+ default: 1000
+ - name: interval
+ type: text
+ title: Interval to query 1Password Events API
+ description: Go Duration syntax (eg. 10s)
+ show_user: false
+ required: true
+ default: 10s
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - 1password-item_usages
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/1password/1.2.2/data_stream/item_usages/sample_event.json b/packages/1password/1.2.2/data_stream/item_usages/sample_event.json
new file mode 100755
index 0000000000..ad1f50d54c
--- /dev/null
+++ b/packages/1password/1.2.2/data_stream/item_usages/sample_event.json
@@ -0,0 +1,81 @@
+{
+ "@timestamp": "2021-08-30T18:57:42.484Z",
+ "agent": {
+ "ephemeral_id": "cbcdd98f-456d-47bb-9f43-cf589ccd810d",
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "1password.item_usages",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "reveal",
+ "agent_id_status": "verified",
+ "category": [
+ "file"
+ ],
+ "created": "2022-03-03T21:25:12.198Z",
+ "dataset": "1password.item_usages",
+ "ingested": "2022-03-03T21:25:13Z",
+ "kind": "event",
+ "type": [
+ "access"
+ ]
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "onepassword": {
+ "client": {
+ "app_name": "1Password Browser Extension",
+ "app_version": "1109",
+ "platform_name": "Chrome",
+ "platform_version": "93.0.4577.62"
+ },
+ "item_uuid": "bvwmmwxisuca7wbehrbyqhag54",
+ "used_version": 1,
+ "uuid": "MCQODBBWJD5HISKYNP3HJPV2DV",
+ "vault_uuid": "jaqxqf5qylslqiitnduawrndc5"
+ },
+ "os": {
+ "name": "Android",
+ "version": "10"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1"
+ ],
+ "user": [
+ "OJQGU46KAPROEJLCK674RHSAY5",
+ "email@1password.com",
+ "Name"
+ ]
+ },
+ "source": {
+ "ip": "1.1.1.1"
+ },
+ "tags": [
+ "forwarded",
+ "1password-item_usages"
+ ],
+ "user": {
+ "email": "email@1password.com",
+ "full_name": "Name",
+ "id": "OJQGU46KAPROEJLCK674RHSAY5"
+ }
+}
\ No newline at end of file
diff --git a/packages/1password/1.2.2/data_stream/signin_attempts/agent/stream/httpjson.yml.hbs b/packages/1password/1.2.2/data_stream/signin_attempts/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..6a8f41aee5
--- /dev/null
+++ b/packages/1password/1.2.2/data_stream/signin_attempts/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,57 @@
+config_version: 2
+interval: {{interval}}
+request.url: {{url}}/api/v1/signinattempts
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+ - set:
+ target: "header.Content-Type"
+ value: "application/json"
+ - set:
+ target: "header.User-Agent"
+ value: "1Password-Elastic-Filebeat/0.1.0"
+ - set:
+ target: "header.Authorization"
+ value: 'Bearer {{token}}'
+ - set:
+ target: body.cursor
+ value: '[[if not (eq (len .cursor) 0)]][[.cursor.last_cursor]][[end]]'
+ - set:
+ target: body.limit
+ value_type: int
+ value: '[[if eq (len .cursor) 0]]{{limit}}[[end]]'
+cursor:
+ last_cursor:
+ value: '[[.last_response.body.cursor]]'
+response.decode_as: application/json
+response.split:
+ target: body.items
+response.pagination:
+ - set:
+ target: body.cursor
+ value: '[[.last_response.body.cursor]]'
+ fail_on_template_error: true
+ - delete:
+ target: body.limit
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/1password/1.2.2/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml b/packages/1password/1.2.2/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..c1c0b88e02
--- /dev/null
+++ b/packages/1password/1.2.2/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,152 @@ +--- +description: Pipeline for normalizing 1Password Sign-in Attempts Events +processors: + - rename: + field: message + target_field: event.original + - json: + field: event.original + target_field: onepassword + - drop: + description: Drop if no timestamp (invalid json) + if: "ctx?.onepassword?.timestamp == null" + + ####################### + ## ECS Event Mapping ## + ####################### + - set: + field: ecs.version + value: "8.0.0" + # Sets event.created from the @timestamp field generated by filebeat before being overwritten further down + - set: + field: event.created + copy_from: "@timestamp" + - set: + field: event.kind + value: event + - append: + field: event.category + value: [authentication] + - append: + field: event.type + value: [info] + - rename: + field: onepassword.category + target_field: event.action + ignore_missing: true + - set: + field: event.outcome + value: success + if: "['success', 'firewall_reported_success'].contains(ctx.event?.action)" + ignore_failure: true + - set: + field: event.outcome + value: failure + if: "!['success', 'firewall_reported_success'].contains(ctx.event?.action)" + ignore_failure: true + + ######################### + ## ECS Related Mapping ## + ######################### + - append: + field: related.user + value: "{{onepassword.target_user.uuid}}" + allow_duplicates: false + if: ctx?.onepassword?.target_user?.uuid != null + - append: + field: related.user + value: "{{onepassword.target_user.email}}" + allow_duplicates: false + if: ctx?.onepassword?.target_user?.email != null + - append: + field: related.user + value: "{{onepassword.target_user.name}}" + allow_duplicates: false + if: ctx?.onepassword?.target_user?.name != null + - append: + field: related.ip + value: "{{onepassword.client.ip_address}}" + allow_duplicates: false + if: ctx?.onepassword?.client?.ip_address != null + + ###################### + ## ECS User Mapping ## + ###################### + - rename: + field: 
onepassword.target_user.uuid + target_field: user.id + ignore_missing: true + - rename: + field: onepassword.target_user.name + target_field: user.full_name + ignore_missing: true + - rename: + field: onepassword.target_user.email + target_field: user.email + ignore_missing: true + + #################### + ## ECS OS Mapping ## + #################### + - rename: + field: onepassword.client.os_name + target_field: os.name + ignore_missing: true + - rename: + field: onepassword.client.os_version + target_field: os.version + ignore_missing: true + + ######################## + ## ECS Source Mapping ## + ######################## + - rename: + field: onepassword.client.ip_address + target_field: source.ip + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + + ###################### + ## ECS Base Mapping ## + ###################### + - date: + field: onepassword.timestamp + formats: + - ISO8601 + + ############# + ## Cleanup ## + ############# + - remove: + field: + - onepassword.timestamp + - onepassword.target_user + - onepassword.location # Use the included GeoIP processor + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/1password/1.2.2/data_stream/signin_attempts/fields/base-fields.yml b/packages/1password/1.2.2/data_stream/signin_attempts/fields/base-fields.yml new file mode 100755 index 0000000000..7cd57ab5cd --- /dev/null 
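Review bot: The second `event.outcome` set, guarded by `!['success', 'firewall_reported_success'].contains(ctx.event?.action)`, also fires when `event.action` is absent — the preceding `rename` of `onepassword.category` uses `ignore_missing: true`, and `contains(null)` is false — so a sign-in event with no category is labelled `failure`, which would inflate any failed-login detection built on this data stream. Guarding it with `if: "ctx.event?.action != null && !['success', 'firewall_reported_success'].contains(ctx.event.action)"` leaves `event.outcome` unset for such events instead. Note also that this pipeline sets `event.type: [info]` and `event.outcome` together, while the `event.outcome` description in this package's fields/ecs.yml says the field is generally not populated for `event.type:info`; for an authentication attempt `start` seems the more usual type, but confirm against the ECS guidance. The `ignore_failure: true` on both sets would also swallow a runtime error in the condition, so once the null guard is in place it can probably be dropped.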
+++ b/packages/1password/1.2.2/data_stream/signin_attempts/fields/base-fields.yml
@@ -0,0 +1,23 @@
+- name: input.type
+ type: keyword
+ description: Input type
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: 1password
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: 1password.signin_attempts
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/1password/1.2.2/data_stream/signin_attempts/fields/ecs.yml b/packages/1password/1.2.2/data_stream/signin_attempts/fields/ecs.yml
new file mode 100755
index 0000000000..2d2bdc60f2
--- /dev/null
+++ b/packages/1password/1.2.2/data_stream/signin_attempts/fields/ecs.yml
@@ -0,0 +1,106 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: os.name + type: keyword +- description: Operating system version as a raw string. + name: os.version + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + type: keyword 
diff --git a/packages/1password/1.2.2/data_stream/signin_attempts/fields/fields.yml b/packages/1password/1.2.2/data_stream/signin_attempts/fields/fields.yml
new file mode 100755
index 0000000000..740d91aad1
--- /dev/null
+++ b/packages/1password/1.2.2/data_stream/signin_attempts/fields/fields.yml
@@ -0,0 +1,33 @@
+- name: onepassword
+ type: group
+ fields:
+ - name: uuid
+ type: keyword
+ description: The UUID of the event
+ - name: session_uuid
+ type: keyword
+ description: The UUID of the session that created the event
+ - name: type
+ type: keyword
+ description: Details about the sign-in attempt
+ - name: country
+ type: keyword
+ description: The country code of the event. Uses the ISO 3166 standard
+ - name: details
+ type: object
+ description: Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in
+ - name: client
+ type: group
+ fields:
+ - name: app_name
+ type: keyword
+ description: The name of the 1Password app that attempted to sign in to the account
+ - name: app_version
+ type: keyword
+ description: The version number of the 1Password app
+ - name: platform_name
+ type: keyword
+ description: The name of the platform running the 1Password app
+ - name: platform_version
+ type: keyword
+ description: The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed
diff --git a/packages/1password/1.2.2/data_stream/signin_attempts/manifest.yml b/packages/1password/1.2.2/data_stream/signin_attempts/manifest.yml
new file mode 100755
index 0000000000..fcbd59840a
--- /dev/null
+++ b/packages/1password/1.2.2/data_stream/signin_attempts/manifest.yml
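Review bot: `onepassword.details` is declared as `type: object` with no sub-fields, and the sample event only ever shows it as `null`, so nothing on this page says what keys 1Password puts under it. If a bare `object` is mapped dynamically by the package spec version in use (I believe it is, but confirm), any key the API adds under `details` — the description mentions firewall-rule information — will create new fields on the data stream and a later change in their type can produce mapping conflicts. If the sub-keys are known, declare them explicitly; otherwise extend the description to state the choice, e.g. `description: Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in. Sub-keys are defined by the 1Password Events API and are mapped dynamically.`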
@@ -0,0 +1,47 @@
+title: "1Password sign-in attempt events"
+type: logs
+streams:
+ - input: httpjson
+ title: "Collect 1Password sign-in attempt events"
+ description: "Collect sign-in attempts from 1Password via the 1Password Events API"
+ enabled: true
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: limit
+ type: integer
+ title: Limit
+ description: Number of events to fetch on each request
+ show_user: false
+ required: true
+ default: 1000
+ - name: interval
+ type: text
+ title: Interval to query 1Password Events API
+ description: Go Duration syntax (eg. 10s)
+ show_user: false
+ required: true
+ default: 10s
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - 1password-signin_attempts
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/1password/1.2.2/data_stream/signin_attempts/sample_event.json b/packages/1password/1.2.2/data_stream/signin_attempts/sample_event.json
new file mode 100755
index 0000000000..72c46afdaa
--- /dev/null
+++ b/packages/1password/1.2.2/data_stream/signin_attempts/sample_event.json
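Review bot: The `interval` var's description `Go Duration syntax (eg. 10s)` misspells "e.g." and describes only the value's syntax, not what the interval controls, which is the one thing an operator tuning it needs to know; `description: How often to poll the 1Password Events API for new sign-in attempts, in Go duration syntax (e.g. 10s)` would cover both. The `preserve_original_event` description could likewise note that the retained `event.original` is the raw API payload as received, since for an authentication audit source that is what an investigator will want to compare against the parsed fields.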
@@ -0,0 +1,83 @@
+{
+ "@timestamp": "2021-08-11T14:28:03.000Z",
+ "agent": {
+ "ephemeral_id": "6a1b2121-406e-47fc-8ab0-3ab3b521f341",
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "1password.signin_attempts",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "success",
+ "agent_id_status": "verified",
+ "category": [
+ "authentication"
+ ],
+ "created": "2022-03-03T21:25:49.160Z",
+ "dataset": "1password.signin_attempts",
+ "ingested": "2022-03-03T21:25:52Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "onepassword": {
+ "client": {
+ "app_name": "1Password Browser Extension",
+ "app_version": "1109",
+ "platform_name": "Chrome",
+ "platform_version": "93.0.4577.62"
+ },
+ "country": "AR",
+ "details": null,
+ "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7",
+ "type": "credentials_ok",
+ "uuid": "HGIF4OEWXDTVWKEQDIWTKV26HU"
+ },
+ "os": {
+ "name": "Android",
+ "version": "10"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1"
+ ],
+ "user": [
+ "OJQGU46KAPROEJLCK674RHSAY5",
+ "email@1password.com",
+ "Name"
+ ]
+ },
+ "source": {
+ "ip": "1.1.1.1"
+ },
+ "tags": [
+ "forwarded",
+ "1password-signin_attempts"
+ ],
+ "user": {
+ "email": "email@1password.com",
+ "full_name": "Name",
+ "id": "OJQGU46KAPROEJLCK674RHSAY5"
+ }
+}
\ No newline at end of file
diff --git a/packages/1password/1.2.2/docs/README.md b/packages/1password/1.2.2/docs/README.md
new file mode 100755
index 0000000000..0571e26b4d
--- /dev/null
+++ b/packages/1password/1.2.2/docs/README.md
@@ -0,0 +1,301 @@
+1Password Events Reporting
+==========================
+
+With [1Password Business](https://support.1password.com/explore/business/), you can send your account activity to your security information and event management (SIEM) system using the 1Password Events API. Get reports about 1Password activity like sign-in attempts and item usage while you manage all your company’s applications and services from a central location.
+
+With 1Password Events Reporting and Elastic SIEM, you can:
+
+- Control your 1Password data retention
+- Build custom graphs and dashboards
+- Set up custom alerts that trigger specific actions
+- Cross-reference 1Password events with the data from other services
+
+You can set up Events Reporting if you’re an owner or administrator.
+Learn how to [obtain your 1Password Events API credentials](https://support.1password.com/events-reporting/#step-1-set-up-an-events-reporting-integration).
+
+Events
+------
+
+### Sign-in Attempts
+
+Uses the 1Password Events API to retrieve information about sign-in attempts. Events include the name and IP address of the user who attempted to sign in to the account, when the attempt was made, and – for failed attempts – the cause of the failure.
+
+*Exported fields*
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| input.type | Input type | keyword |
+| onepassword.client.app_name | The name of the 1Password app that attempted to sign in to the account | keyword |
+| onepassword.client.app_version | The version number of the 1Password app | keyword |
+| onepassword.client.platform_name | The name of the platform running the 1Password app | keyword |
+| onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword |
+| onepassword.country | The country code of the event. Uses the ISO 3166 standard | keyword |
+| onepassword.details | Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in | object |
+| onepassword.session_uuid | The UUID of the session that created the event | keyword |
+| onepassword.type | Details about the sign-in attempt | keyword |
+| onepassword.uuid | The UUID of the event | keyword |
+| os.name | Operating system name, without the version. | keyword |
+| os.name.text | Multi-field of `os.name`. | match_only_text |
+| os.version | Operating system version as a raw string. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| tags | List of keywords used to tag each event. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+
+
+An example event for `signin_attempts` looks as following:
+
+```json
+{
+ "@timestamp": "2021-08-11T14:28:03.000Z",
+ "agent": {
+ "ephemeral_id": "6a1b2121-406e-47fc-8ab0-3ab3b521f341",
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "1password.signin_attempts",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "success",
+ "agent_id_status": "verified",
+ "category": [
+ "authentication"
+ ],
+ "created": "2022-03-03T21:25:49.160Z",
+ "dataset": "1password.signin_attempts",
+ "ingested": "2022-03-03T21:25:52Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "onepassword": {
+ "client": {
+ "app_name": "1Password Browser Extension",
+ "app_version": "1109",
+ "platform_name": "Chrome",
+ "platform_version": "93.0.4577.62"
+ },
+ "country": "AR",
+ "details": null,
+ "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7",
+ "type": "credentials_ok",
+ "uuid": "HGIF4OEWXDTVWKEQDIWTKV26HU"
+ },
+ "os": {
+ "name": "Android",
+ "version": "10"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1"
+ ],
+ "user": [
+ "OJQGU46KAPROEJLCK674RHSAY5",
+ "email@1password.com",
+ "Name"
+ ]
+ },
+ "source": {
+ "ip": "1.1.1.1"
+ },
+ "tags": [
+ "forwarded",
+ "1password-signin_attempts"
+ ],
+ "user": {
+ "email": "email@1password.com",
+ "full_name": "Name",
+ "id": "OJQGU46KAPROEJLCK674RHSAY5"
+ }
+}
+```
+
+### Item Usages
+
+Uses the 1Password Events API to retrieve information about items in shared vaults that have been modified, accessed, or used. Events include the name and IP address of the user who accessed the item, when it was accessed, and the vault where the item is stored.
+
+*Exported fields*
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| input.type | Input type | keyword |
+| onepassword.client.app_name | The name of the 1Password app the item was accessed from | keyword |
+| onepassword.client.app_version | The version number of the 1Password app | keyword |
+| onepassword.client.platform_name | The name of the platform the item was accessed from | keyword |
+| onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword |
+| onepassword.item_uuid | The UUID of the item that was accessed | keyword |
+| onepassword.used_version | The version of the item that was accessed | integer |
+| onepassword.uuid | The UUID of the event | keyword |
+| onepassword.vault_uuid | The UUID of the vault the item is in | keyword |
+| os.name | Operating system name, without the version. | keyword |
+| os.name.text | Multi-field of `os.name`. | match_only_text |
+| os.version | Operating system version as a raw string. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| tags | List of keywords used to tag each event. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+
+
+An example event for `item_usages` looks as following:
+
+```json
+{
+ "@timestamp": "2021-08-30T18:57:42.484Z",
+ "agent": {
+ "ephemeral_id": "cbcdd98f-456d-47bb-9f43-cf589ccd810d",
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "1password.item_usages",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "reveal",
+ "agent_id_status": "verified",
+ "category": [
+ "file"
+ ],
+ "created": "2022-03-03T21:25:12.198Z",
+ "dataset": "1password.item_usages",
+ "ingested": "2022-03-03T21:25:13Z",
+ "kind": "event",
+ "type": [
+ "access"
+ ]
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "onepassword": {
+ "client": {
+ "app_name": "1Password Browser Extension",
+ "app_version": "1109",
+ "platform_name": "Chrome",
+ "platform_version": "93.0.4577.62"
+ },
+ "item_uuid": "bvwmmwxisuca7wbehrbyqhag54",
+ "used_version": 1,
+ "uuid": "MCQODBBWJD5HISKYNP3HJPV2DV",
+ "vault_uuid": "jaqxqf5qylslqiitnduawrndc5"
+ },
+ "os": {
+ "name": "Android",
+ "version": "10"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1"
+ ],
+ "user": [
+ "OJQGU46KAPROEJLCK674RHSAY5",
+ "email@1password.com",
+ "Name"
+ ]
+ },
+ "source": {
+ "ip": "1.1.1.1"
+ },
+ "tags": [
+ "forwarded",
+ "1password-item_usages"
+ ],
+ "user": {
+ "email": "email@1password.com",
+ "full_name": "Name",
+ "id": "OJQGU46KAPROEJLCK674RHSAY5"
+ }
+}
+```
diff --git a/packages/1password/1.2.2/img/1password-itemusages-screenshot.png b/packages/1password/1.2.2/img/1password-itemusages-screenshot.png new file mode 100755 index 0000000000..1fa5c21e90 Binary files /dev/null and b/packages/1password/1.2.2/img/1password-itemusages-screenshot.png differ diff --git a/packages/1password/1.2.2/img/1password-logo-light-bg.svg b/packages/1password/1.2.2/img/1password-logo-light-bg.svg new file mode 100755 index 0000000000..27735b307c --- /dev/null +++ b/packages/1password/1.2.2/img/1password-logo-light-bg.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/1password/1.2.2/img/1password-signinattempts-screenshot.png b/packages/1password/1.2.2/img/1password-signinattempts-screenshot.png new file mode 100755 index 0000000000..4c7a9a0d7e Binary files /dev/null and b/packages/1password/1.2.2/img/1password-signinattempts-screenshot.png differ diff --git a/packages/1password/1.2.2/kibana/dashboard/1password-item-usages-full-dashboard.json b/packages/1password/1.2.2/kibana/dashboard/1password-item-usages-full-dashboard.json new file mode 100755 index 0000000000..300dd197b6 --- /dev/null +++ b/packages/1password/1.2.2/kibana/dashboard/1password-item-usages-full-dashboard.json 
@@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"33e47a7b-72d2-4721-818c-8df8d710c5ea\",\"w\":31,\"x\":0,\"y\":0},\"panelIndex\":\"33e47a7b-72d2-4721-818c-8df8d710c5ea\",\"panelRefName\":\"panel_33e47a7b-72d2-4721-818c-8df8d710c5ea\",\"type\":\"search\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":0.5},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"5270ad02-a029-4aab-a42a-b0b38988d36d\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"5270ad02-a029-4aab-a42a-b0b38988d36d\",\"panelRefName\":\"panel_5270ad02-a029-4aab-a42a-b0b38988d36d\",\"type\":\"map\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"1591a01e-b61e-4f3a-88d5-f825e39e60b6\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1591a01e-b61e-4f3a-88d5-f825e39e60b6\",\"panelRefName\":\"panel_1591a01e-b61e-4f3a-88d5-f825e39e60b6\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"3e1ea7df-1443-41c2-a4b4-45389042d2d4\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"3e1ea7df-1443-41c2-a4b4-45389042d2d4\",\"panelRefName\":\"panel_3e1ea7df-1443-41c2-a4b4-45389042d2d4\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"36297d46-8bb5-476c-b772-479be5811393\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"36297d46-8bb5-476c-b772-479be5811393\",\"panelRefName\":\"pan
el_36297d46-8bb5-476c-b772-479be5811393\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"d7f0be27-d6ed-4ef6-a217-3ee1837a7988\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"d7f0be27-d6ed-4ef6-a217-3ee1837a7988\",\"panelRefName\":\"panel_d7f0be27-d6ed-4ef6-a217-3ee1837a7988\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "Item Usages [1Password Events Reporting]", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "1password-item-usages-full-dashboard", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "1password-item-usages", + "name": "33e47a7b-72d2-4721-818c-8df8d710c5ea:panel_33e47a7b-72d2-4721-818c-8df8d710c5ea", + "type": "search" + }, + { + "id": "1password-item-usages-source-IPs-map", + "name": "5270ad02-a029-4aab-a42a-b0b38988d36d:panel_5270ad02-a029-4aab-a42a-b0b38988d36d", + "type": "map" + }, + { + "id": "1password-item-usages-over-time", + "name": "1591a01e-b61e-4f3a-88d5-f825e39e60b6:panel_1591a01e-b61e-4f3a-88d5-f825e39e60b6", + "type": "visualization" + }, + { + "id": "1password-item-usages-hot-users", + "name": "3e1ea7df-1443-41c2-a4b4-45389042d2d4:panel_3e1ea7df-1443-41c2-a4b4-45389042d2d4", + "type": "visualization" + }, + { + "id": "1password-item-usages-hot-items", + "name": "36297d46-8bb5-476c-b772-479be5811393:panel_36297d46-8bb5-476c-b772-479be5811393", + "type": "visualization" + }, + { + "id": "1password-item-usages-hot-vaults", + "name": "d7f0be27-d6ed-4ef6-a217-3ee1837a7988:panel_d7f0be27-d6ed-4ef6-a217-3ee1837a7988", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/dashboard/1password-signin-attempts-full-dashboard.json b/packages/1password/1.2.2/kibana/dashboard/1password-signin-attempts-full-dashboard.json new file mode 100755 index 0000000000..64ffa9a727 --- /dev/null 
+++ b/packages/1password/1.2.2/kibana/dashboard/1password-signin-attempts-full-dashboard.json 
@@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"944e346e-36df-430b-9734-5d91da79bdc1\",\"w\":31,\"x\":0,\"y\":0},\"panelIndex\":\"944e346e-36df-430b-9734-5d91da79bdc1\",\"panelRefName\":\"panel_944e346e-36df-430b-9734-5d91da79bdc1\",\"type\":\"search\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":18.69679,\"lon\":-18.18807,\"zoom\":0.62},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"5a635dbb-4cb6-46f8-9d4c-dd12078b184f\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"5a635dbb-4cb6-46f8-9d4c-dd12078b184f\",\"panelRefName\":\"panel_5a635dbb-4cb6-46f8-9d4c-dd12078b184f\",\"type\":\"map\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1249ea4b-cf49-4d87-8125-7f1dba37353f\",\"w\":11,\"x\":0,\"y\":15},\"panelIndex\":\"1249ea4b-cf49-4d87-8125-7f1dba37353f\",\"panelRefName\":\"panel_1249ea4b-cf49-4d87-8125-7f1dba37353f\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"51433376-546a-492a-906e-9ca7f5d34f68\",\"w\":20,\"x\":11,\"y\":15},\"panelIndex\":\"51433376-546a-492a-906e-9ca7f5d34f68\",\"panelRefName\":\"panel_51433376-546a-492a-906e-9ca7f5d34f68\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"8f8ae43c-e8d4-4425-b418-224a7db57e86\",\"w\":17,\"x\":31,\"y\":15},\"panelIndex\":\"8f8ae43c-e8d4-4425-b418-224a7db57e86\",\"panelRefName\
":\"panel_8f8ae43c-e8d4-4425-b418-224a7db57e86\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"683d1c8e-bb0f-4048-8c15-e9dc3e40fcfd\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"683d1c8e-bb0f-4048-8c15-e9dc3e40fcfd\",\"panelRefName\":\"panel_683d1c8e-bb0f-4048-8c15-e9dc3e40fcfd\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "Sign-in Attempts [1Password Events Reporting]", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "1password-signin-attempts-full-dashboard", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "1password-signin-attempts", + "name": "944e346e-36df-430b-9734-5d91da79bdc1:panel_944e346e-36df-430b-9734-5d91da79bdc1", + "type": "search" + }, + { + "id": "1password-signin-attempts-source-IPs-map", + "name": "5a635dbb-4cb6-46f8-9d4c-dd12078b184f:panel_5a635dbb-4cb6-46f8-9d4c-dd12078b184f", + "type": "map" + }, + { + "id": "1password-signin-attempts-failed-gauge", + "name": "1249ea4b-cf49-4d87-8125-7f1dba37353f:panel_1249ea4b-cf49-4d87-8125-7f1dba37353f", + "type": "visualization" + }, + { + "id": "1password-signin-attempts-count-over-time", + "name": "51433376-546a-492a-906e-9ca7f5d34f68:panel_51433376-546a-492a-906e-9ca7f5d34f68", + "type": "visualization" + }, + { + "id": "1password-signin-attempts-categories-over-time", + "name": "8f8ae43c-e8d4-4425-b418-224a7db57e86:panel_8f8ae43c-e8d4-4425-b418-224a7db57e86", + "type": "visualization" + }, + { + "id": "1password-signin-attempts-hot-users", + "name": "683d1c8e-bb0f-4048-8c15-e9dc3e40fcfd:panel_683d1c8e-bb0f-4048-8c15-e9dc3e40fcfd", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/1password/1.2.2/kibana/map/1password-item-usages-source-IPs-map.json b/packages/1password/1.2.2/kibana/map/1password-item-usages-source-IPs-map.json new file mode 100755 index 0000000000..8b21f3b8e2 --- /dev/null +++ b/packages/1password/1.2.2/kibana/map/1password-item-usages-source-IPs-map.json 
@@ -0,0 +1,23 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"11a86591-809c-4c7b-9668-0d0cc31980c9\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"55025914-752d-4a12-88f4-c9fe89ddbb9d\",\"joins\":[],\"label\":\"Source Locations\",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:1password.item_usages\"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":true,\"geoField\":\"source.geo.location\",\"id\":\"ae93e398-4d52-4616-99c3-783c0f34d767\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", + "title": "Audit item usages Source Locations [1Password Events Reporting]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "id": "1password-item-usages-source-IPs-map", + 
"migrationVersion": { + "map": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/map/1password-signin-attempts-source-IPs-map.json b/packages/1password/1.2.2/kibana/map/1password-signin-attempts-source-IPs-map.json new file mode 100755 index 0000000000..0580583fc4 --- /dev/null +++ b/packages/1password/1.2.2/kibana/map/1password-signin-attempts-source-IPs-map.json 
@@ -0,0 +1,23 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"db596930-2b43-4b31-b555-5bfb2ef9a3b3\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"a912dae9-61dd-4f45-96d4-15968e14aa79\",\"joins\":[],\"label\":\"Source Locations\",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:1password.signin_attempts\"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":true,\"geoField\":\"source.geo.location\",\"id\":\"98b57871-9ec7-49ce-b371-bd052adaf795\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", + "title": "Audit sign-in attempts Source Locations [1Password Events Reporting]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "id": 
"1password-signin-attempts-source-IPs-map", + "migrationVersion": { + "map": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/search/1password-all-events.json b/packages/1password/1.2.2/kibana/search/1password-all-events.json new file mode 100755 index 0000000000..07937ec0c5 --- /dev/null +++ b/packages/1password/1.2.2/kibana/search/1password-all-events.json @@ -0,0 +1,36 @@ +{ + "attributes": { + "columns": [ + "data_stream.dataset", + "user.email", + "onepassword.client.app_name", + "source.geo.country_iso_code" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.module:1password\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "1Password all events [1Password Events Reporting]", + "version": 1 + }, + "coreMigrationVersion": "7.14.0", + "id": "1password-all-events", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/search/1password-item-usages.json b/packages/1password/1.2.2/kibana/search/1password-item-usages.json new file mode 100755 index 0000000000..3537396b78 --- /dev/null +++ b/packages/1password/1.2.2/kibana/search/1password-item-usages.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "user.email", + "event.action", + "onepassword.vault_uuid", + "onepassword.item_uuid", + "source.geo.country_iso_code" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:1password.item_usages\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "1Password item usages [1Password Events Reporting]", + "version": 1 + }, + "coreMigrationVersion": "7.14.0", + "id": "1password-item-usages", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/search/1password-signin-attempts.json b/packages/1password/1.2.2/kibana/search/1password-signin-attempts.json new file mode 100755 index 0000000000..b5ce5ab980 --- /dev/null +++ b/packages/1password/1.2.2/kibana/search/1password-signin-attempts.json 
@@ -0,0 +1,36 @@ +{ + "attributes": { + "columns": [ + "user.email", + "event.action", + "onepassword.type", + "source.geo.country_iso_code" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:1password.signin_attempts\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "1Password sign-in attempts [1Password Events Reporting]", + "version": 1 + }, + "coreMigrationVersion": "7.14.0", + "id": "1password-signin-attempts", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/visualization/1password-item-usages-hot-items.json b/packages/1password/1.2.2/kibana/visualization/1password-item-usages-hot-items.json new file mode 100755 index 0000000000..e777fb6e3b --- /dev/null +++ b/packages/1password/1.2.2/kibana/visualization/1password-item-usages-hot-items.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Item Usages hot items [1Password Events Reporting]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Last usage\",\"field\":\"@timestamp\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Item UUID\",\"field\":\"onepassword.item_uuid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "1password-item-usages-hot-items", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "1password-item-usages", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/visualization/1password-item-usages-hot-users.json b/packages/1password/1.2.2/kibana/visualization/1password-item-usages-hot-users.json new file mode 100755 index 0000000000..8a3bb34920 --- /dev/null +++ b/packages/1password/1.2.2/kibana/visualization/1password-item-usages-hot-users.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Item Usages hot users [1Password Events Reporting]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"3\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Name\",\"field\":\"user.full_name\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"asc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Email\",\"field\":\"user.email\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"asc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User UUID\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "1password-item-usages-hot-users", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "1password-item-usages", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/visualization/1password-item-usages-hot-vaults.json b/packages/1password/1.2.2/kibana/visualization/1password-item-usages-hot-vaults.json new file mode 100755 index 0000000000..99311ebab2 --- /dev/null 
+++ b/packages/1password/1.2.2/kibana/visualization/1password-item-usages-hot-vaults.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Item Usages hot vaults [1Password Events Reporting]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Top Item UUID\",\"field\":\"onepassword.item_uuid\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Vault UUID\",\"field\":\"onepassword.vault_uuid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "1password-item-usages-hot-vaults", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "1password-item-usages", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/visualization/1password-item-usages-over-time.json b/packages/1password/1.2.2/kibana/visualization/1password-item-usages-over-time.json new file mode 100755 index 0000000000..7d85abe48c --- /dev/null +++ b/packages/1password/1.2.2/kibana/visualization/1password-item-usages-over-time.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Item Usages over time [1Password Events Reporting]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d/d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"3h\"},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\
"}]},\"title\":\"\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "1password-item-usages-over-time", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "1password-item-usages", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-categories-over-time.json b/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-categories-over-time.json new file mode 100755 index 0000000000..f0eff05d70 --- /dev/null +++ b/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-categories-over-time.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Sign-in Attempts categories over time [1Password Events Reporting]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"credentials_failed\":\"#e7664c\",\"firewall_failed\":\"#d36086\",\"firewall_reported_success\":\"#6092c0\",\"mfa_failed\":\"#9170b8\",\"modern_version_failed\":\"#d6bf57\",\"success\":\"#54b399\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d/d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"3h\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showC
ircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "1password-signin-attempts-categories-over-time", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "1password-signin-attempts", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-count-over-time.json b/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-count-over-time.json new file mode 100755 index 0000000000..0dc014fd93 --- /dev/null +++ b/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-count-over-time.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Sign-in Attempts over time [1Password Events Reporting]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d/d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"3h\"},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"v
alue\"}]},\"title\":\"\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "1password-signin-attempts-count-over-time", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "1password-signin-attempts", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-failed-gauge.json b/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-failed-gauge.json new file mode 100755 index 0000000000..88a6de39c7 --- /dev/null +++ b/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-failed-gauge.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Sign-in Attempts unsuccessful gauge [1Password Events Reporting]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"NOT event.action: (\\\"success\\\" \\\"firewall_reported_success\\\")\"},\"label\":\"Failed Sign-in attempts\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"alignment\":\"automatic\",\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10},{\"from\":10,\"to\":30},{\"from\":30,\"to\":100}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"rgba(105,112,125,0.2)\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":true,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"mask\":false,\"maskBars\":50,\"subText\":\"\",\"width\":0.9},\"type\":\"meter\"},\"isDisplayWarning\":false,\"type\":\"gauge\"},\"title\":\"\",\"type\":\"gauge\"}" + }, + "id": "1password-signin-attempts-failed-gauge", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "1password-signin-attempts", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-hot-users.json b/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-hot-users.json
new file mode 100755
index 0000000000..00fe5a4341
--- /dev/null
+++ b/packages/1password/1.2.2/kibana/visualization/1password-signin-attempts-hot-users.json
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Sign-in Attempts hot users [1Password Events Reporting]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"3\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Name\",\"field\":\"user.full_name\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"asc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Email\",\"field\":\"user.email\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"asc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User UUID\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "1password-signin-attempts-hot-users", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "1password-signin-attempts", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/1password/1.2.2/manifest.yml b/packages/1password/1.2.2/manifest.yml new file mode 100755 index 0000000000..68549ebe2f --- /dev/null +++ b/packages/1password/1.2.2/manifest.yml 
@@ -0,0 +1,72 @@
+format_version: 1.0.0
+name: 1password
+title: "1Password Events Reporting"
+version: 1.2.2
+license: basic
+description: Collect events from 1Password Events API with Elastic Agent.
+type: integration
+categories:
+ - security
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+screenshots:
+ - src: /img/1password-signinattempts-screenshot.png
+ title: Sign-in attempts
+ size: 1918x963
+ type: image/png
+ - src: /img/1password-itemusages-screenshot.png
+ title: Item usages
+ size: 1916x965
+ type: image/png
+icons:
+ - src: /img/1password-logo-light-bg.svg
+ title: 1Password
+ size: 116x116
+ type: image/svg+xml
+policy_templates:
+ - name: 1password
+ title: 1Password Events
+ description: Collect events from 1Password Events Reporting
+ inputs:
+ - type: httpjson
+ title: Collect events from 1Password Events API
+ description: Collect sign-in attempt and item usages from 1Password via the 1Password Events API
+ vars:
+ - name: url
+ type: text
+ title: URL of 1Password Events API Server
+ description: |
+ options: https://events.1password.com, https://events.1password.ca, https://events.1password.eu, https://events.ent.1password.com. path is automatic
+ show_user: true
+ required: true
+ default: https://events.1password.com
+ - name: token
+ type: password
+ title: 1Password Authorization Token
+ description: |
+ Bearer Token, e.g. "eyJhbGciO..."
+ show_user: true
+ required: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ description: URL to proxy connections in the form of http[s]://:@:
+ multi: false
+ required: false
+ show_user: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+owner:
+ github: elastic/security-external-integrations
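Review bot: The `proxy_url` description under `policy_templates[0].inputs[0].vars` reads `http[s]://:@:`, which tells the operator nothing about what belongs between the separators; it looks like the placeholder names were lost, possibly only in rendering, so confirm against the file on disk. If the file really reads this way, spell them out, e.g. `description: URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>`. The `url` var is free text with no validation visible in this hunk, and its description only lists the four 1Password endpoints as "options"; stating that the value must be one of those https endpoints (and that the token is sent as a bearer header to whatever host is configured) would make the trust boundary explicit to whoever fills in the policy.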
diff --git a/packages/akamai/0.1.3/changelog.yml b/packages/akamai/0.1.3/changelog.yml
new file mode 100755
index 0000000000..328f273a3b
--- /dev/null
+++ b/packages/akamai/0.1.3/changelog.yml
@@ -0,0 +1,21 @@
+# newer versions go on top
+- version: "0.1.3"
+ changes:
+ - description: Fix typo in config template for ignoring host enrichment
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3092
+- version: "0.1.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.1.1"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2369
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/1643
diff --git a/packages/akamai/0.1.3/data_stream/siem/agent/stream/httpjson.yml.hbs b/packages/akamai/0.1.3/data_stream/siem/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..4efc3cf8ea
--- /dev/null
+++ b/packages/akamai/0.1.3/data_stream/siem/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,80 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+request.url: "{{api_host}}/siem/v1/configs/{{config_ids}}"
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+request.transforms:
+ - set:
+ target: url.params.from
+ value: "[[.cursor.last_execution_datetime]]"
+ default: '[[ (now (parseDuration "-{{initial_interval}}")).Unix ]]'
+ - set:
+ target: url.params.to
+ value: '[[ (now (parseDuration "-1m")).Unix ]]'
+ - set:
+ target: header.XTimestamp
+ value: '[[ formatDate (now) "20060102T15:04:05-0700" ]]'
+ - set:
+ target: header.XSignatureBase
+ value: '[[ sprintf "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;" "{{client_token}}" "{{access_token}}" (.header.Get "XTimestamp") uuid ]]'
+ - set:
+ target: header.XSignatureKey
+ value: '[[ hmacBase64 "sha256" "{{client_secret}}" (.header.Get "XTimestamp") ]]'
+ - set:
+ target: header.XSignature
+ value: '[[ hmacBase64 "sha256" (.header.Get "XSignatureKey") "GET\t" .url.Scheme "\t" .url.Host "\t" .url.Path "?" 
.url.RawQuery "\t\t\t" (.header.Get "XSignatureBase") ]]'
+ - set:
+ target: header.Authorization
+ value: '[[ sprintf "%ssignature=%s" (.header.Get "XSignatureBase") (.header.Get "XSignature") ]]'
+ - delete:
+ target: header.XSignature
+ - delete:
+ target: header.XSignatureKey
+ - delete:
+ target: header.XSignatureBase
+ - delete:
+ target: header.XTimestamp
+
+response.decode_as: application/x-ndjson
+
+response.pagination:
+ - set:
+ target: url.params.offset
+ value: '[[ .last_event.offset ]]'
+ fail_on_template_error: true
+ - delete:
+ target: url.params.from
+ - delete:
+ target: url.params.to
+
+cursor:
+ last_execution_datetime:
+ value: '[[ (now (parseDuration "-1m")).Unix ]]'
+
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/akamai/0.1.3/data_stream/siem/elasticsearch/ingest_pipeline/default.yml b/packages/akamai/0.1.3/data_stream/siem/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..734700a2fb
--- /dev/null
+++ b/packages/akamai/0.1.3/data_stream/siem/elasticsearch/ingest_pipeline/default.yml
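Review bot: The `header.XSignatureBase` and `header.XSignatureKey` transforms splice `{{client_token}}`, `{{access_token}}` and `{{client_secret}}` straight into double-quoted Go-template string literals inside a single-quoted YAML scalar, so a credential containing `"` or `\` breaks the rendered template and one containing `'` breaks the YAML scalar, neither of which this hunk guards against; unless the package's var validation already excludes those characters (not visible here), a template comment such as `{{!-- client_token/access_token/client_secret land inside Go-template string literals; values containing " \ or ' will break rendering --}}` above `request.transforms:` would at least make the constraint discoverable. `request.proxy_url: {{proxy_url}}` is emitted unquoted, so an empty or oddly shaped expansion is parsed as whatever YAML infers rather than as a string; `request.proxy_url: "{{proxy_url}}"` is the safer form. The `XTimestamp` layout `20060102T15:04:05-0700` prints the zone of the value `now` returns, and the Akamai EdgeGrid scheme expects the `+0000` (UTC) form; this appears to hold for httpjson's `now`, but a one-line comment stating the UTC assumption would save the next reader a lookup. Deleting the four scratch `X*` headers after `Authorization` is assembled is the right call, since it keeps the signing key and base string off the wire.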
@@ -0,0 +1,426 @@ +--- +description: Pipeline for parsing Akamai logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: ecs.version + value: '8.0.0' +- rename: + field: message + target_field: event.original +- json: + field: event.original + target_field: json +- drop: + if: 'ctx?.json?.offset != null' +- set: + field: observer.vendor + value: akamai +- set: + field: observer.type + value: proxy +- date: + field: json.httpMessage.start + formats: + - UNIX + timezone: UTC + target_field: "@timestamp" +- set: + field: "event.start" + copy_from: "@timestamp" +- rename: + field: json.httpMessage.status + target_field: http.response.status_code + ignore_missing: true +- convert: + field: http.response.status_code + type: long + ignore_missing: true +- rename: + field: json.httpMessage.bytes + target_field: http.response.bytes + ignore_missing: true +- convert: + field: http.response.bytes + type: long + ignore_missing: true +- rename: + field: json.httpMessage.requestId + target_field: http.request.id + ignore_missing: true +- set: + field: event.id + copy_from: http.request.id + ignore_empty_value: true +- fingerprint: + fields: + - http.request.id + target_field: "_id" + ignore_missing: true +- rename: + field: json.httpMessage.method + target_field: http.request.method + ignore_missing: true +- rename: + field: json.httpMessage.host + target_field: url.domain + ignore_missing: true +- urldecode: + field: json.httpMessage.path + target_field: url.path + ignore_missing: true +- urldecode: + field: json.httpMessage.query + target_field: url.query + ignore_missing: true +- rename: + field: json.httpMessage.port + target_field: url.port + ignore_missing: true +- convert: + field: url.port + type: long + ignore_missing: true +- urldecode: + field: json.httpMessage.responseHeaders + target_field: _tmp.response.headers + ignore_missing: true +- kv: + field: _tmp.response.headers + target_field: akamai.siem.response.headers + 
field_split: '\r\n' + value_split: ': ' + ignore_missing: true +- urldecode: + field: json.httpMessage.requestHeaders + target_field: _tmp.request.headers + ignore_missing: true +- kv: + field: _tmp.request.headers + target_field: akamai.siem.request.headers + field_split: '\r\n' + value_split: ': ' + ignore_missing: true +- script: + lang: painless + description: This script builds the `url.full` field out of the available `url.*` parts. + source: | + def full = ""; + if(ctx.url.scheme != null && ctx.url.scheme != "") { + full += ctx.url.scheme+"://"; + } + if(ctx.url.domain != null && ctx.url.domain != "") { + full += ctx.url.domain; + } + if(ctx.json.httpMessage.path != null && ctx.json.httpMessage.path != "") { + full += ctx.json.httpMessage.path; + } + if(ctx.json.httpMessage.query != null && ctx.json.httpMessage.query != "") { + full += "?"+ctx.json.httpMessage.query; + } + if(full != "") { + ctx.url.full = full + } +- dissect: + field: json.httpMessage.protocol + pattern: "%{network.protocol}/%{http.version}" + ignore_failure: true +- lowercase: + field: network.protocol + ignore_missing: true +- set: + field: network.transport + value: tcp + if: ctx?.network?.protocol != null && ctx?.network?.protocol == 'http' +- dissect: + field: json.httpMessage.tls + pattern: "%{tls.version_protocol}v%{tls.version}" + ignore_failure: true + ignore_missing: true +- lowercase: + field: tls.version_protocol + ignore_missing: true +- rename: + field: json.attackData.clientIP + target_field: source.address + ignore_missing: true +- convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true + ignore_failure: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- rename: + field: json.geo.country + target_field: source.geo.country_iso_code + ignore_missing: true + if: ctx?.source?.geo?.country_iso_code == null +- set: + field: source.geo.region_iso_code + value: "{{json.geo.country}}-{{json.geo.regionCode}}" + 
ignore_empty_value: true + if: ctx?.source?.geo?.region_iso_code == null +- rename: + field: json.geo.city + target_field: source.geo.city_name + ignore_missing: true + if: ctx?.source?.geo?.city_name == null +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- convert: + field: json.geo.asn + target_field: source.as.number + type: long + ignore_missing: true + if: ctx?.source?.as?.number == null +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +## Attack Data +- urldecode: + field: json.attackData.ruleActions + target_field: json.attackData.ruleActions + ignore_missing: true +- split: + field: json.attackData.ruleActions + target_field: json.attackData.ruleActions + separator: ';' + preserve_trailing: true +- urldecode: + field: json.attackData.ruleData + target_field: json.attackData.ruleData + ignore_missing: true +- split: + field: json.attackData.ruleData + target_field: json.attackData.ruleData + separator: ';' + preserve_trailing: true +- urldecode: + field: json.attackData.ruleMessages + target_field: json.attackData.ruleMessages + ignore_missing: true +- split: + field: json.attackData.ruleMessages + target_field: json.attackData.ruleMessages + separator: ';' + preserve_trailing: true +- urldecode: + field: json.attackData.ruleSelectors + target_field: json.attackData.ruleSelectors + ignore_missing: true +- split: + field: json.attackData.ruleSelectors + target_field: json.attackData.ruleSelectors + separator: ';' + preserve_trailing: true +- urldecode: + field: json.attackData.ruleTags + target_field: json.attackData.ruleTags + ignore_missing: true +- split: + field: json.attackData.ruleTags + target_field: json.attackData.ruleTags + separator: ';' + preserve_trailing: true +- urldecode: + field: 
json.attackData.ruleVersions + target_field: json.attackData.ruleVersions + ignore_missing: true +- split: + field: json.attackData.ruleVersions + target_field: json.attackData.ruleVersions + separator: ';' + preserve_trailing: true +- urldecode: + field: json.attackData.rules + target_field: json.attackData.rules + ignore_missing: true +- split: + field: json.attackData.rules + target_field: json.attackData.rules + separator: ';' + preserve_trailing: true +- script: + lang: painless + description: Base64 Decode the json.attackData.rule* fields + source: | + ArrayList items = new ArrayList(["rules", "ruleActions", "ruleData", "ruleMessages", "ruleTags", "ruleSelectors", "ruleVersions"]); + ArrayList rules_array = new ArrayList(); + for (def i = 0; i < ctx.json.attackData.rules.length; i++) { + HashMap map = new HashMap(); + for (def j = 0; j < items.length; j++) { + String key = items[j]; + if (i < ctx.json.attackData[key].length ) { + String value = ctx.json.attackData[key][i].replace(" ", "").decodeBase64(); + map.put(key, value); + } + } + rules_array.add(map); + } + ctx.akamai.siem.rules = rules_array; +- rename: + field: json.attackData.configId + target_field: akamai.siem.config_id + ignore_missing: true +- rename: + field: json.attackData.policyId + target_field: akamai.siem.policy_id + ignore_missing: true +- rename: + field: json.attackData.policyId + target_field: akamai.siem.policy_id + ignore_missing: true +- rename: + field: json.attackData.slowPostAction + target_field: akamai.siem.slow_post_action + ignore_missing: true +- convert: + field: json.attackData.slowPostRate + target_field: akamai.siem.slow_post_rate + type: long + ignore_missing: true +- rename: + field: json.attackData.clientReputation + target_field: akamai.siem.client_reputation + ignore_missing: true +- rename: + field: json.attackData.clientReputation + target_field: akamai.siem.client_reputation + ignore_missing: true +## Bot Data +- convert: + field: json.botData.botScore + 
target_field: akamai.siem.bot.score + type: long + ignore_missing: true +- convert: + field: json.botData.responseSegment + target_field: akamai.siem.bot.response_segment + type: long + ignore_missing: true +## Client Data +- rename: + field: json.clientData.appBundleId + target_field: akamai.siem.client_data.app_bundle_id + ignore_missing: true +- rename: + field: json.clientData.appVersion + target_field: akamai.siem.client_data.app_version + ignore_missing: true +- convert: + field: json.clientData.telemetryType + target_field: akamai.siem.client_data.telemetry_type + type: long + ignore_missing: true +- rename: + field: json.clientData.sdkVersion + target_field: akamai.siem.client_data.sdk_version + ignore_missing: true +## User Risk Data +- rename: + field: json.userRiskData.uuid + target_field: akamai.siem.user_risk.uuid + ignore_missing: true +- convert: + field: json.userRiskData.status + target_field: akamai.siem.user_risk.status + type: long + ignore_missing: true +- convert: + field: json.userRiskData.score + target_field: akamai.siem.user_risk.score + type: long + ignore_missing: true +- convert: + field: json.userRiskData.allow + target_field: akamai.siem.user_risk.allow + type: long + ignore_missing: true +- kv: + field: json.userRiskData.risk + target_field: akamai.siem.user_risk.risk + field_split: '\|' + value_split: ':' + ignore_missing: true +- kv: + field: json.userRiskData.trust + target_field: akamai.siem.user_risk.trust + field_split: '\|' + value_split: ':' + ignore_missing: true +- kv: + field: json.userRiskData.general + target_field: akamai.siem.user_risk.general + field_split: '\|' + value_split: ':' + ignore_missing: true +## +- append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false +- set: + field: client + copy_from: source +- set: + field: event.category + value: network +- set: + field: event.kind + value: event +- remove: + field: + - json + - _tmp + ignore_missing: true +- remove: + field: event.original + 
if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: +- set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/akamai/0.1.3/data_stream/siem/fields/agent.yml b/packages/akamai/0.1.3/data_stream/siem/fields/agent.yml new file mode 100755 index 0000000000..4d9a6f7b36 --- /dev/null +++ b/packages/akamai/0.1.3/data_stream/siem/fields/agent.yml 
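Review bot: The `split` processors over `json.attackData.rule*` carry no `ignore_missing`, and the base64-decoding script dereferences `ctx.json.attackData.rules.length` without a guard, so any record lacking one of those arrays aborts the pipeline there; the `on_failure` handler only sets `error.message`, which leaves the raw `json.*` object — including attacker-supplied `requestHeaders` and `ruleData` — in the indexed document, dynamically mapped if the data stream's mapping permits it. Adding `ignore_missing: true` to each `split`, guarding the script with `if: ctx.json?.attackData?.rules != null`, and removing `json` in `on_failure` would keep partial records from failing open; whether Akamai ever omits `attackData` (for example on bot-only records) cannot be confirmed from this hunk. The `rename` of `json.attackData.policyId` and of `json.attackData.clientReputation` each appear twice with identical targets; the second copies are dead and should be dropped. Since every event is a WAF match, `event.kind: event` with no `event.type` or `event.outcome` is also worth revisiting — `ruleActions` (alert/deny) looks like the natural source for `event.outcome`, but that is an inference from the field names, not from this hunk.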
@@ -0,0 +1,114 @@ +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). 
+ example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/akamai/0.1.3/data_stream/siem/fields/base-fields.yml b/packages/akamai/0.1.3/data_stream/siem/fields/base-fields.yml new file mode 100755 index 0000000000..90bd5c6753 --- /dev/null +++ b/packages/akamai/0.1.3/data_stream/siem/fields/base-fields.yml 
@@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: akamai +- name: event.dataset + type: constant_keyword + description: Event dataset + value: akamai.siem +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/akamai/0.1.3/data_stream/siem/fields/beats.yml b/packages/akamai/0.1.3/data_stream/siem/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/akamai/0.1.3/data_stream/siem/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/akamai/0.1.3/data_stream/siem/fields/ecs.yml b/packages/akamai/0.1.3/data_stream/siem/fields/ecs.yml new file mode 100755 index 0000000000..61cbacbed0 --- /dev/null +++ b/packages/akamai/0.1.3/data_stream/siem/fields/ecs.yml 
@@ -0,0 +1,264 @@ +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + name: client.geo.location + type: geo_point +- description: Region name. + name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: Port of the client. + name: client.port + type: long +- description: |- + ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. 
+ name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: Password of the request. 
+ name: url.password + type: keyword +- description: Port of the request, such as 443. + name: url.port + type: long +- description: Username of the request. + name: url.username + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: String indicating the cipher used during the current connection. + name: tls.cipher + type: keyword +- description: Numeric part of the version parsed from the original string. + name: tls.version + type: keyword +- description: Normalized lowercase protocol name parsed from original string. + name: tls.version_protocol + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: Total size in bytes of the response (body and headers). + name: http.response.bytes + type: long +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: |- + A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. + name: http.request.id + type: keyword +- description: HTTP version. + name: http.version + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword diff --git a/packages/akamai/0.1.3/data_stream/siem/fields/fields.yml b/packages/akamai/0.1.3/data_stream/siem/fields/fields.yml new file mode 100755 index 0000000000..faa4f435cb --- /dev/null +++ b/packages/akamai/0.1.3/data_stream/siem/fields/fields.yml 
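Review bot: `client.geo.country_iso_code` is declared twice in this file (the second entry sits directly after `client.geo.continent_name`) with an identical definition. Most package tooling tolerates the duplicate, but it should be removed so the field list stays canonical and does not produce a spurious diff the next time the ECS fields are regenerated.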
@@ -0,0 +1,110 @@ +- name: akamai.siem + type: group + release: beta + default_field: false + description: > + Fields for Akamai SIEM Logs + + fields: + - name: response.headers + type: flattened + description: > + HTTP response headers + + - name: request.headers + type: flattened + description: > + HTTP Request headers + + - name: rules + type: nested + description: > + Rules triggered by this request + + - name: config_id + type: keyword + description: > + ID of the Security Configuration applied to the request. + + - name: policy_id + type: keyword + description: > + ID of the Firewall policy applied to the request. + + - name: slow_post_action + type: keyword + description: > + Action taken if a Slow POST attack is detected: W for Warn or A for deny (abort). + + - name: slow_post_rate + type: long + description: > + Recorded rate of a detected Slow POST attack. + + - name: client_reputation + type: keyword + description: > + Client IP scores for Client Reputation. + + - name: bot.score + type: long + description: > + Score assigned to the request by Botman Manager. + + - name: bot.response_segment + type: long + description: > + Numeric response segment indicator. Segments are used to group and categorize bot scores. + + - name: client_data.app_bundle_id + type: keyword + description: > + Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. + + - name: client_data.app_version + type: keyword + description: > + Version number of the app. + + - name: client_data.telemetry_type + type: long + description: > + Specifies the telemetry type in use. + + - name: client_data.sdk_version + type: keyword + description: > + SDK version + + - name: user_risk.uuid + type: keyword + description: > + Unique identifier of the user whose risk data is being provided. 
+ + - name: user_risk.status + type: long + description: "Status code indicating any errors that might have occurred when calculating the risk score. \n" + - name: user_risk.score + type: long + description: > + Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). + + - name: user_risk.risk + type: flattened + description: > + Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. + + - name: user_risk.trust + type: flattened + description: > + Indicators that were trusted. For example, the value ugp indicates that the user’s country or area is trusted. + + - name: user_risk.general + type: flattened + description: > + Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. + + - name: user_risk.allow + type: long + description: >- + Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. diff --git a/packages/akamai/0.1.3/data_stream/siem/manifest.yml b/packages/akamai/0.1.3/data_stream/siem/manifest.yml new file mode 100755 index 0000000000..9d00eada89 --- /dev/null +++ b/packages/akamai/0.1.3/data_stream/siem/manifest.yml 
@@ -0,0 +1,105 @@
+type: logs
+title: Akamai SIEM Logs
+release: experimental
+streams:
+ - input: httpjson
+ vars:
+ - name: api_host
+ type: text
+ title: API Host
+ description: API Hostname in the form of http(s)://akzz-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.luna.akamaiapis.net without path
+ multi: false
+ required: true
+ show_user: true
+ default: https://akzz-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.luna.akamaiapis.net
+ - name: client_token
+ type: text
+ title: Client Token
+ description: Client token provided by "Credentials" ui
+ multi: false
+ required: true
+ show_user: true
+ - name: client_secret
+ type: password
+ title: Client Secret
+ description: Client secret provided by "Credentials" ui
+ multi: false
+ required: true
+ show_user: true
+ - name: access_token
+ type: password
+ title: Access Token
+ description: Access token provided by "Authorizations" ui
+ multi: false
+ required: true
+ show_user: true
+ - name: config_ids
+ type: text
+ title: Zone ID
+ multi: false
+ required: true
+ show_user: true
+ description: Unique identifier for each security configuration. To report on more than one configuration, separate integer identifiers with semicolons. ex. 12892;29182;82912
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ default: 60s
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
+ default: 1h
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ description: Initial interval to poll for events. Default is 24 hours.
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - akamai-siem
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
+ template_path: httpjson.yml.hbs
+ title: Akamai SIEM logs
+ description: Collect Akamai logs via the SIEM API
diff --git a/packages/akamai/0.1.3/data_stream/siem/sample_event.json b/packages/akamai/0.1.3/data_stream/siem/sample_event.json
new file mode 100755
index 0000000000..ce2935b782
--- /dev/null
+++ b/packages/akamai/0.1.3/data_stream/siem/sample_event.json
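Review bot: The `config_ids` variable is titled `Zone ID` while its description talks about security configuration identifiers, so the UI label contradicts its own help text; `title: Security Configuration IDs` would match. `http_client_timeout` and `ssl` are the only user-visible variables without a `description`, and `proxy_url`'s description reads `http[s]://:@:` with nothing between the separators — if that is how the file is stored, and not just placeholders being stripped in this rendering, the user, password, host and port placeholders need restoring. `client_token` is collected as `type: text` while `client_secret` and `access_token` are `password`; if the token is meant to be handled as part of the credential set, the three should be typed consistently.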
@@ -0,0 +1,188 @@ +{ + "@timestamp": "2016-08-11T13:45:33.026Z", + "agent": { + "ephemeral_id": "713a6a71-c1f5-4984-9283-20611786e6d3", + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "akamai": { + "siem": { + "bot": { + "response_segment": 3, + "score": 100 + }, + "client_data": { + "app_bundle_id": "com.mydomain.myapp", + "app_version": "1.23", + "sdk_version": "4.7.1", + "telemetry_type": 2 + }, + "config_id": "6724", + "policy_id": "scoe_5426", + "request": { + "headers": { + "Accept": "text/html,application/xhtml xml", + "User-Agent": "BOT/0.1 (BOT for JCE)" + } + }, + "response": { + "headers": { + "Content-Type": "text/html", + "Mime-Version": "1.0", + "Server": "AkamaiGHost" + } + }, + "rules": [ + { + "ruleActions": "ALERT", + "ruleData": "alert(", + "ruleMessages": "Cross-site Scripting (XSS) Attack", + "ruleSelectors": "ARGS:a", + "ruleTags": "WEB_ATTACK/XSS", + "rules": "950004" + }, + { + "ruleActions": "DENY", + "ruleData": "curl", + "ruleMessages": "Request Indicates an automated program explored the site", + "ruleSelectors": "REQUEST_HEADERS:User-Agent", + "ruleTags": "AUTOMATION/MISC", + "rules": "990011" + } + ], + "user_risk": { + "allow": 0, + "general": { + "duc_1d": "30", + "duc_1h": "10" + }, + "risk": { + "udfp": "1325gdg4g4343g/M", + "unp": "74256/H" + }, + "score": 75, + "status": 0, + "trust": { + "ugp": "US" + }, + "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5" + } + } + }, + "client": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "data_stream": { + "dataset": "akamai.siem", + "namespace": "ep", + 
"type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2021-12-24T00:19:04.410Z", + "dataset": "akamai.siem", + "id": "2ab418ac8515f33", + "ingested": "2021-12-24T00:19:05Z", + "kind": "event", + "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-
a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", + "start": "2016-08-11T13:45:33.026Z" + }, + "host": { + "name": "docker-fleet-agent" + }, + "http": { + "request": { + "id": "2ab418ac8515f33", + "method": "POST" + }, + "response": { + "bytes": 34523, + "status_code": 301 + }, + "version": "2" + }, + "input": { + "type": "httpjson" + }, + "network": { + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "type": "proxy", + "vendor": "akamai" + }, + "related": { + "ip": [ + "89.160.20.156" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "tags": [ + "akamai-siem", + "forwarded", + "preserve_original_event" + ], + "tls": { + "version": "1.2", + "version_protocol": "tls" + }, + "url": { + "domain": "www.example.com", + "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd", + "path": "/examples/1/", + "port": 80, + "query": "a=../../../etc/passwd" + } +} \ No newline at end of file diff --git a/packages/akamai/0.1.3/docs/README.md b/packages/akamai/0.1.3/docs/README.md new file mode 100755 index 0000000000..ac4f983c17 --- /dev/null +++ b/packages/akamai/0.1.3/docs/README.md 
@@ -0,0 +1,326 @@ +# Akamai Integration + +The Akamai integration collects events from the Akamai API, specifically reading from the [Akamai SIEM API](https://techdocs.akamai.com/siem-integration/reference/api). + +## Logs + +### SIEM + +The Security Information and Event Management API allows you to capture security events generated on the ​Akamai​ platform in your SIEM application. + +Use this API to get security event data generated on the ​Akamai​ platform and correlate it with data from other sources in your SIEM solution. Capture security event data incrementally, or replay missed security events from the past 12 hours. You can store, query, and analyze the data delivered through this API on your end, then go back and adjust your Akamai security settings. If you’re coding your own SIEM connector, it needs to adhere to these specifications in order to pull in security events from Akamai Security Events Collector (ASEC) and process them properly. + +See https://techdocs.akamai.com/siem-integration/reference/api-get-started to setup your Akamai account and obtain your credentials + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| akamai.siem.bot.response_segment | Numeric response segment indicator. Segments are used to group and categorize bot scores. | long | +| akamai.siem.bot.score | Score assigned to the request by Botman Manager. | long | +| akamai.siem.client_data.app_bundle_id | Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. | keyword | +| akamai.siem.client_data.app_version | Version number of the app. | keyword | +| akamai.siem.client_data.sdk_version | SDK version | keyword | +| akamai.siem.client_data.telemetry_type | Specifies the telemetry type in use. | long | +| akamai.siem.client_reputation | Client IP scores for Client Reputation. 
| keyword | +| akamai.siem.config_id | ID of the Security Configuration applied to the request. | keyword | +| akamai.siem.policy_id | ID of the Firewall policy applied to the request. | keyword | +| akamai.siem.request.headers | HTTP Request headers | flattened | +| akamai.siem.response.headers | HTTP response headers | flattened | +| akamai.siem.rules | Rules triggered by this request | nested | +| akamai.siem.slow_post_action | Action taken if a Slow POST attack is detected: W for Warn or A for deny (abort). | keyword | +| akamai.siem.slow_post_rate | Recorded rate of a detected Slow POST attack. | long | +| akamai.siem.user_risk.allow | Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. | long | +| akamai.siem.user_risk.general | Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. | flattened | +| akamai.siem.user_risk.risk | Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. | flattened | +| akamai.siem.user_risk.score | Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). | long | +| akamai.siem.user_risk.status | Status code indicating any errors that might have occurred when calculating the risk score. | long | +| akamai.siem.user_risk.trust | Indicators that were trusted. For example, the value ugp indicates that the user’s country or area is trusted. | flattened | +| akamai.siem.user_risk.uuid | Unique identifier of the user whose risk data is being provided. | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.bytes | Bytes sent from the client to the server. | long | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. 
Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.id | A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| tls.cipher | String indicating the cipher used during the current connection. | keyword | +| tls.version | Numeric part of the version parsed from the original string. | keyword | +| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.username | Username of the request. 
| keyword | + + +An example event for `siem` looks as following: + +```json +{ + "@timestamp": "2016-08-11T13:45:33.026Z", + "agent": { + "ephemeral_id": "713a6a71-c1f5-4984-9283-20611786e6d3", + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "akamai": { + "siem": { + "bot": { + "response_segment": 3, + "score": 100 + }, + "client_data": { + "app_bundle_id": "com.mydomain.myapp", + "app_version": "1.23", + "sdk_version": "4.7.1", + "telemetry_type": 2 + }, + "config_id": "6724", + "policy_id": "scoe_5426", + "request": { + "headers": { + "Accept": "text/html,application/xhtml xml", + "User-Agent": "BOT/0.1 (BOT for JCE)" + } + }, + "response": { + "headers": { + "Content-Type": "text/html", + "Mime-Version": "1.0", + "Server": "AkamaiGHost" + } + }, + "rules": [ + { + "ruleActions": "ALERT", + "ruleData": "alert(", + "ruleMessages": "Cross-site Scripting (XSS) Attack", + "ruleSelectors": "ARGS:a", + "ruleTags": "WEB_ATTACK/XSS", + "rules": "950004" + }, + { + "ruleActions": "DENY", + "ruleData": "curl", + "ruleMessages": "Request Indicates an automated program explored the site", + "ruleSelectors": "REQUEST_HEADERS:User-Agent", + "ruleTags": "AUTOMATION/MISC", + "rules": "990011" + } + ], + "user_risk": { + "allow": 0, + "general": { + "duc_1d": "30", + "duc_1h": "10" + }, + "risk": { + "udfp": "1325gdg4g4343g/M", + "unp": "74256/H" + }, + "score": 75, + "status": 0, + "trust": { + "ugp": "US" + }, + "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5" + } + } + }, + "client": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "data_stream": { 
+ "dataset": "akamai.siem", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2021-12-24T00:19:04.410Z", + "dataset": "akamai.siem", + "id": "2ab418ac8515f33", + "ingested": "2021-12-24T00:19:05Z", + "kind": "event", + "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",
\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", + "start": "2016-08-11T13:45:33.026Z" + }, + "host": { + "name": "docker-fleet-agent" + }, + "http": { + "request": { + "id": "2ab418ac8515f33", + "method": "POST" + }, + "response": { + "bytes": 34523, + "status_code": 301 + }, + "version": "2" + }, + "input": { + "type": "httpjson" + }, + "network": { + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "type": "proxy", + "vendor": "akamai" + }, + "related": { + "ip": [ + "89.160.20.156" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "tags": [ + "akamai-siem", + "forwarded", + "preserve_original_event" + ], + "tls": { + "version": "1.2", + "version_protocol": "tls" + }, + "url": { + "domain": "www.example.com", + "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd", + "path": "/examples/1/", + "port": 80, + "query": "a=../../../etc/passwd" + } +} +``` \ No newline at end of file diff --git a/packages/akamai/0.1.3/img/akamai_logo.svg b/packages/akamai/0.1.3/img/akamai_logo.svg new file mode 100755 index 0000000000..78cf6ad7e3 --- /dev/null +++ b/packages/akamai/0.1.3/img/akamai_logo.svg @@ -0,0 +1,151 @@ + + + +image/svg+xml \ No newline at end of file diff --git a/packages/akamai/0.1.3/manifest.yml b/packages/akamai/0.1.3/manifest.yml new file mode 100755 index 0000000000..87548e846a --- /dev/null +++ b/packages/akamai/0.1.3/manifest.yml 
@@ -0,0 +1,26 @@
+name: akamai
+title: Akamai
+version: 0.1.3
+release: beta
+description: Akamai Integration
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security, network, web, cloud]
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/akamai_logo.svg
+ title: Akamai
+ size: 409×167
+ type: image/svg+xml
+policy_templates:
+ - name: akamai
+ title: Akamai logs
+ description: Collect SIEM logs from Akamai
+ inputs:
+ - type: httpjson
+ title: "Collect Akamai SIEM logs via API"
+ description: "Collecting SIEM logs from Akamai via API"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/atlassian_confluence/1.1.2/changelog.yml b/packages/atlassian_confluence/1.1.2/changelog.yml
new file mode 100755
index 0000000000..4956a0afd4
--- /dev/null
+++ b/packages/atlassian_confluence/1.1.2/changelog.yml
@@ -0,0 +1,26 @@
+# newer versions go on top
+- version: "1.1.2"
+ changes:
+ - description: Update readme
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3062
+- version: "1.1.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2378
+- version: "1.0.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.0.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2208
diff --git a/packages/atlassian_confluence/1.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/atlassian_confluence/1.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..be1c57a543
--- /dev/null
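Review bot: The icon entry `size: 409×167` uses the Unicode multiplication sign (U+00D7) instead of the ASCII letter `x`, which is easy to miss when reading and is the kind of value a `WIDTHxHEIGHT` pattern check in the package spec would reject (hedged: the exact validation rule is not visible here). Change it to `size: 409x167` so the manifest is plain ASCII and matches the conventional form.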
+++ b/packages/atlassian_confluence/1.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,69 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+request.url: {{api_url}}/rest/auditing/1.0/events
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+
+request.transforms:
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: Bearer {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+ - set:
+ target: url.params.from
+ value: "[[.cursor.last_timestamp]]"
+ default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
+ - set:
+ target: url.params.to
+ value: '[[formatDate now]]'
+ - set:
+ target: url.params.limit
+ value: {{ limit }}
+
+response.split:
+ target: body.entities
+response.pagination:
+ - set:
+ target: url.value
+ value: '[[ .last_response.body.pagingInfo.nextPageLink ]]'
+ fail_on_template_error: true
+
+cursor:
+ last_timestamp:
+ value: "[[.first_event.timestamp]]"
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/atlassian_confluence/1.1.2/data_stream/audit/agent/stream/stream.yml.hbs b/packages/atlassian_confluence/1.1.2/data_stream/audit/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..c6e5ed4c73
--- /dev/null
+++ b/packages/atlassian_confluence/1.1.2/data_stream/audit/agent/stream/stream.yml.hbs
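Review bot: The bearer-token `set` transform under `request.transforms` is wrapped in `{{#unless username}}{{#unless password}}`, while the basic-auth block is wrapped in `{{#unless token}}`, so a policy that has all three variables filled in emits no credentials at all — which contradicts the `token` variable description in this package's data-stream manifest further down in the diff ("If set, Username and Password will be ignored"). Remove the two `{{#unless …}}` / `{{/unless}}` wrappers around the `{{#if token}}` block so that the token wins whenever it is set; the basic-auth block already yields to it. Separately, `auth.basic.user: {{username}}`, `auth.basic.password: {{password}}` and `value: Bearer {{token}}` inject secrets as bare YAML scalars, so a password containing `: ` or ` #`, starting with `*`, `&` or `[`, or looking like a number or boolean will break or retype the rendered input config. Render them through a quoting helper (`{{escape_string password}}` where the target Fleet version provides it) or at minimum quote the values.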
@@ -0,0 +1,19 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+exclude_files: [".gz$"]
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/atlassian_confluence/1.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/atlassian_confluence/1.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..9f11a631a4
--- /dev/null
+++ b/packages/atlassian_confluence/1.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,434 @@ +--- +description: Pipeline for processing sample logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: ecs.version + value: '8.0.0' +- rename: + field: message + target_field: event.original +- json: + field: event.original + target_field: json +- set: + field: _tmp.timestamp + copy_from: json.timestamp + if: ctx.json?.timestamp != null && ctx.json?.timestamp instanceof String +- set: + field: _tmp.timestamp + value: "{{json.timestamp.epochSecond}}.{{json.timestamp.nano}}" + if: ctx.json?.timestamp != null && ctx.json?.timestamp instanceof Map && ctx.json?.timestamp?.epochSecond != null && ctx.json?.timestamp?.nano != null +- date: + field: _tmp.timestamp + formats: + - UNIX + - ISO8601 + target_field: "@timestamp" +- rename: + field: json.source + target_field: source.address + ignore_missing: true +- convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: json.author.id + target_field: user.id + ignore_missing: true +- rename: + field: json.author.name + target_field: user.full_name + ignore_missing: true +- grok: + field: json.author.uri + ignore_missing: true + ignore_failure: true + if: ctx?.json?.author?.uri != "" + patterns: + - '\?username=%{USER:user.name}$' +- rename: + field: json.auditType + target_field: confluence.audit.type + ignore_missing: true +- rename: + field: json.type + target_field: confluence.audit.type + ignore_missing: true +- rename: + field: json.method + target_field: 
confluence.audit.method + ignore_missing: true +- rename: + field: json.system + target_field: service.address + ignore_missing: true +- uri_parts: + field: service.address + target_field: _tmp.service + ignore_failure: true + if: ctx.service?.address != null +- rename: + field: json.extraAttributes + target_field: confluence.audit.extra_attributes + ignore_missing: true +- rename: + field: json.changedValues + target_field: confluence.audit.changed_values + ignore_missing: true +- rename: + field: json.affectedObjects + target_field: confluence.audit.affected_objects + ignore_missing: true +- set: + field: event.action + copy_from: confluence.audit.type.actionI18nKey + ignore_empty_value: true +- script: + lang: painless + description: Add ECS categorization + params: + audit.logging.summary.global.permission.added: + category: + - iam + - configuration + type: + - admin + - creation + audit.logging.summary.space.permission.added: + category: + - iam + - configuration + type: + - admin + - creation + audit.logging.summary.user.created: + category: + - iam + type: + - user + - creation + audit.logging.summary.user.renamed: + category: + - iam + type: + - user + - change + audit.logging.summary.user.updated: + category: + - iam + type: + - user + - change + audit.logging.summary.user.deleted: + category: + - iam + type: + - user + - deletion + audit.logging.summary.group.membership.added: + category: + - iam + type: + - group + - change + audit.logging.summary.group.membership.removed: + category: + - iam + type: + - group + - change + audit.logging.summary.group.created: + category: + - iam + type: + - group + - creation + audit.logging.summary.group.deleted: + category: + - iam + type: + - group + - deletion + atlassian.audit.event.action.audit.config.updated: + category: + - configuration + type: + - admin + - change + audit.logging.summary.global.settings.edited: + category: + - configuration + type: + - admin + - change + 
personal.access.tokens.audit.log.summary.token.created: + category: + - iam + type: + - admin + - creation + personal.access.tokens.audit.log.summary.token.deleted: + category: + - iam + type: + - admin + - deletion + audit.logging.summary.login.success: + category: + - authentication + type: + - start + outcome: success + audit.logging.summary.user.logout: + category: + - authentication + type: + - end + audit.logging.summary.login.failed: + category: + - authentication + type: + - info + outcome: failure + audit.logging.summary.user.password.changed: + category: + - iam + type: + - user + - change + outcome: success + audit.logging.summary.sudo.auth.successful: + category: + - authentication + type: + - admin + - start + audit.logging.summary.sudo.logout: + category: + - authentication + type: + - admin + - end + audit.logging.summary.space.created: + category: + - configuration + type: + - creation + audit.logging.summary.page.created: + category: + - configuration + type: + - creation + audit.logging.summary.page.deleted: + category: + - configuration + type: + - deletion + audit.logging.summary.space.removed: + category: + - configuration + type: + - deletion + audit.logging.summary.space.config.updated: + category: + - configuration + type: + - change + source: >- + ctx.event.kind = 'event'; + ctx.event.type = 'info'; + if (ctx?.event?.action == null) { + return; + } + if (params.get(ctx.event.action) == null) { + return; + } + def hm = new HashMap(params.get(ctx.event.action)); + hm.forEach((k, v) -> ctx.event[k] = v); +- script: + lang: painless + description: Add ECS User fields + if: "['audit.logging.category.user.management','audit.logging.category.auth'].contains(ctx.confluence?.audit?.type?.categoryI18nKey)" + source: >- + if (ctx?.event?.action == null) { + return; + } + if (ctx.group == null) { + Map map = new HashMap(); + ctx.put("group", map); + } + if (ctx.user == null) { + Map map = new HashMap(); + ctx.put("user", map); + } + if 
(ctx.user?.target == null) { + Map map = new HashMap(); + ctx.user.put("target", map); + } + if (ctx.user?.changes == null) { + Map map = new HashMap(); + ctx.user.put("changes", map); + } + if (ctx.user?.target?.group == null) { + Map map = new HashMap(); + ctx.user.target.put("group", map); + } + if(ctx.confluence?.audit?.affected_objects != null) { + for (def j = 0; j < ctx.confluence?.audit?.affected_objects.length; j++) { + if(ctx.confluence?.audit?.affected_objects[j]?.type == 'Group') { + if(['audit.logging.summary.group.created', 'audit.logging.summary.group.deleted'].contains(ctx.event.action)) { + ctx.group.put("name", ctx.confluence?.audit?.affected_objects[j]?.name); + ctx.group.put("id", ctx.confluence?.audit?.affected_objects[j]?.id); + } + if(['audit.logging.summary.group.membership.added', 'audit.logging.summary.group.membership.removed'].contains(ctx.event.action)) { + ctx.user.target.group.put("name", ctx.confluence?.audit?.affected_objects[j]?.name); + ctx.user.target.group.put("id", ctx.confluence?.audit?.affected_objects[j]?.id); + } + } + if(ctx.confluence?.audit?.affected_objects[j]?.type == 'User') { + if(['audit.logging.summary.user.created', 'audit.logging.summary.user.deleted', 'audit.logging.summary.user.password.changed','audit.logging.summary.user.updated'].contains(ctx.event.action)) { + ctx.user.target.put("full_name", ctx.confluence?.audit?.affected_objects[j]?.name); + ctx.user.target.put("id", ctx.confluence?.audit?.affected_objects[j]?.id); + if(ctx.confluence?.audit?.affected_objects[j]?.uri != null) { + def m = /\?username=([a-zA-Z0-9._-]+)$/.matcher(ctx.confluence?.audit?.affected_objects[j]?.uri); + if (m.find()) { + ctx.user.target.put("name", m.group(1)); + } + } + } + if(['audit.logging.summary.group.membership.added', 'audit.logging.summary.group.membership.removed'].contains(ctx.event.action)) { + ctx.user.target.put("name", ctx.confluence?.audit?.affected_objects[j]?.name); + ctx.user.target.put("id", 
ctx.confluence?.audit?.affected_objects[j]?.id); + } + if(['audit.logging.summary.login.success', 'audit.logging.summary.login.failed'].contains(ctx.event.action)) { + ctx.user.put("full_name", ctx.confluence?.audit?.affected_objects[j]?.name); + ctx.user.put("id", ctx.confluence?.audit?.affected_objects[j]?.id); + if(ctx.confluence?.audit?.affected_objects[j]?.uri != null) { + def m = /\?username=([a-zA-Z0-9._-]+)$/.matcher(ctx.confluence?.audit?.affected_objects[j]?.uri); + if (m.find()) { + ctx.user.put("name", m.group(1)); + } + } + } + } + } + } + if(ctx.confluence?.audit?.changed_values != null) { + for (def j = 0; j < ctx.confluence?.audit?.changed_values.length; j++) { + if(['audit.logging.summary.user.renamed'].contains(ctx.event.action)) { + if(ctx.confluence?.audit?.changed_values[j]?.i18nKey == 'audit.logging.changed.value.username') { + ctx.user.changes.put("name", ctx.confluence?.audit?.changed_values[j]?.to); + ctx.user.target.put("name", ctx.confluence?.audit?.changed_values[j]?.from); + } + } + if(['audit.logging.summary.user.created','audit.logging.summary.user.updated'].contains(ctx.event.action)) { + if(ctx.confluence?.audit?.changed_values[j]?.i18nKey == 'Username') { + ctx.user.changes.put("name", ctx.confluence?.audit?.changed_values[j]?.to); + if(ctx.confluence?.audit?.changed_values[j]?.from != null) { + ctx.user.target.put("name", ctx.confluence?.audit?.changed_values[j]?.from); + } + } + if(ctx.confluence?.audit?.changed_values[j]?.i18nKey == 'Email') { + ctx.user.changes.put("email", ctx.confluence?.audit?.changed_values[j]?.to); + if(ctx.confluence?.audit?.changed_values[j]?.from != null) { + ctx.user.target.put("email", ctx.confluence?.audit?.changed_values[j]?.from); + } + } + if(ctx.confluence?.audit?.changed_values[j]?.i18nKey == 'Display name') { + ctx.user.changes.put("full_name", ctx.confluence?.audit?.changed_values[j]?.to); + if(ctx.confluence?.audit?.changed_values[j]?.from != null) { + ctx.user.target.put("full_name", 
ctx.confluence?.audit?.changed_values[j]?.from); + } + } + } + } + } +- append: + field: related.user + value: '{{user.name}}' + allow_duplicates: false + if: ctx.user?.name != null +- append: + field: related.user + value: '{{user.target.name}}' + allow_duplicates: false + if: ctx.user?.target?.name != null +- append: + field: related.user + value: '{{user.changes.name}}' + allow_duplicates: false + if: ctx.user?.changes?.name != null +- append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: ctx.source?.ip != null +- append: + field: related.hosts + value: '{{_tmp.service.domain}}' + allow_duplicates: false + if: ctx._tmp?.service?.domain != null +- remove: + field: + - json + - _tmp + ignore_missing: true +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/agent.yml b/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null 
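Review bot: Two consecutive `rename` processors write to the same target — `json.auditType` → `confluence.audit.type` and then `json.type` → `confluence.audit.type`; `ignore_missing` only covers an absent source, so an event that carries both keys makes the second rename fail on the already-populated target and the whole document lands in `on_failure`, indexed unparsed with only `error.message` set. If the two keys are meant to be mutually exclusive (log-file format versus API format, presumably), guard the second rename with `if: ctx.confluence?.audit?.type == null` so a hybrid event still parses. The pipeline header `description: Pipeline for processing sample logs` is a leftover placeholder; name the data stream, e.g. `description: Pipeline for processing Confluence audit logs`.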
+++ b/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/agent.yml 
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/base-fields.yml b/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/base-fields.yml
new file mode 100755
index 0000000000..ed93c08819
--- /dev/null
+++ b/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: atlassian_confluence
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: atlassian_confluence.audit
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/ecs.yml b/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/ecs.yml
new file mode 100755
index 0000000000..f306253bc9
--- /dev/null
+++ b/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/ecs.yml
@@ -0,0 +1,140 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.target.full_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.changes.name + type: keyword +- description: User email address. + name: user.changes.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.changes.full_name + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: Unique identifier for the group on the system/platform. 
+ name: group.id + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. 
+ name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Address where data about this service was collected from. + This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + name: service.address + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword diff --git a/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/fields.yml b/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/fields.yml new file mode 100755 index 0000000000..841f8aa112 --- /dev/null +++ b/packages/atlassian_confluence/1.1.2/data_stream/audit/fields/fields.yml 
@@ -0,0 +1,43 @@
+- name: confluence.audit
+ type: group
+ fields:
+ - name: type.categoryI18nKey
+ type: keyword
+ description: |
+ categoryI18nKey
+ - name: type.actionI18nKey
+ type: keyword
+ description: |
+ actionI18nKey
+ - name: type.category
+ type: keyword
+ description: |
+ Category
+ - name: type.action
+ type: keyword
+ description: |
+ Action
+ - name: type.area
+ type: keyword
+ description: |
+ Area
+ - name: type.level
+ type: keyword
+ description: |
+ Audit Level
+ - name: method
+ type: keyword
+ description: |
+ Method
+ - name: extra_attributes
+ type: flattened
+ description: |
+ Extra Attributes
+ - name: changed_values
+ type: flattened
+ description: |
+ Changed Values
+ - name: affected_objects
+ type: flattened
+ description: |
+ Affected Objects
diff --git a/packages/atlassian_confluence/1.1.2/data_stream/audit/manifest.yml b/packages/atlassian_confluence/1.1.2/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..2c59289e99
--- /dev/null
+++ b/packages/atlassian_confluence/1.1.2/data_stream/audit/manifest.yml
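Review bot: Every `description` in this field definition merely repeats the field's own name (`categoryI18nKey`, `Category`, `Method`, …), which tells an analyst nothing the key does not already say. Describe what each value carries, e.g. for `type.categoryI18nKey`: `Internationalization key of the audit event category, e.g. atlassian.audit.event.category.audit.` (that example value appears in the sample event later in this diff), and note for `extra_attributes`, `changed_values` and `affected_objects` that they hold the `extraAttributes`, `changedValues` and `affectedObjects` arrays renamed by the ingest pipeline. Using `|-` instead of `|` would also drop the trailing newline that `|` appends to each one-line description.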
@@ -0,0 +1,142 @@ +title: Confluence Audit Logs +type: logs +streams: + - input: logfile + title: Confluence audit logs + description: Collect Confluence audit logs + template_path: stream.yml.hbs + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/atlassian/application-data/confluence/log/audit/*.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - confluence-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: httpjson + title: Confluence audit logs via Confluence audit API + description: Collect Confluence audit logs via Confluence audit API + enabled: false + template_path: httpjson.yml.hbs + vars: + - name: api_url + type: text + title: API URL + description: The base URL to the Confluence server. + multi: false + required: true + show_user: true + - name: username + type: text + title: Confluence Username + description: JIRA Username. Needs to be used with a Password. Do not fill if you are using a personal access token. + multi: false + required: false + show_user: true + - name: password + type: password + title: Confluence Password + description: JIRA Password. Needs to be used with a Username. Do not fill if you are using a personal access token. 
+ multi: false + required: false + show_user: true + - name: token + type: password + title: Personal Access Token + description: The Personal Access Token. If set, Username and Password will be ignored. + required: false + multi: false + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: true + default: 60s + - name: limit + type: integer + title: Limit + description: Number of events to fetch on each request + show_user: false + required: true + default: 1000 + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + description: Interval at which the logs will be pulled. The value must be between 2m and 1h. + default: 1h + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: false + description: Initial interval for the first API call. Defaults to 24 hours. + default: 24h + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - forwarded + - confluence-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. 
\nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details." diff --git a/packages/atlassian_confluence/1.1.2/data_stream/audit/sample_event.json b/packages/atlassian_confluence/1.1.2/data_stream/audit/sample_event.json new file mode 100755 index 0000000000..1d05591a3e --- /dev/null +++ b/packages/atlassian_confluence/1.1.2/data_stream/audit/sample_event.json 
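Review bot: The `username` and `password` variable descriptions read `JIRA Username` / `JIRA Password` in a Confluence package, which looks like a copy-paste from a Jira integration and will confuse operators filling in the policy; change them to `description: Confluence username. Needs to be used with a Password. Do not fill if you are using a personal access token.` and the matching `Confluence password.` wording. The `proxy_url` description `URL to proxy connections in the form of http[s]://:@:` appears to have lost its placeholders (presumably user, password, host and port written in angle brackets that were stripped as markup); restore them in a form that survives rendering. Since `proxy_url` is `type: text` rather than `type: password`, any credentials embedded in it are stored and displayed in the clear, unlike the `password` and `token` variables — worth stating in the description so operators do not put secrets there unknowingly.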
@@ -0,0 +1,108 @@ +{ + "@timestamp": "2021-11-23T00:41:45.280Z", + "agent": { + "ephemeral_id": "a362a4c6-e4c0-441d-9bca-edd06245f232", + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "confluence": { + "audit": { + "extra_attributes": [ + { + "name": "ID Range", + "nameI18nKey": "atlassian.audit.event.attribute.id", + "value": "77 - 176" + }, + { + "name": "Query", + "nameI18nKey": "atlassian.audit.event.attribute.query" + }, + { + "name": "Results returned", + "nameI18nKey": "atlassian.audit.event.attribute.results", + "value": "100" + }, + { + "name": "Timestamp Range", + "nameI18nKey": "atlassian.audit.event.attribute.timestamp", + "value": "2021-11-23T00:39:37.155Z - 2021-11-23T00:41:17.165Z" + } + ], + "method": "Browser", + "type": { + "action": "Audit Log search performed", + "actionI18nKey": "atlassian.audit.event.action.audit.search", + "category": "Auditing", + "categoryI18nKey": "atlassian.audit.event.category.audit" + } + } + }, + "data_stream": { + "dataset": "atlassian_confluence.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "atlassian.audit.event.action.audit.search", + "agent_id_status": "verified", + "created": "2021-12-24T00:49:08.197Z", + "dataset": "atlassian_confluence.audit", + "ingested": "2021-12-24T00:49:09Z", + "kind": "event", + "original": "{\"affectedObjects\":[],\"author\":{\"avatarUri\":\"\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"name\":\"test user\",\"type\":\"user\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"77 - 
176\"},{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"100\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-23T00:39:37.155Z - 2021-11-23T00:41:17.165Z\"}],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":\"2021-11-23T00:41:45.280Z\",\"type\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\"}}", + "type": "info" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "confluence.internal" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "admin" + ] + }, + "service": { + "address": "http://confluence.internal:8090" + }, + "source": { + "address": "81.2.69.143", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "confluence-audit" + ], + "user": { + "full_name": "test user", + "id": "2c9680837d4a3682017d4a375a280000", + "name": "admin" + } +} \ No newline at end of file diff --git a/packages/atlassian_confluence/1.1.2/docs/README.md b/packages/atlassian_confluence/1.1.2/docs/README.md new file mode 100755 index 0000000000..a99e30cd45 --- /dev/null +++ b/packages/atlassian_confluence/1.1.2/docs/README.md 
@@ -0,0 +1,218 @@ +# Atlassian Confluence Integration + +The Confluence integration collects [audit logs](https://confluence.atlassian.com/doc/auditing-in-confluence-829076528.html) from the audit log files or the [audit API](https://developer.atlassian.com/cloud/confluence/rest/api-group-audit/). + +## Logs + +### Audit + +The Confluence integration collects audit logs from the audit log files or the audit API from self hosted Confluence Data Center. It has been tested with Confluence 7.14.2 but is expected to work with newer versions. This has not been tested with Confluence Cloud and is not expected to work. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. 
| keyword | +| confluence.audit.affected_objects | Affected Objects | flattened | +| confluence.audit.changed_values | Changed Values | flattened | +| confluence.audit.extra_attributes | Extra Attributes | flattened | +| confluence.audit.method | Method | keyword | +| confluence.audit.type.action | Action | keyword | +| confluence.audit.type.actionI18nKey | actionI18nKey | keyword | +| confluence.audit.type.area | Area | keyword | +| confluence.audit.type.category | Category | keyword | +| confluence.audit.type.categoryI18nKey | categoryI18nKey | keyword | +| confluence.audit.type.level | Audit Level | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. 
| ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). 
| ip | +| tags | List of keywords used to tag each event. | keyword | +| user.changes.email | User email address. | keyword | +| user.changes.full_name | User's full name, if available. | keyword | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. 
| match_only_text | + + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2021-11-23T00:41:45.280Z", + "agent": { + "ephemeral_id": "a362a4c6-e4c0-441d-9bca-edd06245f232", + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "confluence": { + "audit": { + "extra_attributes": [ + { + "name": "ID Range", + "nameI18nKey": "atlassian.audit.event.attribute.id", + "value": "77 - 176" + }, + { + "name": "Query", + "nameI18nKey": "atlassian.audit.event.attribute.query" + }, + { + "name": "Results returned", + "nameI18nKey": "atlassian.audit.event.attribute.results", + "value": "100" + }, + { + "name": "Timestamp Range", + "nameI18nKey": "atlassian.audit.event.attribute.timestamp", + "value": "2021-11-23T00:39:37.155Z - 2021-11-23T00:41:17.165Z" + } + ], + "method": "Browser", + "type": { + "action": "Audit Log search performed", + "actionI18nKey": "atlassian.audit.event.action.audit.search", + "category": "Auditing", + "categoryI18nKey": "atlassian.audit.event.category.audit" + } + } + }, + "data_stream": { + "dataset": "atlassian_confluence.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "atlassian.audit.event.action.audit.search", + "agent_id_status": "verified", + "created": "2021-12-24T00:49:08.197Z", + "dataset": "atlassian_confluence.audit", + "ingested": "2021-12-24T00:49:09Z", + "kind": "event", + "original": "{\"affectedObjects\":[],\"author\":{\"avatarUri\":\"\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"name\":\"test user\",\"type\":\"user\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"77 - 
176\"},{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"100\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-23T00:39:37.155Z - 2021-11-23T00:41:17.165Z\"}],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":\"2021-11-23T00:41:45.280Z\",\"type\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\"}}", + "type": "info" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "confluence.internal" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "admin" + ] + }, + "service": { + "address": "http://confluence.internal:8090" + }, + "source": { + "address": "81.2.69.143", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "confluence-audit" + ], + "user": { + "full_name": "test user", + "id": "2c9680837d4a3682017d4a375a280000", + "name": "admin" + } +} +``` \ No newline at end of file diff --git a/packages/atlassian_confluence/1.1.2/img/confluence-logo.svg b/packages/atlassian_confluence/1.1.2/img/confluence-logo.svg new file mode 100755 index 0000000000..7aac36a6fe --- /dev/null +++ b/packages/atlassian_confluence/1.1.2/img/confluence-logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/atlassian_confluence/1.1.2/manifest.yml b/packages/atlassian_confluence/1.1.2/manifest.yml new file mode 100755 index 0000000000..dc1a23fb43 --- /dev/null 
+++ b/packages/atlassian_confluence/1.1.2/manifest.yml @@ -0,0 +1,31 @@ +format_version: 1.0.0 +name: atlassian_confluence +title: Atlassian Confluence +version: 1.1.2 +license: basic +description: Collect logs from Atlassian Confluence with Elastic Agent. +type: integration +categories: + - security + - web +release: ga +conditions: + kibana.version: "^7.16.0 || ^8.0.0" +icons: + - src: /img/confluence-logo.svg + title: Confluence Logo + size: 400x400 + type: image/svg+xml +policy_templates: + - name: audit + title: Audit Logs + description: Collect audit logs from Atlassian Confluence with Elastic Agent. + inputs: + - type: logfile + title: "Collect Confluence audit logs via log files" + description: "Collecting audit logs from Confluence via log files" + - type: httpjson + title: "Collect Confluence audit logs via API" + description: "Collecting audit logs from Confluence via API" +owner: + github: elastic/security-external-integrations diff --git a/packages/atlassian_jira/1.1.2/changelog.yml b/packages/atlassian_jira/1.1.2/changelog.yml new file mode 100755 index 0000000000..79d25810c0 --- /dev/null +++ b/packages/atlassian_jira/1.1.2/changelog.yml @@ -0,0 +1,26 @@ +# newer versions go on top +- version: "1.1.2" + changes: + - description: Update Readme + type: enhancement + link: https://github.com/elastic/integrations/pull/3063 +- version: "1.1.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.1.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2379 +- version: "1.0.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.0.0" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/2203 
diff --git a/packages/atlassian_jira/1.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/atlassian_jira/1.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..5ece9695f4 --- /dev/null +++ b/packages/atlassian_jira/1.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs @@ -0,0 +1,70 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" +request.url: {{api_url}}/rest/auditing/1.0/events +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#unless token}} +{{#if username}} +{{#if password}} +auth.basic.user: {{username}} +auth.basic.password: {{password}} +{{/if}} +{{/if}} +{{/unless}} + +request.transforms: +{{#unless username}} +{{#unless password}} +{{#if token}} + - set: + target: header.Authorization + value: Bearer {{token}} +{{/if}} +{{/unless}} +{{/unless}} + - set: + target: url.params.from + value: "[[.cursor.last_timestamp]]" + default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' + - set: + target: url.params.to + value: '[[formatDate now]]' + - set: + target: url.params.limit + value: {{ limit }} + + +response.split: + target: body.entities +response.pagination: + - set: + target: url.value + value: '[[ .last_response.body.pagingInfo.nextPageLink ]]' + fail_on_template_error: true + +cursor: + last_timestamp: + value: "[[.first_event.timestamp]]" + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file 
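Review bot: With both a token and a username/password configured, no authentication is emitted at all: the basic-auth block is guarded by `{{#unless token}}`, but the Bearer transform is guarded by `{{#unless username}}{{#unless password}}{{#if token}}`, so the token is dropped whenever either basic credential is present and nothing replaces it. If the Jira manifest carries the same wording as the Confluence one at the top of this page ("If set, Username and Password will be ignored"), the intended precedence is token-first, and the inner guard should reduce to `{{#if token}}` … `{{/if}}` with the two `{{#unless}}` wrappers and their `{{/unless}}` closers removed. Separately, `interval: {{interval}}`, `request.url: {{api_url}}/…`, `auth.basic.user: {{username}}` and `auth.basic.password: {{password}}` are expanded as plain scalars, so a value containing `: ` or ` #`, or starting with `*`/`&`/`[`, changes the YAML parse (a password is the likeliest to hit this); quoting these expansions is safer, and the same applies to `- {{path}}` and `- {{tag}}` in stream.yml.hbs in the next hunk.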
diff --git a/packages/atlassian_jira/1.1.2/data_stream/audit/agent/stream/stream.yml.hbs b/packages/atlassian_jira/1.1.2/data_stream/audit/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..c6e5ed4c73 --- /dev/null +++ b/packages/atlassian_jira/1.1.2/data_stream/audit/agent/stream/stream.yml.hbs @@ -0,0 +1,19 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +exclude_files: [".gz$"] +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/atlassian_jira/1.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/atlassian_jira/1.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..f1f95b9a44 --- /dev/null +++ b/packages/atlassian_jira/1.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,404 @@ +--- +description: Pipeline for processing sample logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: ecs.version + value: '8.0.0' +- rename: + field: message + target_field: event.original +- json: + field: event.original + target_field: json +- set: + field: _tmp.timestamp + copy_from: json.timestamp + if: ctx.json?.timestamp != null && ctx.json?.timestamp instanceof String +- set: + field: _tmp.timestamp + value: "{{json.timestamp.epochSecond}}.{{json.timestamp.nano}}" + if: ctx.json?.timestamp != null && ctx.json?.timestamp instanceof Map && ctx.json?.timestamp?.epochSecond != null && ctx.json?.timestamp?.nano != null +- date: + field: _tmp.timestamp + formats: + - UNIX + - ISO8601 + target_field: "@timestamp" +- rename: + field: json.source + target_field: source.address + ignore_missing: true +- convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: json.author.id + target_field: user.id + ignore_missing: true +- rename: + field: json.author.name + target_field: user.name + ignore_missing: true +- rename: + field: json.auditType + target_field: jira.audit.type + ignore_missing: true +- rename: + field: json.type + target_field: jira.audit.type + ignore_missing: true +- rename: + field: json.method + target_field: jira.audit.method + ignore_missing: true +- rename: + field: json.system + target_field: service.address + ignore_missing: true +- uri_parts: + field: service.address + target_field: _tmp.service 
+ ignore_failure: true + if: ctx.service?.address != null +- rename: + field: json.extraAttributes + target_field: jira.audit.extra_attributes + ignore_missing: true +- rename: + field: json.changedValues + target_field: jira.audit.changed_values + ignore_missing: true +- rename: + field: json.affectedObjects + target_field: jira.audit.affected_objects + ignore_missing: true +- set: + field: event.action + copy_from: jira.audit.type.actionI18nKey + ignore_empty_value: true +- script: + lang: painless + tag: Add ECS categorization + params: + jira.auditing.user.created: + category: + - iam + type: + - user + - creation + jira.auditing.user.updated: + category: + - iam + type: + - user + - change + jira.auditing.user.deleted: + category: + - iam + type: + - user + - deletion + jira.auditing.user.added.to.group: + category: + - iam + type: + - group + - change + jira.auditing.user.removed.from.group: + category: + - iam + type: + - group + - change + jira.auditing.user.logged.in: + category: + - authentication + type: + - start + outcome: success + jira.auditing.user.logged.out: + category: + - authentication + type: + - end + jira.auditing.user.password.changed: + category: + - iam + type: + - user + - change + outcome: success + jira.auditing.user.login.failed: + category: + - authentication + type: + - info + outcome: failure + jira.auditing.websudo.session.started: + category: + - authentication + type: + - start + jira.auditing.websudo.session.invalidated: + category: + - authentication + type: + - end + jira.auditing.group.created: + category: + - iam + type: + - group + - creation + jira.auditing.group.deleted: + category: + - iam + type: + - group + - deletion + jira.auditing.global.permission.added: + category: + - iam + - configuration + type: + - admin + - creation + personal.access.tokens.audit.log.summary.token.created: + category: + - iam + type: + - admin + - creation + personal.access.tokens.audit.log.summary.token.deleted: + category: + - iam + type: 
+ - admin + - deletion + jira.auditing.issue.type.created: + category: + - configuration + type: + - creation + atlassian.audit.event.action.audit.config.updated: + category: + - configuration + type: + - admin + - change + jira.auditing.project.created: + category: + - configuration + type: + - creation + jira.auditing.project.lead.updated: + category: + - configuration + type: + - change + jira.auditing.project.default.assignee.updated: + category: + - configuration + type: + - change + jira.auditing.project.updated: + category: + - configuration + type: + - change + jira.auditing.permission.scheme.removed.from.project: + category: + - configuration + - iam + type: + - deletion + jira.auditing.issue.type.screen.scheme.removed: + category: + - configuration + type: + - deletion + jira.auditing.project.deleted: + category: + - configuration + type: + - deletion + source: >- + ctx.event.kind = 'event'; + ctx.event.type = 'info'; + + if (ctx?.event?.action == null) { + return; + } + + if (params.get(ctx.event.action) == null) { + return; + } + + def hm = new HashMap(params.get(ctx.event.action)); + hm.forEach((k, v) -> ctx.event[k] = v); +- script: + lang: painless + description: Add ECS User fields + if: "['jira.auditing.category.usermanagement','jira.auditing.category.groupmanagement'].contains(ctx.jira?.audit?.type?.categoryI18nKey)" + source: >- + if (ctx?.event?.action == null) { + return; + } + if (ctx.group == null) { + Map map = new HashMap(); + ctx.put("group", map); + } + if (ctx.user == null) { + Map map = new HashMap(); + ctx.put("user", map); + } + if (ctx.user?.target == null) { + Map map = new HashMap(); + ctx.user.put("target", map); + } + if (ctx.user?.changes == null) { + Map map = new HashMap(); + ctx.user.put("changes", map); + } + if (ctx.user?.target?.group == null) { + Map map = new HashMap(); + ctx.user.target.put("group", map); + } + if(ctx.jira?.audit?.affected_objects != null) { + for (def j = 0; j < 
ctx.jira?.audit?.affected_objects.length; j++) { + if(ctx.jira?.audit?.affected_objects[j]?.type == 'GROUP') { + if(['jira.auditing.group.created', 'jira.auditing.group.deleted'].contains(ctx.event.action)) { + ctx.group.put("name", ctx.jira?.audit?.affected_objects[j]?.name); + } + if(['jira.auditing.user.added.to.group', 'jira.auditing.user.removed.from.group'].contains(ctx.event.action)) { + ctx.user.target.group.put("name", ctx.jira?.audit?.affected_objects[j]?.name); + ctx.user.target.group.put("id", ctx.jira?.audit?.affected_objects[j]?.id); + } + } + if(ctx.jira?.audit?.affected_objects[j]?.type == 'USER') { + if(['jira.auditing.user.created', 'jira.auditing.user.deleted','jira.auditing.user.password.changed','jira.auditing.user.updated','jira.auditing.user.added.to.group', 'jira.auditing.user.removed.from.group'].contains(ctx.event.action)) { + ctx.user.target.put("name", ctx.jira?.audit?.affected_objects[j]?.name); + ctx.user.target.put("id", ctx.jira?.audit?.affected_objects[j]?.id); + } + } + } + } + if(ctx.jira?.audit?.changed_values != null) { + for (def j = 0; j < ctx.jira?.audit?.changed_values.length; j++) { + if(['jira.auditing.user.renamed'].contains(ctx.event.action)) { + if(ctx.jira?.audit?.changed_values[j]?.i18nKey == 'common.words.username') { + ctx.user.changes.put("name", ctx.jira?.audit?.changed_values[j]?.to); + ctx.user.target.put("name", ctx.jira?.audit?.changed_values[j]?.from); + } + } + if(['jira.auditing.user.created','jira.auditing.user.updated'].contains(ctx.event.action)) { + if(ctx.jira?.audit?.changed_values[j]?.i18nKey == 'common.words.username') { + ctx.user.changes.put("name", ctx.jira?.audit?.changed_values[j]?.to); + if(ctx.jira?.audit?.changed_values[j]?.from != null) { + ctx.user.target.put("name", ctx.jira?.audit?.changed_values[j]?.from); + } + } + if(ctx.jira?.audit?.changed_values[j]?.i18nKey == 'common.words.email') { + ctx.user.changes.put("email", ctx.jira?.audit?.changed_values[j]?.to); + 
if(ctx.jira?.audit?.changed_values[j]?.from != null) { + ctx.user.target.put("email", ctx.jira?.audit?.changed_values[j]?.from); + } + } + if(ctx.jira?.audit?.changed_values[j]?.i18nKey == 'common.words.fullname') { + ctx.user.changes.put("full_name", ctx.jira?.audit?.changed_values[j]?.to); + if(ctx.jira?.audit?.changed_values[j]?.from != null) { + ctx.user.target.put("full_name", ctx.jira?.audit?.changed_values[j]?.from); + } + } + } + } + } +- append: + field: related.user + value: '{{user.name}}' + allow_duplicates: false + if: ctx.user?.name != null +- append: + field: related.user + value: '{{user.target.name}}' + allow_duplicates: false + if: ctx.user?.target?.name != null +- append: + field: related.user + value: '{{user.changes.name}}' + allow_duplicates: false + if: ctx.user?.changes?.name != null +- append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: ctx.source?.ip != null +- append: + field: related.hosts + value: '{{_tmp.service.domain}}' + allow_duplicates: false + if: ctx._tmp?.service?.domain != null +- remove: + field: + - json + - _tmp + ignore_missing: true +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/atlassian_jira/1.1.2/data_stream/audit/fields/agent.yml b/packages/atlassian_jira/1.1.2/data_stream/audit/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/atlassian_jira/1.1.2/data_stream/audit/fields/agent.yml 
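Review bot: The `convert` of `source.address` to `source.ip` (`type: ip`) carries only `ignore_missing: true`, so a non-IP value — a hostname, or a comma-separated list when the request traversed a proxy — fails that processor, and because the failure is caught only by the pipeline-level `on_failure`, every processor after it (geoip, user/group mapping, ECS categorization, the conditional `event.original` removal) is skipped and the document is indexed with just `error.message`. Adding `ignore_failure: true` to that `convert` keeps `source.address` as-is and lets the rest of the pipeline run. Also, `json.auditType` and `json.type` are both renamed to `jira.audit.type` without `ignore_failure`; if an event ever carried both keys the second rename would fail the same way — presumably the two keys come from the log-file and API sources respectively and never coexist, but that is worth confirming against real events.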
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/atlassian_jira/1.1.2/data_stream/audit/fields/base-fields.yml b/packages/atlassian_jira/1.1.2/data_stream/audit/fields/base-fields.yml new file mode 100755 index 0000000000..81519e92d2 --- /dev/null +++ b/packages/atlassian_jira/1.1.2/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: atlassian_jira +- name: event.dataset + type: constant_keyword + description: Event dataset + value: atlassian_jira.audit +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/atlassian_jira/1.1.2/data_stream/audit/fields/ecs.yml b/packages/atlassian_jira/1.1.2/data_stream/audit/fields/ecs.yml new file mode 100755 index 0000000000..3d6247b291 --- /dev/null +++ b/packages/atlassian_jira/1.1.2/data_stream/audit/fields/ecs.yml 
@@ -0,0 +1,137 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.target.full_name + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: User email address. + name: user.target.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.changes.name + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.changes.full_name + type: keyword +- description: User email address. + name: user.changes.email + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Full path to the log file this event came from, including the file name. 
It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Address where data about this service was collected from. + This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + name: service.address + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword diff --git a/packages/atlassian_jira/1.1.2/data_stream/audit/fields/fields.yml b/packages/atlassian_jira/1.1.2/data_stream/audit/fields/fields.yml new file mode 100755 index 0000000000..50681eeac3 --- /dev/null +++ b/packages/atlassian_jira/1.1.2/data_stream/audit/fields/fields.yml @@ -0,0 +1,43 @@ +- name: jira.audit + type: group + fields: + - name: type.categoryI18nKey + type: keyword + description: | + categoryI18nKey + - name: type.actionI18nKey + type: keyword + description: | + actionI18nKey + - name: type.category + type: keyword + description: | + Category + - name: type.action + type: keyword + description: | + Action + - name: type.area + type: keyword + description: | + Area + - name: type.level + type: keyword + description: | + Audit Level + - name: method + type: keyword + description: | + Method + - name: extra_attributes + type: flattened + description: | + Extra Attributes + - name: changed_values + type: flattened + description: | + Changed Values + - name: affected_objects + type: flattened + description: | + Affected Objects 
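Review bot: The `event.*` fields this data stream emits are not declared in this file: the sample event in sample_event.json carries `event.action`, `event.created`, `event.kind`, `event.type` and `event.original`, while this hunk declares only `ecs.version`, `error.message`, `tags` and the user/source/related/service/log fields, and the generated README table shows the same gap. Unless those fields are mapped by a template outside the package, they fall to dynamic mapping, which for `event.original` — a full copy of the raw record retained when `preserve_original_event` is set — most likely yields an indexed text field with a keyword sub-field rather than an unindexed keyword. I'd add entries for them, e.g. `- name: event.original` / `type: keyword` / `index: false`, together with `event.action`, `event.kind`, `event.type` and `event.created`, so the mapping is explicit and the README documents them.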
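Review bot: Every description in this block only restates its key (`categoryI18nKey`, `Method`, `Changed Values`), so the generated README tells an analyst nothing about what the field holds, and `description: |` also stores a trailing newline in each value. The ingest pipeline reads `changed_values[j].i18nKey`, `.from` and `.to`, and the sample event shows `extra_attributes` entries with `name`, `nameI18nKey` and `value` and `method: Browser`, so the shapes can be documented from what is already on the page, e.g. `description: Objects describing each changed value, with i18nKey, from and to.` for `changed_values` and `description: How the action was performed, for example Browser.` for `method`. Plain scalars or `>-` would drop the trailing newline.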
diff --git a/packages/atlassian_jira/1.1.2/data_stream/audit/manifest.yml b/packages/atlassian_jira/1.1.2/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..a2a18bda31
--- /dev/null
+++ b/packages/atlassian_jira/1.1.2/data_stream/audit/manifest.yml
@@ -0,0 +1,142 @@ +title: Jira Audit Logs +type: logs +streams: + - input: logfile + title: Jira audit logs + description: Collect Jira audit logs + template_path: stream.yml.hbs + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/atlassian/application-data/jira/log/audit/*.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - jira-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: httpjson + title: Jira audit logs via Jira audit API + description: Collect Jira audit logs via Jira audit API + enabled: false + template_path: httpjson.yml.hbs + vars: + - name: api_url + type: text + title: API URL + description: The API URL without the path. + multi: false + required: true + show_user: true + - name: username + type: text + title: Jira Username + description: JIRA Username. Needs to be used with a Password. Do not fill if you are using a personal access token. + multi: false + required: false + show_user: true + - name: password + type: password + title: Jira Password + description: JIRA Password. Needs to be used with a Username. Do not fill if you are using a personal access token. 
+ multi: false + required: false + show_user: true + - name: token + type: password + title: Personal Access Token + description: The Personal Access Token. If set, Username and Password will be ignored. + required: false + multi: false + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: true + default: 60s + - name: limit + type: integer + title: Limit + description: Number of events to fetch on each request + show_user: false + required: true + default: 1000 + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + description: Interval at which the logs will be pulled. The value must be between 2m and 1h. + default: 1h + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: false + description: Initial interval for the first API call. Defaults to 24 hours. + default: 24h + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - forwarded + - jira-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. 
\nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details." diff --git a/packages/atlassian_jira/1.1.2/data_stream/audit/sample_event.json b/packages/atlassian_jira/1.1.2/data_stream/audit/sample_event.json new file mode 100755 index 0000000000..d70d5ea8d1 --- /dev/null +++ b/packages/atlassian_jira/1.1.2/data_stream/audit/sample_event.json 
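Review bot: The `proxy_url` description `URL to proxy connections in the form of http[s]://:@:` has lost its placeholder tokens (apparently angle-bracketed names stripped as markup), so the help text shown to the operator is meaningless; I'd write it as `description: URL to proxy connections, in the form http[s]://[user:password@]host:port`. Because `proxy_url` is a `type: text` var, any credentials embedded in it are kept in the agent policy in cleartext, unlike `password` and `token`, which use `type: password`; the description should say so, or proxy credentials should get their own `password`-typed var. The `ssl` var (`type: yaml`) has no description or default at all; since this input sends the username/password or personal access token to `api_url` on every poll, a one-line description pointing to the input's SSL options and stating that the default certificate verification applies unless overridden would help operators. The `interval` description says the value must be between 2m and 1h, but nothing in the manifest enforces that, so the text should say where the limit comes from.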
@@ -0,0 +1,95 @@ +{ + "@timestamp": "2021-11-22T00:31:52.991Z", + "agent": { + "ephemeral_id": "970494dc-6fd0-4e64-bd87-6d1fc7deba3f", + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "atlassian_jira.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "atlassian.audit.event.action.audit.search", + "agent_id_status": "verified", + "created": "2021-12-24T00:59:55.629Z", + "dataset": "atlassian_jira.audit", + "ingested": "2021-12-24T00:59:56Z", + "kind": "event", + "original": "{\"affectedObjects\":[],\"author\":{\"avatarUri\":\"\",\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"41 - 90\"},{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"50\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-22T00:08:33.887Z - 2021-11-22T00:31:37.412Z\"}],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":\"2021-11-22T00:31:52.991Z\",\"type\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\"}}", + "type": "info" + }, + "input": { + "type": "httpjson" + }, + "jira": { + "audit": { + "extra_attributes": [ + { + "name": "ID Range", + "nameI18nKey": 
"atlassian.audit.event.attribute.id", + "value": "41 - 90" + }, + { + "name": "Query", + "nameI18nKey": "atlassian.audit.event.attribute.query" + }, + { + "name": "Results returned", + "nameI18nKey": "atlassian.audit.event.attribute.results", + "value": "50" + }, + { + "name": "Timestamp Range", + "nameI18nKey": "atlassian.audit.event.attribute.timestamp", + "value": "2021-11-22T00:08:33.887Z - 2021-11-22T00:31:37.412Z" + } + ], + "method": "Browser", + "type": { + "action": "Audit Log search performed", + "actionI18nKey": "atlassian.audit.event.action.audit.search", + "category": "Auditing", + "categoryI18nKey": "atlassian.audit.event.category.audit" + } + } + }, + "related": { + "hosts": [ + "jira.internal" + ], + "ip": [ + "10.50.33.72" + ], + "user": [ + "test.user" + ] + }, + "service": { + "address": "http://jira.internal:8088" + }, + "source": { + "address": "10.50.33.72", + "ip": "10.50.33.72" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "jira-audit" + ], + "user": { + "id": "10000", + "name": "test.user" + } +} \ No newline at end of file diff --git a/packages/atlassian_jira/1.1.2/docs/README.md b/packages/atlassian_jira/1.1.2/docs/README.md new file mode 100755 index 0000000000..e1ce8b09b9 --- /dev/null +++ b/packages/atlassian_jira/1.1.2/docs/README.md 
@@ -0,0 +1,204 @@ +# Atlassian Jira Integration + +The Jira integration collects audit logs from the audit log files or the [audit API](https://confluence.atlassian.com/jiracore/audit-log-improvements-for-developers-1019401815.html). + +## Logs + +### Audit + +The Jira integration collects audit logs from the audit log files or the audit API from self hosted Jira Data Center. It has been tested with Jira 8.20.2 but is expected to work with newer versions. This has not been tested with Jira Cloud and is not expected to work. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. 
| keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| jira.audit.affected_objects | Affected Objects | flattened | +| jira.audit.changed_values | Changed Values | flattened | +| jira.audit.extra_attributes | Extra Attributes | flattened | +| jira.audit.method | Method | keyword | +| jira.audit.type.action | Action | keyword | +| jira.audit.type.actionI18nKey | actionI18nKey | keyword | +| jira.audit.type.area | Area | keyword | +| jira.audit.type.category | Category | keyword | +| jira.audit.type.categoryI18nKey | categoryI18nKey | keyword | +| jira.audit.type.level | Audit Level | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.changes.email | User email address. | keyword | +| user.changes.full_name | User's full name, if available. | keyword | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. 
| keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2021-11-22T00:31:52.991Z", + "agent": { + "ephemeral_id": "970494dc-6fd0-4e64-bd87-6d1fc7deba3f", + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "atlassian_jira.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "atlassian.audit.event.action.audit.search", + "agent_id_status": "verified", + "created": "2021-12-24T00:59:55.629Z", + "dataset": "atlassian_jira.audit", + "ingested": "2021-12-24T00:59:56Z", + "kind": "event", + "original": "{\"affectedObjects\":[],\"author\":{\"avatarUri\":\"\",\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"41 - 90\"},{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results 
returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"50\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-22T00:08:33.887Z - 2021-11-22T00:31:37.412Z\"}],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":\"2021-11-22T00:31:52.991Z\",\"type\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\"}}", + "type": "info" + }, + "input": { + "type": "httpjson" + }, + "jira": { + "audit": { + "extra_attributes": [ + { + "name": "ID Range", + "nameI18nKey": "atlassian.audit.event.attribute.id", + "value": "41 - 90" + }, + { + "name": "Query", + "nameI18nKey": "atlassian.audit.event.attribute.query" + }, + { + "name": "Results returned", + "nameI18nKey": "atlassian.audit.event.attribute.results", + "value": "50" + }, + { + "name": "Timestamp Range", + "nameI18nKey": "atlassian.audit.event.attribute.timestamp", + "value": "2021-11-22T00:08:33.887Z - 2021-11-22T00:31:37.412Z" + } + ], + "method": "Browser", + "type": { + "action": "Audit Log search performed", + "actionI18nKey": "atlassian.audit.event.action.audit.search", + "category": "Auditing", + "categoryI18nKey": "atlassian.audit.event.category.audit" + } + } + }, + "related": { + "hosts": [ + "jira.internal" + ], + "ip": [ + "10.50.33.72" + ], + "user": [ + "test.user" + ] + }, + "service": { + "address": "http://jira.internal:8088" + }, + "source": { + "address": "10.50.33.72", + "ip": "10.50.33.72" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "jira-audit" + ], + "user": { + "id": "10000", + "name": "test.user" + } +} +``` diff --git a/packages/atlassian_jira/1.1.2/img/jira-software-logo.svg b/packages/atlassian_jira/1.1.2/img/jira-software-logo.svg new file mode 100755 index 0000000000..425970f547 --- /dev/null 
+++ b/packages/atlassian_jira/1.1.2/img/jira-software-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/atlassian_jira/1.1.2/manifest.yml b/packages/atlassian_jira/1.1.2/manifest.yml
new file mode 100755
index 0000000000..0256ef5f3a
--- /dev/null
+++ b/packages/atlassian_jira/1.1.2/manifest.yml
@@ -0,0 +1,31 @@
+format_version: 1.0.0
+name: atlassian_jira
+title: Atlassian Jira
+version: 1.1.2
+license: basic
+description: Collect logs from Atlassian Jira with Elastic Agent.
+type: integration
+categories:
+ - security
+ - web
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/jira-software-logo.svg
+ title: Jira Software Logo
+ size: 590x625
+ type: image/svg+xml
+policy_templates:
+ - name: audit
+ title: Audit Logs
+ description: Collect audit logs from Atlassian Jira with Elastic Agent.
+ inputs:
+ - type: logfile
+ title: "Collect Jira audit logs via log files"
+ description: "Collecting audit logs from Jira via log files"
+ - type: httpjson
+ title: "Collect Jira audit logs via API"
+ description: "Collecting audit logs from Jira via API"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/auditd/2.1.2/changelog.yml b/packages/auditd/2.1.2/changelog.yml
new file mode 100755
index 0000000000..9be00c47b3
--- /dev/null
+++ b/packages/auditd/2.1.2/changelog.yml
@@ -0,0 +1,115 @@
+# newer versions go on top
+- version: "2.1.2"
+ changes:
+ - description: Set event.outcome value according ECS specification
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3079
+- version: "2.1.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "2.1.0"
+ changes:
+ - description: Store EXECVE arguments in process.args array.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2730
+- version: "2.0.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2380
+ - description: process.ppid is replaced with process.parent.pid (breaking change)
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2380
+- version: "1.3.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.3.0"
+ changes:
+ - description: Change test IPs to the supported set for GeoIP
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2215
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2215
+- version: "1.2.4"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2002
+- version: "1.2.3"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1938
+- version: "1.2.2"
+ changes:
+ - description: Ensure boolean fields are true/false
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1896
+- version: "1.2.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1796
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1637
+- version: "1.1.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1464
+- version: '1.1.2'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1370
+- version: "1.1.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "1.1.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1215
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1215
+- version: "0.2.0"
+ changes:
+ - description: update to ECS 1.10.0 and apply changes to prepare for package GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1031
+- version: "0.1.2"
+ changes:
+ - description: set version in the ingest pipeline and make event.original optional
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/989
+- version: "0.1.1"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/833
+- version: "0.1.0"
+ changes:
+ - description: Add changes to use ECS 1.8 fields.
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/715
+- version: "0.0.1"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/396
diff --git a/packages/auditd/2.1.2/data_stream/log/agent/stream/log.yml.hbs b/packages/auditd/2.1.2/data_stream/log/agent/stream/log.yml.hbs
new file mode 100755
index 0000000000..c6e5ed4c73
--- /dev/null
+++ b/packages/auditd/2.1.2/data_stream/log/agent/stream/log.yml.hbs
@@ -0,0 +1,19 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+exclude_files: [".gz$"]
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/auditd/2.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/auditd/2.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..d4618e3cd4
--- /dev/null
+++ b/packages/auditd/2.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
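Review bot: In the log.yml.hbs hunk, `- {{path}}` and `- {{tag}}` are rendered as plain unquoted scalars, so a configured path or tag that contains ` #` or `: `, starts with `*`, `[` or `{`, or merely looks like a boolean or number (a tag of `on` or `123`) is retyped or mis-parsed by the YAML loader instead of reaching the input as a string. Quoting the interpolations, `  - '{{path}}'` and `  - '{{tag}}'`, keeps each value a string whatever the operator typed; if the template renderer HTML-escapes quote characters, the triple-stash form `'{{{path}}}'` is the unescaped equivalent, so this should be checked against the renderer and against the sibling stream templates so the convention stays uniform. The `processors:` / `{{processors}}` pair follows the usual block-substitution convention and needs no change. The file also ends without a trailing newline.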
@@ -0,0 +1,2243 @@ +--- +description: Pipeline for parsing Linux auditd logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_failure: true + - grok: + field: event.original + pattern_definitions: + AUDIT_TYPE: "type=%{NOTSPACE:auditd.log.record_type}" + AUDIT_NODE: "node=%{IPORHOST:auditd.log.node} " + AUDIT_PREFIX: "^(?:%{AUDIT_NODE})?%{AUDIT_TYPE} msg=audit\\(%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\\):(%{DATA})?" + AUDIT_KEY_VALUES: "%{WORD}=%{GREEDYDATA}" + ANY: ".*" + patterns: + - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} old auid=%{NUMBER:auditd.log.old_auid} + new auid=%{NUMBER:auditd.log.new_auid} old ses=%{NUMBER:auditd.log.old_ses} + new ses=%{NUMBER:auditd.log.new_ses}" + - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} msg=['\"]([^=]*\\s)?%{ANY:auditd.log.sub_kv}['\"]" + - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv}" + - "%{AUDIT_PREFIX}" + - "%{AUDIT_TYPE} %{AUDIT_KEY_VALUES:auditd.log.kv}" + - kv: + field: auditd.log.kv + field_split: "\\s+" + value_split: "=" + target_field: auditd.log + - kv: + field: auditd.log.sub_kv + field_split: "\\s+(?=[^\\s]+=)" + value_split: "=" + target_field: auditd.log + ignore_missing: true + - date: + field: auditd.log.epoch + target_field: "@timestamp" + formats: + - UNIX + ignore_failure: true + - rename: + ignore_failure: true + field: auditd.log.old-auid + target_field: auditd.log.old_auid + - rename: + ignore_failure: true + field: auditd.log.old-ses + target_field: auditd.log.old_ses + - script: + lang: painless + source: | + String trimQuotes(def singleQuote, def doubleQuote, def v) { + if (v.startsWith(singleQuote) || v.startsWith(doubleQuote)) { + v = v.substring(1, v.length()); + } + if (v.endsWith(singleQuote) || v.endsWith(doubleQuote)) { + v = v.substring(0, v.length()-1); + } + return v; + } + + boolean isHexAscii(String v) { + def len = v.length(); + + if (len == 0 || len % 2 != 0) { + 
return false; + } + + for (int i = 0 ; i < len ; i++) { + if (Character.digit(v.charAt(i), 16) == -1) { + return false; + } + } + return true; + } + + String convertHexToString(String hex) { + StringBuilder sb = new StringBuilder(); + boolean needed_encoding = false; + + for (int i=0; i < hex.length() - 1; i+=2) { + int cp = Integer.parseInt(hex.substring(i, (i +2)), 16); + if (cp < 33 || cp == 34 || cp == 127) { + needed_encoding = true; + } + if (cp < 32 || cp == 127) { + sb.append('^'); + cp ^= 64; + } + sb.append((char)cp); + } + if (needed_encoding) { + return sb.toString(); + } + return hex; + } + + Boolean convertStringToBoolean(String value) { + value = value.toLowerCase(); + return value == "yes" || value == "true" || value == "1"; + } + + def possibleHexKeys = ["exe", "cmd", "data", "path", "comm", "file", "name", "watch", "cwd", "acct", "dir", "vm", "old-chardev", "new-chardev", "old-disk", "new-disk", "old-fs", "new-fs", "old-net", "new-net", "device", "cgroup", "apparmor", "operation", "denied_mask", "info", "profile", "requested_mask", "old-rng", "new-rng", "ocomm", "grp", "new_group", "invalid_context", "sw", "root_dir", "proctitle"]; + def possibleBooleanKeys = ["success", "key_enforce"]; + def audit = ctx.auditd.get("log"); + Iterator entries = audit.entrySet().iterator(); + + while (entries.hasNext()) { + def e = entries.next(); + def k = e.getKey(); + def v = e.getValue(); + + // Remove entries whose value is ? + if (v == "?" || v == "(null)" || v == "") { + entries.remove(); + continue; + } + + // Convert hex values to ASCII. + if (possibleHexKeys.contains(k) && isHexAscii(v)) { + v = convertHexToString(v); + audit.put(k, v); + } + + // Convert string values to boolean. + if (possibleBooleanKeys.contains(k) && v instanceof String) { + v = convertStringToBoolean(v); + audit.put(k, v); + } + + // Trim quotes. + if (v instanceof String) { + v = trimQuotes(params.single_quote, params.double_quote, v); + audit.put(k, v); + } + + // Convert arch. 
+ if (k == "arch" && v == "c000003e") { + audit.put(k, "x86_64"); + } + } + params: + single_quote: "'" + double_quote: "\"" + - convert: + field: auditd.log.sequence + type: long + ignore_missing: true + - convert: + field: auditd.log.lport + type: long + ignore_missing: true + - convert: + field: auditd.log.rport + type: long + ignore_missing: true + - convert: + field: auditd.log.entries + type: long + ignore_missing: true + - convert: + field: auditd.log.dst_prefixlen + type: long + ignore_missing: true + - convert: + field: auditd.log.ksize + type: long + ignore_missing: true + - convert: + field: auditd.log.size + type: long + ignore_missing: true + - convert: + field: auditd.log.src_prefixlen + type: long + ignore_missing: true + - set: + field: event.kind + value: event + - script: + lang: painless + ignore_failure: true + # Auditd record type to ECS mappings + # AUTOGENERATED FROM go-libaudit v2.2.0, DO NOT EDIT + params: + syscalls: + '*': + - event: + category: + - process + type: + - info + accept: + - event: + action: + - accepted-connection-from + category: + - network + type: + - connection + - start + accept4: + - event: + action: + - accepted-connection-from + category: + - network + type: + - connection + - start + access: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + adjtimex: + - event: + action: + - changed-system-time + category: + - host + type: + - change + bind: + - event: + action: + - bound-socket + category: + - network + type: + - start + brk: + - event: + action: + - allocated-memory + category: + - process + type: + - info + chmod: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + chown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + clock_settime: + - event: + action: + - changed-system-time + category: + - host + type: + - change + connect: + - event: + action: + - connected-to + category: + - network + 
type: + - connection + - start + creat: + - event: + action: + - opened-file + category: + - file + type: + - creation + delete_module: + - event: + action: + - unloaded-kernel-module + category: + - driver + type: + - end + execve: + - event: + action: + - executed + category: + - process + type: + - start + execveat: + - event: + action: + - executed + category: + - process + type: + - start + faccessat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fallocate: + - event: + action: + - opened-file + category: + - file + type: + - change + fchmod: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + fchmodat: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + fchown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + fchownat: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + fgetxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + finit_module: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + fremovexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + fsetxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + fstat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fstatat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fstatfs: + - event: + action: + - checked-filesystem-metadata-of + category: + - file + type: + - info + ftruncate: + - event: + action: + - opened-file + category: + - file + type: + - change + futimens: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + futimesat: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + getxattr: + - 
event: + action: + - checked-metadata-of + category: + - file + type: + - info + init_module: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + kill: + - event: + action: + - killed-pid + category: + - process + type: + - end + lchown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + lgetxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + listen: + - event: + action: + - listen-for-connections + category: + - network + type: + - start + lremovexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + lsetxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + lstat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + mkdir: + - event: + action: + - created-directory + category: + - file + type: + - creation + mkdirat: + - event: + action: + - created-directory + category: + - file + type: + - creation + mknod: + - event: + action: + - make-device + category: + - file + type: + - creation + mknodat: + - event: + action: + - make-device + category: + - file + type: + - creation + mmap: + - event: + action: + - allocated-memory + category: + - process + type: + - info + mmap2: + - event: + action: + - allocated-memory + category: + - process + type: + - info + mount: + - event: + action: + - mounted + category: + - file + type: + - creation + newfstatat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + open: + - event: + action: + - opened-file + category: + - file + type: + - info + openat: + - event: + action: + - opened-file + category: + - file + type: + - info + read: + - event: + action: + - read-file + category: + - file + type: + - info + readlink: + - event: + action: + - opened-file + category: + - file + type: + - info + readlinkat: + - event: + action: + - opened-file + category: + 
- file + type: + - info + recv: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvfrom: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvmmsg: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvmsg: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + removexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + rename: + - event: + action: + - renamed + category: + - file + type: + - change + renameat: + - event: + action: + - renamed + category: + - file + type: + - change + renameat2: + - event: + action: + - renamed + category: + - file + type: + - change + rmdir: + - event: + action: + - deleted + category: + - file + type: + - deletion + sched_setattr: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + sched_setparam: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + sched_setscheduler: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + send: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendmmsg: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendmsg: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendto: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + setdomainname: + - event: + action: + - changed-system-name + category: + - host + type: + - change + setegid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + seteuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setfsgid: + - event: + action: + - changed-identity-of + 
category: + - process + type: + - change + setfsuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + sethostname: + - event: + action: + - changed-system-name + category: + - host + type: + - change + setregid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setresgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setresuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setreuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + settimeofday: + - event: + action: + - changed-system-time + category: + - host + type: + - change + setuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + stat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + stat64: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + statfs: + - event: + action: + - checked-filesystem-metadata-of + category: + - file + type: + - info + stime: + - event: + action: + - changed-system-time + category: + - host + type: + - change + symlink: + - event: + action: + - symlinked + category: + - file + type: + - creation + symlinkat: + - event: + action: + - symlinked + category: + - file + type: + - creation + tgkill: + - event: + action: + - killed-pid + category: + - process + type: + - end + tkill: + - event: + action: + - killed-pid + category: + - process + type: + - end + truncate: + - event: + action: + - opened-file + category: + - file + type: + - change + umount: + - event: + action: + - unmounted + category: + - file + type: + - deletion + umount2: + - event: + action: + - unmounted + 
category: + - file + type: + - deletion + unlink: + - event: + action: + - deleted + category: + - file + type: + - deletion + unlinkat: + - event: + action: + - deleted + category: + - file + type: + - deletion + utime: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + utimensat: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + utimes: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + write: + - event: + action: + - wrote-to-file + category: + - file + type: + - change + types: + ACCT_LOCK: + - event: + action: + - locked-account + category: + - iam + type: + - user + - info + ACCT_UNLOCK: + - event: + action: + - unlocked-account + category: + - iam + type: + - user + - info + ADD_GROUP: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: group + event: + action: + - added-group-account-to + category: + - iam + type: + - group + - creation + ADD_USER: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: user.target + event: + action: + - added-user-account + category: + - iam + type: + - user + - creation + ANOM_ABEND: + - event: + action: + - crashed-program + category: + - process + type: + - end + ANOM_EXEC: + - event: + action: + - attempted-execution-of-forbidden-program + category: + - process + type: + - start + ANOM_LINK: + - event: + action: + - used-suspicious-link + ANOM_LOGIN_FAILURES: + - event: + action: + - failed-log-in-too-many-times-to + ANOM_LOGIN_LOCATION: + - event: + action: + - attempted-log-in-from-unusual-place-to + ANOM_LOGIN_SESSIONS: + - event: + action: + - opened-too-many-sessions-to + ANOM_LOGIN_TIME: + - event: + action: + - attempted-log-in-during-unusual-hour-to + ANOM_PROMISCUOUS: + - event: + action: + - changed-promiscuous-mode-on-device + ANOM_RBAC_INTEGRITY_FAIL: + - event: + action: + - 
tested-file-system-integrity-of + AVC: + - event: + action: + - violated-selinux-policy + has_fields: + - seresult + - event: + action: + - violated-apparmor-policy + has_fields: + - apparmor + CHGRP_ID: + - event: + action: + - changed-group + category: + - process + type: + - change + CHUSER_ID: + - event: + action: + - changed-user-id + category: + - process + type: + - change + CONFIG_CHANGE: + - event: + action: + - changed-audit-configuration + category: + - process + - configuration + type: + - change + CRED_ACQ: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - acquired-credentials + category: + - authentication + type: + - info + CRED_DISP: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - disposed-credentials + category: + - authentication + type: + - info + CRED_REFR: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - refreshed-credentials + category: + - authentication + type: + - info + CRYPTO_KEY_USER: + - event: + action: + - negotiated-crypto-key + category: + - process + type: + - info + CRYPTO_LOGIN: + - event: + action: + - crypto-officer-logged-in + CRYPTO_LOGOUT: + - event: + action: + - crypto-officer-logged-out + category: + - process + type: + - info + CRYPTO_SESSION: + - event: + action: + - started-crypto-session + category: + - process + type: + - info + DAC_CHECK: + - event: + action: + - access-result + DAEMON_ABORT: + - event: + action: + - aborted-auditd-startup + category: + - process + type: + - stop + DAEMON_ACCEPT: + - event: + action: + - remote-audit-connected + category: + - network + type: + - connection + - start + DAEMON_CLOSE: + - event: + action: + - remote-audit-disconnected + category: + - network + type: + - connection + - start + DAEMON_CONFIG: + - event: + action: + - changed-auditd-configuration + category: + - 
process + - configuration + type: + - change + DAEMON_END: + - event: + action: + - shutdown-audit + category: + - process + type: + - stop + DAEMON_ERR: + - event: + action: + - audit-error + category: + - process + type: + - info + DAEMON_RECONFIG: + - event: + action: + - reconfigured-auditd + category: + - process + - configuration + type: + - info + DAEMON_RESUME: + - event: + action: + - resumed-audit-logging + category: + - process + type: + - change + DAEMON_ROTATE: + - event: + action: + - rotated-audit-logs + category: + - process + type: + - change + DAEMON_START: + - event: + action: + - started-audit + category: + - process + type: + - start + DEL_GROUP: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: group + event: + action: + - deleted-group-account-from + category: + - iam + type: + - group + - deletion + DEL_USER: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: user.target + event: + action: + - deleted-user-account + category: + - iam + type: + - user + - deletion + FEATURE_CHANGE: + - event: + action: + - changed-audit-feature + category: + - configuration + type: + - change + FS_RELABEL: + - event: + action: + - relabeled-filesystem + GRP_AUTH: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + event: + action: + - authenticated-to-group + category: + - authentication + type: + - info + GRP_CHAUTHTOK: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - acct + - id + - uid + to: group + event: + action: + - changed-group-password + category: + - iam + type: + - group + - change + GRP_MGMT: + - copy: + - from: + - auid + to: user + - from: + - uid + to: group + - from: + - uid + to: user.effective + event: + action: + - modified-group-account + category: + - iam + type: + - group + - change + KERNEL: + - event: + action: + - initialized-audit-subsystem + 
category: + - process + type: + - info + KERN_MODULE: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + LABEL_LEVEL_CHANGE: + - event: + action: + - modified-level-of + LABEL_OVERRIDE: + - event: + action: + - overrode-label-of + LOGIN: + - copy: + - from: + - old_auid + - old-auid + to: user + - from: + - new-auid + - new_auid + - auid + to: user.effective + event: + action: + - changed-login-id-to + category: + - authentication + type: + - start + MAC_CHECK: + - event: + action: + - mac-permission + MAC_CONFIG_CHANGE: + - event: + action: + - changed-selinux-boolean + category: + - configuration + type: + - change + MAC_POLICY_LOAD: + - event: + action: + - loaded-selinux-policy + category: + - configuration + type: + - access + MAC_STATUS: + - event: + action: + - changed-selinux-enforcement + category: + - configuration + type: + - change + NETFILTER_CFG: + - event: + action: + - loaded-firewall-rule-to + category: + - configuration + type: + - change + ROLE_ASSIGN: + - event: + action: + - assigned-user-role-to + category: + - iam + type: + - user + - change + ROLE_MODIFY: + - event: + action: + - modified-role + category: + - iam + type: + - change + ROLE_REMOVE: + - event: + action: + - removed-user-role-from + category: + - iam + type: + - user + - change + SECCOMP: + - event: + action: + - violated-seccomp-policy + SELINUX_ERR: + - event: + action: + - caused-mac-policy-error + SERVICE_START: + - event: + action: + - started-service + category: + - process + type: + - start + SERVICE_STOP: + - event: + action: + - stopped-service + category: + - process + type: + - stop + SOFTWARE_UPDATE: + - event: + action: + - package-updated + category: + - package + type: + - info + SYSTEM_BOOT: + - event: + action: + - booted-system + category: + - host + type: + - start + SYSTEM_RUNLEVEL: + - event: + action: + - changed-to-runlevel + category: + - host + type: + - change + SYSTEM_SHUTDOWN: + - event: + action: + - 
shutdown-system + category: + - host + type: + - end + TEST: + - event: + action: + - sent-test + category: + - process + type: + - info + TRUSTED_APP: + - event: + action: + - unknown + category: + - process + type: + - info + TTY: + - event: + action: + - typed + USER: + - event: + action: + - sent-message + USER_ACCT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - was-authorized + category: + - authentication + type: + - info + USER_AUTH: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - authenticated + category: + - authentication + type: + - info + USER_AVC: + - event: + action: + - access-permission + USER_CHAUTHTOK: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - acct + - id + - uid + to: user.target + event: + action: + - changed-password + category: + - iam + type: + - user + - change + USER_CMD: + - event: + action: + - ran-command + category: + - process + type: + - start + USER_END: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - ended-session + category: + - session + type: + - end + USER_ERR: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - error + category: + - authentication + type: + - info + USER_LOGIN: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - logged-in + category: + - authentication + type: + - start + USER_LOGOUT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - logged-out + category: + - authentication + type: + - end + USER_MAC_CONFIG_CHANGE: + - event: + action: + - changed-mac-configuration + category: + - configuration + type: + - change + USER_MAC_POLICY_LOAD: + - event: + 
action: + - loaded-mac-policy + category: + - configuration + type: + - access + USER_MGMT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.target + - from: + - uid + to: user.effective + event: + action: + - modified-user-account + category: + - iam + type: + - user + - change + USER_ROLE_CHANGE: + - event: + action: + - changed-role-to + USER_SELINUX_ERR: + - event: + action: + - access-error + USER_START: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - started-session + category: + - session + type: + - start + USER_TTY: + - event: + action: + - typed + USYS_CONFIG: + - event: + action: + - changed-configuration + category: + - configuration + type: + - change + VIRT_CONTROL: + - event: + action: + - issued-vm-control + category: + - host + type: + - info + VIRT_CREATE: + - event: + action: + - created-vm-image + category: + - host + type: + - info + VIRT_DESTROY: + - event: + action: + - deleted-vm-image + category: + - host + type: + - info + VIRT_INTEGRITY_CHECK: + - event: + action: + - checked-integrity-of + category: + - host + type: + - info + VIRT_MACHINE_ID: + - event: + action: + - assigned-vm-id + category: + - host + type: + - info + VIRT_MIGRATE_IN: + - event: + action: + - migrated-vm-from + category: + - host + type: + - info + VIRT_MIGRATE_OUT: + - event: + action: + - migrated-vm-to + category: + - host + type: + - info + VIRT_RESOURCE: + - event: + action: + - assigned-vm-resource + category: + - host + type: + - info + # END OF AUTOGENERATED + source: >- + boolean hasFields(HashMap base, def list) { + if (list == null) return true; + for (int i=0; i ctx.event[k] = v); + } + if (act?.copy != null) { + List lst = new ArrayList(); + for(int i=0; i 0) { + ctx.auditd.log["copy"] = lst; + } + } + - foreach: + field: auditd.log.copy + ignore_missing: true + processor: + set: + field: "{{_ingest._value.target}}" + value: 
"{{_ingest._value.value}}" + - set: + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + field: event.category + value: host + - set: + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + field: event.type + value: info + - set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.category + value: process + - set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.type + value: info + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' || ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: event.category + value: host + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'start'" + field: event.type + value: start + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'stop'" + field: event.type + value: end + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'create'" + field: event.type + value: creation + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'delete'" + field: event.type + value: deletion + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: event.type + value: creation + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: container.name + value: "{{ auditd.log.vm }}" + ignore_empty_value: true + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: container.runtime + value: "{{ auditd.log.virt }}" + ignore_empty_value: true + - set: + if: > + ctx.auditd.log?.record_type == 'SYSCALL' && ( + ctx.auditd.log?.syscall == 'accept' || ctx.auditd.log?.syscall == '43' || + ctx.auditd.log?.syscall == 'recvfrom' || ctx.auditd.log?.syscall == '45' || + ctx.auditd.log?.syscall == 'recvmsg' || ctx.auditd.log?.syscall == '47' || + 
ctx.auditd.log?.syscall == 'accept4' || ctx.auditd.log?.syscall == '288' ) + field: network.direction + value: ingress + - set: + if: > + ctx.auditd.log?.record_type == 'SYSCALL' && ( + ctx.auditd.log?.syscall == 'connect' || ctx.auditd.log?.syscall == '42' || + ctx.auditd.log?.syscall == 'sendto' || ctx.auditd.log?.syscall == '44' || + ctx.auditd.log?.syscall == 'sendmsg' || ctx.auditd.log?.syscall == '46') + field: network.direction + value: egress + - set: + copy_from: auditd.log.arch + field: host.architecture + if: ctx.auditd.log?.arch != null + - rename: + ignore_failure: true + field: auditd.log.acct + target_field: user.name + - rename: + ignore_failure: true + field: auditd.log.user + target_field: user.name + - rename: + ignore_failure: true + field: auditd.log.uid + target_field: user.id + - rename: + ignore_failure: true + field: auditd.log.gid + target_field: user.group.id + - rename: + ignore_failure: true + field: auditd.log.agid + target_field: user.audit.group.id + - rename: + ignore_failure: true + field: auditd.log.auid + target_field: user.audit.id + - rename: + ignore_failure: true + field: auditd.log.fsgid + target_field: user.filesystem.group.id + - rename: + ignore_failure: true + field: auditd.log.fsuid + target_field: user.filesystem.id + - rename: + ignore_failure: true + field: auditd.log.egid + target_field: user.effective.group.id + - rename: + ignore_failure: true + field: auditd.log.euid + target_field: user.effective.id + - rename: + ignore_failure: true + field: auditd.log.sgid + target_field: user.saved.group.id + - rename: + ignore_failure: true + field: auditd.log.suid + target_field: user.saved.id + - rename: + ignore_failure: true + field: auditd.log.ogid + target_field: user.owner.group.id + - rename: + ignore_failure: true + field: auditd.log.ouid + target_field: user.owner.id + - rename: + ignore_failure: true + field: auditd.log.comm + target_field: process.name + - rename: + ignore_failure: true + field: auditd.log.exe + 
target_field: process.executable + - rename: + ignore_failure: true + field: auditd.log.pid + target_field: process.pid + - rename: + ignore_failure: true + field: auditd.log.ppid + target_field: process.parent.pid + - convert: + ignore_missing: true + field: process.pid + type: long + - convert: + ignore_missing: true + field: process.parent.pid + type: long + - rename: + ignore_failure: true + field: auditd.log.cmd + target_field: process.args + - split: + ignore_failure: true + field: process.args + separator: "\\s+" + - rename: + ignore_failure: true + field: auditd.log.argc + target_field: process.args_count + - script: + if: "ctx?.process?.args != null" + lang: painless + source: >- + if (ctx.process.args instanceof List) { + ctx.process.args_count = ctx.process.args.length; + } + - convert: + ignore_missing: true + field: process.args_count + type: long + - rename: + ignore_failure: true + field: auditd.log.exit + target_field: process.exit_code + - convert: + ignore_missing: true + field: process.exit_code + type: long + - rename: + ignore_missing: true + field: auditd.log.cwd + target_field: process.working_directory + - rename: + ignore_failure: true + field: auditd.log.terminal + target_field: user.terminal + - rename: + ignore_failure: true + field: auditd.log.msg + target_field: message + - set: + if: (ctx?.auditd?.log?.res != null && ["1", "success"].contains(ctx.auditd.log.res)) + field: event.outcome + value: "success" + ignore_failure: true + - set: + if: (ctx?.auditd?.log?.res != null && ["0", "failed"].contains(ctx.auditd.log.res)) + field: event.outcome + value: "failure" + ignore_failure: true + - set: + if: (ctx?.auditd?.log?.res != null && !["0", "1", "success", "failed"].contains(ctx.auditd.log.res)) + field: event.outcome + value: "unknown" + ignore_failure: true + # The processor below populates process.args list from argN fields. 
+ # + # It handles the common case of a complete record: Contains argc=N and a0 to aN-1, + # and the truncated case: Contains aI, aI+1, ..., aN-1, for I>0, and no argc. + - script: + lang: painless + description: Extracts process arguments from EXECVE calls. + if: 'ctx.auditd?.log?.record_type == "EXECVE"' + source: >- + /* Want to capture all aNN fields, including aN_len and aN[x] */ + Pattern argRegex = /^a([0-9]+)(.*)$/; + + List keys = ctx.auditd.log.keySet().stream() + /* From List of keys to list of matchers */ + .map(x -> argRegex.matcher(x)) + /* Drop elements that didn't match the regex */ + .filter(x -> x.matches()) + /* Must save to a list because it needs to remove keys in auditd.log, + which cannot be done while streaming from this source */ + .collect(Collectors.toList()); + + List args = keys.stream() + /* List to List<[Matcher, Value for given key]> + with side effect of removing the key */ + .map(x -> [x, ctx.auditd.log.remove(x.group(0))]) + /* Drop elements that end in _len, just wanted to remove them */ + .filter(x -> x[0].group(2) != "_len") + /* List to List<[Int, Value]> + where the Int is the argument index */ + .map(x -> [Integer.parseInt(x[0].group(1)), x[1]]) + /* Sort by numeric argument index */ + .sorted((lhs, rhs) -> lhs[0].compareTo(rhs[0])) + /* Save as List<[Index, Value]> */ + .collect(Collectors.toList()); + + if (args.isEmpty()) return; + if (ctx.process == null) ctx.process = new HashMap(); + ctx.process.args = args.stream().map(x -> x[1]).collect(Collectors.toList()); + def firstIndex = args[0][0]; + if (firstIndex == 0) { + ctx.process.executable = ctx.process.args[0]; + } else { + ctx.process.args.add(0, "[... 
" + firstIndex + " truncated arguments ...]"); + } + on_failure: + - append: + field: error.message + value: "failed extracting process arguments: {{{ _ingest.on_failure_message }}}" + - rename: + ignore_failure: true + field: auditd.log.record_type + target_field: event.action + - lowercase: + ignore_failure: true + field: event.action + - rename: + ignore_failure: true + field: auditd.log.src + target_field: source.address + - rename: + ignore_failure: true + field: auditd.log.addr + target_field: source.address + if: ctx?.source?.address == null + - rename: + ignore_failure: true + field: auditd.log.dst + target_field: destination.address + - grok: + field: source.address + patterns: + - "^%{IP:source.ip}$" + ignore_failure: true + - geoip: + field: source.ip + target_field: source.geo + ignore_failure: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - remove: + field: + - auditd.log.kv + - auditd.log.sub_kv + - auditd.log.epoch + - auditd.log.copy + - auditd.log.arch + - auditd.log.res + ignore_failure: true + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/auditd/2.1.2/data_stream/log/fields/agent.yml b/packages/auditd/2.1.2/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/auditd/2.1.2/data_stream/log/fields/agent.yml 
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/auditd/2.1.2/data_stream/log/fields/base-fields.yml b/packages/auditd/2.1.2/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..5e4ff67d8d --- /dev/null +++ b/packages/auditd/2.1.2/data_stream/log/fields/base-fields.yml @@ -0,0 +1,25 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: auditd +- name: event.dataset + type: constant_keyword + description: Event dataset + value: auditd.log +- name: '@timestamp' + type: date + description: Event timestamp. +- name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + ignore_above: 1024 + type: keyword diff --git a/packages/auditd/2.1.2/data_stream/log/fields/ecs.yml b/packages/auditd/2.1.2/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..8ec2a65561 --- /dev/null +++ b/packages/auditd/2.1.2/data_stream/log/fields/ecs.yml 
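Review bot: `example: 666777888999` for `cloud.account.id` is an unquoted all-digit scalar, so a YAML loader reads it as an integer even though the field is `keyword`; quote it as `example: "666777888999"`, matching the quoted examples already used for `host.os.build` and `host.os.codename` further down the same file. The `containerized`, `os.build` and `os.codename` entries also use folded `>` descriptions followed by a blank line, which keeps a trailing newline in the value while every other description in the file is a plain or quoted scalar; `>-` or a plain scalar would keep them uniform.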
@@ -0,0 +1,196 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: Operating system architecture. + name: host.architecture + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + The exit code of the process, if this is a termination event. + The field should be absent if there is no exit code for the event (e.g. process start). + name: process.exit_code + type: long +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: |- + Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Unique identifier for the group on the system/platform. + name: user.effective.group.id + type: keyword +- description: Name of the group. + name: user.effective.group.name + type: keyword +- description: Unique identifier of the user. + name: user.effective.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.effective.name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. 
+ multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/auditd/2.1.2/data_stream/log/fields/fields.yml b/packages/auditd/2.1.2/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..90ad2435ae --- /dev/null +++ b/packages/auditd/2.1.2/data_stream/log/fields/fields.yml 
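Review bot: Several fields in this ecs.yml are also declared in sibling field files of the same data stream with differing definitions: `container.name` and `host.architecture` reappear under the `container` and `host` groups in agent.yml (there with `ignore_above: 1024`), and `user.effective.id`, `user.effective.name`, `user.effective.group.id` and `user.effective.group.name` reappear in package-fields.yml without the `.text` `multi_fields` given here. Which definition ends up in the index template presumably depends on how the package tooling merges the files, so the `.text` sub-field on `user.effective.name` may or may not exist. Keep each field in exactly one file — drop the `user.effective.*` copies from package-fields.yml and the `container.name`/`host.architecture` entries from whichever file is not meant to own them.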
@@ -0,0 +1,185 @@ +- name: auditd.log + type: group + default_field: false + fields: + - name: old_auid + type: keyword + description: | + For login events this is the old audit ID used for the user prior to this login. + - name: new_auid + type: keyword + description: | + For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root). + - name: old_ses + type: keyword + description: | + For login events this is the old session ID used for the user prior to this login. + - name: new_ses + type: keyword + description: | + For login events this is the new session ID. It can be used to tie a user to future events by session ID. + - name: sequence + type: long + description: | + The audit event sequence number. + - name: items + type: keyword + description: | + The number of items in an event. + - name: item + type: keyword + description: | + The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item. + - name: tty + type: keyword + - name: a0 + type: keyword + description: | + The first argument to the system call. + - name: a0 + description: The first argument to the system call. 
+ type: keyword + - name: addr + type: ip + - name: rport + type: long + - name: laddr + type: ip + - name: lport + type: long + - name: entries + type: long + - name: audit_failure + type: keyword + - name: cipher + type: keyword + - name: data + type: keyword + - name: dev + type: keyword + - name: fe + type: keyword + - name: fi + type: keyword + - name: fp + type: keyword + - name: format + type: keyword + - name: default-context + type: keyword + - name: direction + type: keyword + - name: dst_prefixlen + type: long + - name: family + type: keyword + - name: fver + type: keyword + - name: gpg_res + type: keyword + - name: hostname + type: keyword + - name: id + type: keyword + - name: inode + type: keyword + - name: kernel + type: keyword + - name: key_enforce + type: boolean + - name: img-ctx + type: keyword + - name: kind + type: keyword + - name: ksize + type: long + - name: list + type: keyword + - name: major + type: keyword + - name: minor + type: keyword + - name: mode + type: keyword + - name: model + type: keyword + - name: name + type: keyword + - name: new-level + type: keyword + - name: new_pe + type: keyword + - name: new_pi + type: keyword + - name: new_pp + type: keyword + - name: old-level + type: keyword + - name: old_pe + type: keyword + - name: old_pi + type: keyword + - name: old_pp + type: keyword + - name: node + type: keyword + - name: obj + type: keyword + - name: objtype + type: keyword + - name: old + type: keyword + - name: op + type: keyword + - name: pfs + type: keyword + - name: proctitle + type: keyword + - name: rdev + type: keyword + - name: reason + type: keyword + - name: root_dir + type: keyword + - name: saddr + type: keyword + - name: selected-context + type: keyword + - name: ses + type: keyword + - name: spid + type: keyword + - name: src_prefixlen + type: long + - name: subj + type: keyword + - name: success + type: boolean + - name: sw + type: keyword + - name: sw_type + type: keyword + - name: syscall + type: keyword 
+ - name: table + type: keyword + - name: unit + type: keyword + - name: uuid + type: keyword + - name: ver + type: keyword + - name: virt + type: keyword + - name: vm + type: keyword + - name: vm-ctx + type: keyword + - name: geoip + type: group + - name: uid + type: keyword + - name: record_type + type: keyword + - name: reset + type: keyword diff --git a/packages/auditd/2.1.2/data_stream/log/fields/package-fields.yml b/packages/auditd/2.1.2/data_stream/log/fields/package-fields.yml new file mode 100755 index 0000000000..208d48ec1f --- /dev/null +++ b/packages/auditd/2.1.2/data_stream/log/fields/package-fields.yml 
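Review bot: `a0` is declared twice under `auditd.log` (once with a block-scalar description, then again with an inline one), which is a duplicate field definition; drop the second entry. `- name: geoip` is declared as a `group` with no `fields`, and nothing in the default.yml hunk above writes to `auditd.log.geoip` (the geoip processors target `source.geo` and `source.as`), so it looks like a leftover — confirm and remove. `addr` and `laddr` are mapped as `ip`, but auditd records can carry `addr=?` when the address is unknown, and the pipeline only moves `auditd.log.addr` to `source.address` when `source.address` is still null; a leftover `?` under an `ip` mapping will be rejected at index time unless `ignore_malformed` is set, so `keyword` (or a guarded convert) is the safer mapping.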
@@ -0,0 +1,104 @@ +- name: user + type: group + fields: + - name: terminal + type: keyword + description: | + Terminal or tty device on which the user is performing the observed activity. + - name: audit + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. + - name: effective + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. + - name: filesystem + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. + - name: owner + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. + - name: saved + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. 
+ - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. +- name: auditd + type: group diff --git a/packages/auditd/2.1.2/data_stream/log/manifest.yml b/packages/auditd/2.1.2/data_stream/log/manifest.yml new file mode 100755 index 0000000000..285926867f --- /dev/null +++ b/packages/auditd/2.1.2/data_stream/log/manifest.yml @@ -0,0 +1,41 @@ +type: logs +title: Auditd logs +streams: + - input: logfile + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/audit/audit.log* + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - auditd-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: log.yml.hbs + title: Auditd logs + description: Collect Auditd logs using log input diff --git a/packages/auditd/2.1.2/data_stream/log/sample_event.json b/packages/auditd/2.1.2/data_stream/log/sample_event.json new file mode 100755 index 0000000000..8c6a1b245e --- /dev/null +++ b/packages/auditd/2.1.2/data_stream/log/sample_event.json 
@@ -0,0 +1,70 @@ +{ + "@timestamp": "2016-01-03T00:37:51.394Z", + "agent": { + "ephemeral_id": "ef6d17d9-f955-48be-a4c5-6b4ea1fe9772", + "hostname": "docker-fleet-agent", + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "auditd": { + "log": { + "proctitle": "bash", + "sequence": 194438 + } + }, + "data_stream": { + "dataset": "auditd.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "proctitle", + "agent_id_status": "verified", + "dataset": "auditd.log", + "ingested": "2022-04-13T05:23:36Z", + "kind": "event" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "172.19.0.7" + ], + "mac": [ + "02:42:ac:13:00:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/audit.log" + }, + "offset": 1706 + }, + "tags": [ + "auditd-log" + ] +} \ No newline at end of file diff --git a/packages/auditd/2.1.2/docs/README.md b/packages/auditd/2.1.2/docs/README.md new file mode 100755 index 0000000000..4e8fef73d0 --- /dev/null +++ b/packages/auditd/2.1.2/docs/README.md 
@@ -0,0 +1,281 @@ +# Auditd Integration + +The Auditd integration collects and parses logs from the audit daemon (`auditd`). + +## Compatibility + +The integration was tested with logs from `auditd` on OSes like CentOS 6 and CentOS 7. + +This integration is not available for Windows. + +## Logs + +### Auditd log + +This is the Auditd `log` dataset. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2016-01-03T00:37:51.394Z", + "agent": { + "ephemeral_id": "ef6d17d9-f955-48be-a4c5-6b4ea1fe9772", + "hostname": "docker-fleet-agent", + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "auditd": { + "log": { + "proctitle": "bash", + "sequence": 194438 + } + }, + "data_stream": { + "dataset": "auditd.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "proctitle", + "agent_id_status": "verified", + "dataset": "auditd.log", + "ingested": "2022-04-13T05:23:36Z", + "kind": "event" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "172.19.0.7" + ], + "mac": [ + "02:42:ac:13:00:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/audit.log" + }, + "offset": 1706 + }, + "tags": [ + "auditd-log" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| auditd.log.a0 | The first argument to the system call. 
| keyword | +| auditd.log.addr | | ip | +| auditd.log.audit_failure | | keyword | +| auditd.log.cipher | | keyword | +| auditd.log.data | | keyword | +| auditd.log.default-context | | keyword | +| auditd.log.dev | | keyword | +| auditd.log.direction | | keyword | +| auditd.log.dst_prefixlen | | long | +| auditd.log.entries | | long | +| auditd.log.family | | keyword | +| auditd.log.fe | | keyword | +| auditd.log.fi | | keyword | +| auditd.log.format | | keyword | +| auditd.log.fp | | keyword | +| auditd.log.fver | | keyword | +| auditd.log.gpg_res | | keyword | +| auditd.log.hostname | | keyword | +| auditd.log.id | | keyword | +| auditd.log.img-ctx | | keyword | +| auditd.log.inode | | keyword | +| auditd.log.item | The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item. | keyword | +| auditd.log.items | The number of items in an event. | keyword | +| auditd.log.kernel | | keyword | +| auditd.log.key_enforce | | boolean | +| auditd.log.kind | | keyword | +| auditd.log.ksize | | long | +| auditd.log.laddr | | ip | +| auditd.log.list | | keyword | +| auditd.log.lport | | long | +| auditd.log.major | | keyword | +| auditd.log.minor | | keyword | +| auditd.log.mode | | keyword | +| auditd.log.model | | keyword | +| auditd.log.name | | keyword | +| auditd.log.new-level | | keyword | +| auditd.log.new_auid | For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root). | keyword | +| auditd.log.new_pe | | keyword | +| auditd.log.new_pi | | keyword | +| auditd.log.new_pp | | keyword | +| auditd.log.new_ses | For login events this is the new session ID. It can be used to tie a user to future events by session ID. 
| keyword | +| auditd.log.node | | keyword | +| auditd.log.obj | | keyword | +| auditd.log.objtype | | keyword | +| auditd.log.old | | keyword | +| auditd.log.old-level | | keyword | +| auditd.log.old_auid | For login events this is the old audit ID used for the user prior to this login. | keyword | +| auditd.log.old_pe | | keyword | +| auditd.log.old_pi | | keyword | +| auditd.log.old_pp | | keyword | +| auditd.log.old_ses | For login events this is the old session ID used for the user prior to this login. | keyword | +| auditd.log.op | | keyword | +| auditd.log.pfs | | keyword | +| auditd.log.proctitle | | keyword | +| auditd.log.rdev | | keyword | +| auditd.log.reason | | keyword | +| auditd.log.record_type | | keyword | +| auditd.log.reset | | keyword | +| auditd.log.root_dir | | keyword | +| auditd.log.rport | | long | +| auditd.log.saddr | | keyword | +| auditd.log.selected-context | | keyword | +| auditd.log.sequence | The audit event sequence number. | long | +| auditd.log.ses | | keyword | +| auditd.log.spid | | keyword | +| auditd.log.src_prefixlen | | long | +| auditd.log.subj | | keyword | +| auditd.log.success | | boolean | +| auditd.log.sw | | keyword | +| auditd.log.sw_type | | keyword | +| auditd.log.syscall | | keyword | +| auditd.log.table | | keyword | +| auditd.log.tty | | keyword | +| auditd.log.uid | | keyword | +| auditd.log.unit | | keyword | +| auditd.log.uuid | | keyword | +| auditd.log.ver | | keyword | +| auditd.log.virt | | keyword | +| auditd.log.vm | | keyword | +| auditd.log.vm-ctx | | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. 
| match_only_text | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.audit.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.audit.group.name | Name of the group. | keyword | +| user.audit.id | One or multiple unique identifiers of the user. | keyword | +| user.audit.name | Short name or login of the user. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.filesystem.group.id | Unique identifier for the group on the system/platform. 
| keyword | +| user.filesystem.group.name | Name of the group. | keyword | +| user.filesystem.id | One or multiple unique identifiers of the user. | keyword | +| user.filesystem.name | Short name or login of the user. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.owner.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.owner.group.name | Name of the group. | keyword | +| user.owner.id | One or multiple unique identifiers of the user. | keyword | +| user.owner.name | Short name or login of the user. | keyword | +| user.saved.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.saved.group.name | Name of the group. | keyword | +| user.saved.id | One or multiple unique identifiers of the user. | keyword | +| user.saved.name | Short name or login of the user. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user.terminal | Terminal or tty device on which the user is performing the observed activity. | keyword | + diff --git a/packages/auditd/2.1.2/img/kibana-audit-auditd.png b/packages/auditd/2.1.2/img/kibana-audit-auditd.png new file mode 100755 index 0000000000..732afa18dc Binary files /dev/null and b/packages/auditd/2.1.2/img/kibana-audit-auditd.png differ diff --git a/packages/auditd/2.1.2/img/linux.svg b/packages/auditd/2.1.2/img/linux.svg new file mode 100755 index 0000000000..c0a92e0c0f --- /dev/null 
+++ b/packages/auditd/2.1.2/img/linux.svg @@ -0,0 +1,1532 @@ + + + + Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + Tux + 20 June 2012 + + + Garrett LeSage + + + + + + Larry Ewing, the creator of the original Tux graphic + + + + + tux + Linux + penguin + logo + + + + + Larry Ewing, Garrett LeSage + + + https://github.com/garrett/Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/auditd/2.1.2/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json b/packages/auditd/2.1.2/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json new file mode 100755 index 0000000000..5876ec6437 --- /dev/null +++ b/packages/auditd/2.1.2/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json 
@@ -0,0 +1,54 @@
+{
+ "attributes": {
+ "description": "Dashboard for the Auditd Logs integration",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:auditd.log\"},\"version\":true}"
+ },
+ "optionsJSON": "{\"darkTheme\":false}",
+ "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":-43.580390855607845,\"lon\":102.65625},\"top_left\":{\"lat\":43.58039085560784,\"lon\":-102.3046875}},\"mapCollar\":{\"bottom_right\":{\"lat\":-87.16078,\"lon\":180},\"top_left\":{\"lat\":87.16078,\"lon\":-180},\"zoom\":2},\"mapZoom\":2},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"event.action\",\"auditd.log.sequence\",\"user.name\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]",
+ "timeRestore": false,
+ "title": "[Logs Auditd] Audit Events",
+ "version": 1
+ },
+ "id": "auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb",
+ "migrationVersion": {
+ "dashboard": "7.9.3"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858",
+ "name": "panel_0",
+ "type": "visualization"
+ },
+ {
+ "id": "auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858",
+ "name": "panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7",
+ "name": "panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "auditd-d1726930-0a7f-11e7-8b04-eb22a5669f27",
+ "name": "panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "auditd-c5411910-0a87-11e7-8b04-eb22a5669f27",
+ "name": "panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27",
+ "name": "panel_5",
+ "type": "search"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/auditd/2.1.2/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json b/packages/auditd/2.1.2/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json
new file mode 100755
index 0000000000..86bf5b3021
--- /dev/null
+++ b/packages/auditd/2.1.2/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json
@@ -0,0 +1,37 @@
+{
+ "attributes": {
+ "columns": [
+ "event.action",
+ "auditd.log.sequence",
+ "user.name"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:auditd.log\"},\"version\":true}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "Audit Events [Logs Auditd]",
+ "version": 1
+ },
+ "id": "auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/auditd/2.1.2/kibana/visualization/auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7.json b/packages/auditd/2.1.2/kibana/visualization/auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7.json
new file mode 100755
index 0000000000..97301fa364
--- /dev/null
+++ b/packages/auditd/2.1.2/kibana/visualization/auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{}"
+ },
+ "title": "Event Results [Logs Auditd]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"expression\":\".es(q=\\\"data_stream.dataset:auditd.log NOT event.outcome:failure\\\").label(\\\"Success\\\"), .es(q=\\\"event.outcome:failed\\\").label(\\\"Failure\\\").title(\\\"Audit Event Results\\\")\",\"interval\":\"auto\"},\"title\":\"Event Results [Logs Auditd]\",\"type\":\"timelion\"}"
+ },
+ "id": "auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7",
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/auditd/2.1.2/kibana/visualization/auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858.json b/packages/auditd/2.1.2/kibana/visualization/auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858.json
new file mode 100755
index 0000000000..d177a64903
--- /dev/null
+++ b/packages/auditd/2.1.2/kibana/visualization/auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858.json
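Review bot: The second timelion series in `visState` queries `event.outcome:failed`, while the first series excludes `event.outcome:failure`; the two spellings cannot both be right, and since ECS `event.outcome` uses `failure`, the "Failure" line will most likely plot nothing. The second series is also not scoped to `data_stream.dataset:auditd.log` as the first one is, so if the value did match it would count failures from every data stream on the index pattern. The expression should read `.es(q="data_stream.dataset:auditd.log AND event.outcome:failure").label("Failure")` (escaped as the surrounding JSON string requires). This is inferred from the query strings in the saved object; confirm against the values the ingest pipeline writes to `event.outcome`.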
@@ -0,0 +1,27 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.action:\\\"EXECVE\\\" or event.action:\\\"execve\\\"\"}}"
+ },
+ "title": "Top Exec Commands [Logs Auditd]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Command (arg 0)\",\"field\":\"auditd.log.a0\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Audit Top Exec Commands\",\"type\":\"table\"}"
+ },
+ "id": "auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858",
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/auditd/2.1.2/kibana/visualization/auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858.json b/packages/auditd/2.1.2/kibana/visualization/auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858.json
new file mode 100755
index 0000000000..60f17b3005
--- /dev/null
+++ b/packages/auditd/2.1.2/kibana/visualization/auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858.json
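Review bot: The `searchSourceJSON` query `event.action:"EXECVE" or event.action:"execve"` is not scoped to `data_stream.dataset:auditd.log`, and the same applies to the three sibling visualizations (auditd-6295bdd0, auditd-c5411910 and auditd-d1726930) whose query is empty; all of them read the `logs-*` index pattern, so opened outside the dashboard they aggregate over every logs-* data stream, and the pie, tag cloud and geo map in particular would then show users, actions and source locations that have nothing to do with auditd. Presumably the dashboard's own `data_stream.dataset:auditd.log` query is meant to supply the scope, but the saved objects are importable on their own. Prefixing each query with `data_stream.dataset:auditd.log and ` (or `data_stream.dataset:auditd.log` where it is empty) keeps them self-contained.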
@@ -0,0 +1,27 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Event types breakdown [Logs Auditd]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Audit Event Types\",\"type\":\"pie\"}"
+ },
+ "id": "auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858",
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/auditd/2.1.2/kibana/visualization/auditd-c5411910-0a87-11e7-8b04-eb22a5669f27.json b/packages/auditd/2.1.2/kibana/visualization/auditd-c5411910-0a87-11e7-8b04-eb22a5669f27.json
new file mode 100755
index 0000000000..781e18cede
--- /dev/null
+++ b/packages/auditd/2.1.2/kibana/visualization/auditd-c5411910-0a87-11e7-8b04-eb22a5669f27.json
@@ -0,0 +1,27 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Event Account Tag Cloud [Logs Auditd]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":42,\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"Audit Event Account Tag Cloud\",\"type\":\"tagcloud\"}"
+ },
+ "id": "auditd-c5411910-0a87-11e7-8b04-eb22a5669f27",
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/auditd/2.1.2/kibana/visualization/auditd-d1726930-0a7f-11e7-8b04-eb22a5669f27.json b/packages/auditd/2.1.2/kibana/visualization/auditd-d1726930-0a7f-11e7-8b04-eb22a5669f27.json
new file mode 100755
index 0000000000..71876608a7
--- /dev/null
+++ b/packages/auditd/2.1.2/kibana/visualization/auditd-d1726930-0a7f-11e7-8b04-eb22a5669f27.json
@@ -0,0 +1,27 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Event Address Geo Location [Logs Auditd]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Audit Event Address Geo Location\",\"type\":\"tile_map\"}"
+ },
+ "id": "auditd-d1726930-0a7f-11e7-8b04-eb22a5669f27",
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/auditd/2.1.2/manifest.yml b/packages/auditd/2.1.2/manifest.yml
new file mode 100755
index 0000000000..117a2af1f6
--- /dev/null
+++ b/packages/auditd/2.1.2/manifest.yml
@@ -0,0 +1,32 @@
+name: auditd
+title: Auditd
+version: 2.1.2
+release: ga
+description: Collect logs from Linux audit daemon with Elastic Agent.
+type: integration
+icons:
+  - src: /img/linux.svg
+    title: linux
+    size: 299x354
+    type: image/svg+xml
+format_version: 1.0.0
+license: basic
+categories:
+  - os_system
+conditions:
+  kibana.version: ^7.17.0 || ^8.0.0
+screenshots:
+  - src: /img/kibana-audit-auditd.png
+    title: Auditd Kibana Dashboard
+    size: 1230x997
+    type: image/png
+policy_templates:
+  - name: auditd
+    title: Auditd logs
+    description: Collect logs from Auditd instances
+    inputs:
+      - type: logfile
+        title: "Collect Auditd application logs (input: logfile)"
+        description: "Collecting application logs from Auditd instances (input: logfile)"
+owner:
+  github: elastic/security-external-integrations
diff --git a/packages/auth0/0.1.4/changelog.yml b/packages/auth0/0.1.4/changelog.yml
new file mode 100755
index 0000000000..ca8bbeb8d5
--- /dev/null
+++ b/packages/auth0/0.1.4/changelog.yml
@@ -0,0 +1,26 @@
+# newer versions go on top
+- version: "0.1.4"
+  changes:
+    - description: Update Readme
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3065
+- version: "0.1.3"
+  changes:
+    - description: Add documentation for multi-fields
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2916
+- version: "0.1.2"
+  changes:
+    - description: Fix documentation bug
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2761
+- version: "0.1.1"
+  changes:
+    - description: Update Auth0 logo image
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2749
+- version: "0.1.0"
+  changes:
+    - description: Initial commit
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2152
diff --git a/packages/auth0/0.1.4/data_stream/logs/agent/stream/http_endpoint.yml.hbs b/packages/auth0/0.1.4/data_stream/logs/agent/stream/http_endpoint.yml.hbs
new file mode 100755
index 0000000000..1203728f14
--- /dev/null
+++ b/packages/auth0/0.1.4/data_stream/logs/agent/stream/http_endpoint.yml.hbs
@@ -0,0 +1,41 @@
+type: http_endpoint
+enabled: true
+prefix: json
+
+{{#if listen_address}}
+listen_address: {{listen_address}}
+{{/if}}
+{{#if listen_port}}
+listen_port: {{listen_port}}
+{{/if}}
+{{#if url}}
+url: {{url}}
+{{/if}}
+
+{{#if secret_value}}
+secret.header: Authorization
+secret.value: "{{secret_value}}"
+{{/if}}
+
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+
+{{#if preserve_original_event}}
+preserve_original_event: true
+{{/if}}
+
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/auth0/0.1.4/data_stream/logs/elasticsearch/ingest_pipeline/default.yml b/packages/auth0/0.1.4/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..af1e5a307a
--- /dev/null
+++ b/packages/auth0/0.1.4/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
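Review bot: The `secret.header`/`secret.value` pair is rendered only inside `{{#if secret_value}}`, so a policy that leaves the secret blank produces an http_endpoint that accepts any POST from whoever can reach `listen_address`:`listen_port`, and nothing in the template marks that as a degraded configuration; `ssl` is optional in the same way, so the default rendering is an unauthenticated, plaintext listener for Auth0 tenant log data. Whether `secret_value` is declared required in the data stream manifest is not visible in this hunk; if it is not, making it required there is the real fix, and either way a comment above the block would help the next reader: `# Without secret_value this listener accepts unauthenticated requests; set ssl so the shared secret is not sent in clear.` Separately, `secret.value: "{{secret_value}}"` interpolates the secret into a double-quoted YAML scalar without escaping, so a secret containing `"` or `\` renders invalid YAML or an altered value; the other templated scalars here are unquoted, so the quoting presumably guards against type coercion, and a note on the accepted character set would be worth adding.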
@@ -0,0 +1,1105 @@ +--- +description: Pipeline for processing Auth0 log stream events +processors: +- set: + field: ecs.version + value: '1.12.0' +- set: + field: auth0.logs.data + copy_from: json.data +- date: + field: auth0.logs.data.date + formats: + - ISO8601 +- set: + field: log.level + value: info +- set: + field: log.level + value: error + if: ctx?.auth0?.logs?.data?.details?.error != null +- set: + field: source.ip + copy_from: auth0.logs.data.ip + if: ctx?.auth0?.logs?.data?.ip != null +# IP Geolocation Lookup +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: 'ctx.source?.geo == null && ctx?.source?.ip != null' +# IP Autonomous System (AS) Lookup +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: ctx?.source?.ip != null +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- set: + field: network.type + value: ipv6 + if: 'ctx.source?.ip != null && ctx.source?.ip.contains(":")' +- set: + field: network.type + value: ipv4 + if: 'ctx.network?.type == null && ctx.source?.ip != null' +- set: + field: user.name + copy_from: auth0.logs.data.user_name + if: 'ctx?.auth0?.logs?.data?.user_name != null' +- set: + field: user.id + copy_from: auth0.logs.data.user_id + if: 'ctx?.auth0?.logs?.data?.user_id != null' +- user_agent: + field: auth0.logs.data.user_agent + ignore_missing: true +- set: + field: event.id + copy_from: auth0.logs.data.log_id + if: 'ctx?.auth0?.logs?.data?.log_id != null' +## +# Event kind, code and action +## +- set: + field: event.kind + value: event +- append: + field: event.category + value: authentication +- script: + lang: painless + description: Sets event type, category and action based on type + if: ctx?.auth0?.logs?.data?.type != null + params: 
+ actions: + f: + classification: "Login - Failure" + value: "Failed login" + type: + - info + action: failed-login + fc: + classification: "Login - Failure" + value: "Failed connector login" + type: + - info + action: failed-connector-login + fco: + classification: "Login - Failure" + value: "Origin is not in the application's Allowed Origins list" + type: + - info + action: origin-not-allowed + fcoa: + classification: "Login - Failure" + value: "Failed cross-origin authentication" + type: + - info + action: failed-cross-origin-authentication + fens: + classification: "Login - Failure" + value: "Failed native social login" + type: + - info + action: failed-native-social-login + fp: + classification: "Login - Failure" + value: "Incorrect password" + type: + - info + action: incorrect-password + fu: + classification: "Login - Failure" + value: "Invalid email or username" + type: + - info + - indicator + category: + - threat + action: invalid-username-or-email + w: + classification: "Login - Notification" + value: "Warnings during login" + type: + - info + - indicator + category: + - threat + action: warnings-during-login + s: + classification: "Login - Success" + value: "Successful login" + type: + - info + - start + category: + - session + action: successful-login + scoa: + classification: "Login - Success" + value: "Successful cross-origin authentication" + type: + - info + - start + category: + - session + action: successful-cross-origin-authentication + sens: + classification: "Login - Success" + value: "Successful native social login" + type: + - info + - start + category: + - session + action: successful-native-social-login + flo: + classification: "Logout - Failure" + value: "User logout failed" + type: + - info + category: + - session + action: user-logout-failed + slo: + classification: "Logout - Success" + value: "User successfully logged out" + type: + - info + - end + category: + - session + action: user-logout-successful + fs: + classification: "Signup 
- Failure" + value: "User signup failed" + type: + - info + - creation + - user + category: + - iam + action: user-signup-failed + fsa: + classification: "Silent Authentication - Failure" + value: "Failed silent authentication" + type: + - info + - indicator + category: + - threat + action: failed-silent-authentication + ssa: + classification: "Silent Authentication - Success" + value: "Successful silent authentication" + type: + - info + action: successful-silent-authentication + feacft: + classification: "Token Exchange - Failure" + value: "Failed exchange of Authorization Code for Access Token" + type: + - info + - protocol + - error + category: + - network + - web + action: failed-exchange-auth-code-for-access-token + feccft: + classification: "Token Exchange - Failure" + value: "Failed exchange of Access Token for a Client Credentials Grant" + type: + - info + - protocol + - error + category: + - network + - web + action: failed-exchange-access-token-for-client-cred-grant + fede: + classification: "Token Exchange - Failure" + value: "Failed exchange of Device Code for Access Token" + type: + - info + - protocol + - error + category: + - network + - web + action: failed-exchange-device-code-for-access-token + feoobft: + classification: "Token Exchange - Failure" + value: "Failed exchange of Password and OOB Challenge for Access Token" + type: + - info + - protocol + - error + category: + - network + - web + action: failed-exchange-password-oob-challenge-for-access-token + feotpft: + classification: "Token Exchange - Failure" + value: "Failed exchange of Password and OTP Challenge for Access Token" + type: + - info + - protocol + - error + category: + - network + - web + action: failed-exchange-password-otp-challenge-for-access-token + fepft: + classification: "Token Exchange - Failure" + value: "Failed exchange of Password for Access Token" + type: + - info + - protocol + - error + category: + - network + - web + action: 
failed-exchange-password-for-access-token + fepotpft: + classification: "Token Exchange - Failure" + value: "Failed exchange of Passwordless OTP for Access Token" + type: + - info + - protocol + - error + category: + - network + - web + action: failed-exchange-passwordless-otp-for-access-token + fercft: + classification: "Token Exchange - Failure" + value: "Failed exchange of Password and MFA Recovery code for Access Token" + type: + - info + - protocol + - error + category: + - network + - web + action: failed-exchange-password-mfa-recovery-code-for-access-token + ferrt: + classification: "Token Exchange - Failure" + value: "Failed exchange of Rotating Refresh Token" + type: + - info + - protocol + - error + category: + - network + - web + action: failed-exchange-rotating-refresh-token + fertft: + classification: "Token Exchange - Failure" + value: "Failed exchange of Refresh Token for Access Token" + type: + - info + - protocol + - error + category: + - network + - web + action: failed-exchange-refresh-token-for-access-token + seacft: + classification: "Token Exchange - Success" + value: "Successful exchange of Authorization Code for Access Token" + type: + - info + - protocol + - access + category: + - network + - web + action: success-exchange-auth-code-for-access-token + seccft: + classification: "Token Exchange - Success" + value: "Successful exchange of Access Token for a Client Credentials Grant" + type: + - info + - protocol + - access + category: + - network + - web + action: success-exchange-access-token-for-client-cred-grant + sede: + classification: "Token Exchange - Success" + value: "Successful exchange of Device Code for Access Token" + type: + - info + - protocol + - access + category: + - network + - web + action: success-exchange-device-code-for-access-token + seoobft: + classification: "Token Exchange - Success" + value: "Successful exchange of Password and OOB Challenge for Access Token" + type: + - info + - protocol + - access + category: + - 
network + - web + action: success-exchange-password-oob-challange-for-access-token + seotpft: + classification: "Token Exchange - Success" + value: "Successful exchange of Password and OTP Challenge for Access Token" + type: + - info + - protocol + - access + category: + - network + - web + action: success-exchange-password-otp-challenge-for-access-token + sepft: + classification: "Token Exchange - Success" + value: "Successful exchange of Password for Access Token" + type: + - info + - protocol + - access + category: + - network + - web + action: success-exchange-password-for-access-token + sercft: + classification: "Token Exchange - Success" + value: "Successful exchange of Password and MFA Recovery code for Access Token" + type: + - info + - protocol + - access + category: + - network + - web + action: success-exchange-mfa-recovery-code-for-access-token + sertft: + classification: "Token Exchange - Success" + value: "Successful exchange of Refresh Token for Access Token" + type: + - info + - protocol + - access + category: + - network + - web + action: success-exchange-refresh-token-for-access-token + fapi: + classification: "Management API - Failure" + value: "Failed Management API operation" + type: + - info + - error + category: + - web + action: failed-mgmt-api-operation + sapi: + classification: "Management API - Success" + value: "Successful Management API operation" + type: + - info + - access + - change + category: + - web + - iam + action: success-mgmt-api-op + mgmt_api_read: + classification: "Management API - Success" + value: "API GET operation returning secrets completed successfully" + type: + - info + - access + category: + - web + - iam + action: success-mgmt-api-op-secrets-returned + admin_update_launch: + classification: "System - Notification" + value: "Auth0 Update Launched" + type: + - change + category: + - configuration + action: auth0-update-launched + api_limit: + classification: "System - Notification" + value: "The maximum number of 
requests to the Authentication or Management APIs in given time has reached" + type: + - info + - access + category: + - network + action: max-requests-reached + coff: + classification: "System - Notification" + value: "AD/LDAP Connector is offline" + type: + - error + - connection + category: + - network + - web + action: ad-ldap-connector-offline + con: + classification: "System - Notification" + value: "AD/LDAP Connector is online and working" + type: + - info + - connection + category: + - network + action: ad-ldap-connector-online + depnote: + classification: "System - Notification" + value: "Deprecation Notice" + type: + - info + action: deprecation-notice + fcpro: + classification: "System - Notification" + value: "Failed to provision a AD/LDAP connector" + type: + - info + - connection + - error + category: + - network + action: failed-ad-ldap-provision + fui: + classification: "System - Notification" + value: "Failed to import users" + type: + - info + - user + - error + category: + - iam + - web + action: failed-to-import-users + limit_delegation: + classification: "System - Notification" + value: "Rate limit exceeded to /delegation endpoint" + type: + - info + - access + category: + - network + action: rate-limit-exceeded-to-delegation-endpoint + limit_mu: + classification: "System - Notification" + value: "An IP address is blocked with 100 failed login attempts using different usernames" + type: + - indicator + - info + category: + - threat + - intrusion_detection + action: hundred-failed-logins-ip-address-blocked + limit_wc: + classification: "System - Notification" + value: "An IP address is blocked with 10 failed login attempts into a single account from the same IP address" + type: + - indicator + - info + category: + - threat + - intrusion_detection + action: ten-failed-logins-ip-address-blocked + sys_os_update_start: + classification: "System - Notification" + value: "Auth0 OS Update Started" + type: + - change + - start + - installation + 
category: + - configuration + - package + action: auth0-os-update-started + sys_os_update_end: + classification: "System - Notification" + value: "Auth0 OS Update Ended" + type: + - change + - end + - installation + category: + - configuration + - package + action: auth0-os-update-ended + sys_update_start: + classification: "System - Notification" + value: "Auth0 Update Started" + type: + - change + - start + - installation + category: + - configuration + - package + action: auth0-update-started + sys_update_end: + classification: "System - Notification" + value: "Auth0 Update Ended" + type: + - change + - end + - installation + category: + - configuration + - package + action: auth0-update-ended + fce: + classification: "User/Behavioral - Failure" + value: "Failed to change user email" + type: + - change + - user + category: + - iam + action: failed-to-change-user-email + fcp: + classification: "User/Behavioral - Failure" + value: "Failed to change password" + type: + - change + - user + category: + - iam + action: failed-to-change-password + fcpn: + classification: "User/Behavioral - Failure" + value: "Failed to change phone number" + type: + - change + - user + category: + - iam + action: failed-to-change-phone-number + fcpr: + classification: "User/Behavioral - Failure" + value: "Failed change password request" + type: + - change + - user + category: + - iam + action: failed-change-password-request + fcu: + classification: "User/Behavioral - Failure" + value: "Failed to change username" + type: + - change + - user + category: + - iam + action: failed-to-change-username + fd: + classification: "User/Behavioral - Failure" + value: "Failed to generate delegation token" + type: + - info + - user + category: + - iam + action: failed-to-generate-delegation-token + fdeaz: + classification: "User/Behavioral - Failure" + value: "Device authorization request failed" + type: + - info + - user + category: + - iam + action: failed-device-authorization-request + fdecc: + 
classification: "User/Behavioral - Failure" + value: "User did not confirm device" + type: + - info + action: user-device-not-confirmed + fdu: + classification: "User/Behavioral - Failure" + value: "Failed user deletion" + type: + - deletion + - user + category: + - iam + action: failed-user-deletion + fn: + classification: "User/Behavioral - Failure" + value: "Failed to send email notification" + type: + - info + action: failed-to-send-email-notification + fv: + classification: "User/Behavioral - Failure" + value: "Failed to send verification email" + type: + - info + action: failed-to-send-verification-email + fvr: + classification: "User/Behavioral - Failure" + value: "Failed to process verification email request" + type: + - info + action: failed-to-process-verification-email + cs: + classification: "User/Behavioral - Notification" + value: "Passwordless login code has been sent" + type: + - info + action: passwordless-login-code-sent + du: + classification: "User/Behavioral - Notification" + value: "User has been deleted" + type: + - info + - user + - deletion + category: + - iam + action: user-deleted + gd_enrollment_complete: + classification: "User/Behavioral - Notification" + value: "A first time MFA user has successfully enrolled using one of the factors" + type: + - info + - change + - end + category: + - iam + - session + action: mfa-enrollment-completed + gd_start_enroll: + classification: "User/Behavioral - Notification" + value: "Multi-factor authentication enroll has started" + type: + - info + - change + - start + category: + - iam + - session + action: mfa-enrollment-started + gd_unenroll: + classification: "User/Behavioral - Notification" + value: "Device used for second factor authentication has been unenrolled" + type: + - info + - deletion + category: + - iam + action: mfa-device-unenrolled + gd_update_device_account: + classification: "User/Behavioral - Notification" + value: "Device used for second factor authentication has been updated" + 
type: + - info + - change + category: + - iam + action: mfa-device-updated + ublkdu: + classification: "User/Behavioral - Notification" + value: "User block setup by anomaly detection has been released" + type: + - info + action: user-login-block-released + sce: + classification: "User/Behavioral - Success" + value: "Successfully changed user email" + type: + - info + - change + - user + category: + - iam + action: user-email-changed-successfully + scp: + classification: "User/Behavioral - Success" + value: "Successfully changed password" + type: + - info + - change + - user + category: + - iam + action: user-password-changed-successfully + scpn: + classification: "User/Behavioral - Success" + value: "Successfully changed phone number" + type: + - info + - change + - user + category: + - iam + action: user-phone-number-changed-successfully + scpr: + classification: "User/Behavioral - Success" + value: "Successful change password request" + type: + - info + - change + - user + category: + - iam + action: user-password-change-request-successful + scu: + classification: "User/Behavioral - Success" + value: "Successfully changed username" + type: + - info + - change + - user + category: + - iam + action: username-changed-successfully + sdu: + classification: "User/Behavioral - Success" + value: "User successfully deleted" + type: + - info + - deletion + category: + - iam + action: user-deleted-successfully + srrt: + classification: "User/Behavioral - Success" + value: "Successfully revoked a Refresh Token" + type: + - info + - deletion + category: + - iam + action: revoked-refresh-token-successfully + sui: + classification: "User/Behavioral - Success" + value: "Successfully imported users" + type: + - info + - user + category: + - iam + action: imported-users-successfully + sv: + classification: "User/Behavioral - Success" + value: "Sent verification email" + type: + - info + - user + category: + - iam + action: sent-verification-email + svr: + classification: 
"User/Behavioral - Success" + value: "Successfully processed verification email request" + type: + - info + - user + category: + - iam + action: email-verification-processed-successfully + fcph: + classification: "Other" + value: "Failed Post Change Password Hook" + type: + - change + - user + category: + - iam + action: failed-post-change-password-hook + fdeac: + classification: "Other" + value: "Failed to activate device" + type: + - info + action: failed-to-activate-device + fi: + classification: "Other" + value: "Failed to accept a user invitation. This could happen if the user accepts an invitation using a different email address than provided in the invitation, or due to a system failure while provisioning the invitation." + type: + - info + action: failed-to-accept-user-invitation + gd_auth_failed: + classification: "Other" + value: "Multi-factor authentication failed. This could happen due to a wrong code entered for SMS/Voice/Email/TOTP factors, or a system failure." + type: + - info + action: mfa-authentication-failed-wrong-code + gd_auth_rejected: + classification: "Other" + value: "A user rejected a Multi-factor authentication request via push-notification." + type: + - info + action: user-rejected-mfa-request + gd_auth_succeed: + classification: "Other" + value: "Multi-factor authentication success." + type: + - info + action: mfa-authentication-succeeded + gd_otp_rate_limit_exceed: + classification: "Other" + value: "A user, during enrollment or authentication, enters an incorrect code more than the maximum allowed number of times. Ex: A user enrolling in SMS enters the 6-digit code wrong more than 10 times in a row." + type: + - info + - indicator + category: + - threat + action: user-entered-too-many-incorrect-codes + gd_recovery_failed: + classification: "Other" + value: "A user enters a wrong recovery code when attempting to authenticate." 
+ type: + - info + action: user-entered-wrong-recovery-code + gd_recovery_rate_limit_exceed: + classification: "Other" + value: "A user enters a wrong recovery code too many times." + type: + - info + - indicator + category: + - threat + action: user-entered-too-many-wrong-codes + gd_recovery_succeed: + classification: "Other" + value: "A user successfully authenticates with a recovery code" + type: + - info + action: recovery-succeeded + gd_send_pn: + classification: "Other" + value: "Push notification for MFA sent successfully sent." + type: + - info + action: push-notification-sent + gd_send_sms: + classification: "Other" + value: "SMS for MFA successfully sent." + type: + - info + action: sms-sent + gd_send_sms_failure: + classification: "Other" + value: "Attempt to send SMS for MFA failed." + type: + - info + action: failed-to-send-sms + gd_send_voice: + classification: "Other" + value: "Voice call for MFA successfully made." + type: + - info + action: voice-call-made + gd_send_voice_failure: + classification: "Other" + value: "Attempt to make Voice call for MFA failed." + type: + - info + action: voice-call-failure + gd_start_auth: + classification: "Other" + value: "Second factor authentication event started for MFA." + type: + - info + action: 2fa-auth-event-started + gd_tenant_update: + classification: "Other" + value: "Guardian tenant update" + type: + - info + action: guardian-tenant-update + limit_sul: + classification: "Other" + value: "A user is temporarily prevented from logging in because more than 20 logins per minute occurred from the same IP address" + type: + - info + - indicator + category: + - threat + action: user-blocked-too-many-failed-logins-from-same-ip + mfar: + classification: "Other" + value: "A user has been prompted for multi-factor authentication (MFA). When using Adaptive MFA, Auth0 includes details about the risk assessment." 
+ type: + - info + action: user-prompted-for-mfa + pla: + classification: "Other" + value: "This log is generated before a login and helps in monitoring the behavior of bot detection without having to enable it." + type: + - info + action: pre-login-assessment + pwd_leak: + classification: "Other" + value: "Someone behind the IP address attempted to login with a leaked password." + type: + - info + category: + - intrusion_detection + action: login-with-breached-password + scph: + classification: "Other" + value: "Success Post Change Password Hook" + type: + - info + action: success-post-change-password-hook + sd: + classification: "Other" + value: "Success delegation" + type: + - info + action: success-delegation + si: + classification: "Other" + value: "Successfully accepted a user invitation" + type: + - info + action: successfully-accepted-user-invitation + ss: + classification: "Other" + value: "Success Signup" + type: + - info + action: success-signup + source: |- + def eventType = ctx.auth0.logs.data.type; + def actions = params.get('actions'); + def actionData = actions.get(eventType); + if (actionData == null) { + ctx.event.action = 'unknown-' + eventType; + ctx.event.type = ['info']; + return; + } + // overwrite type abbreviation with actual value + def eventTypeVal = actionData.get('value'); + if (eventTypeVal != null) { + ctx.auth0.logs.data.type = eventTypeVal; + } + // event.type + def actionType = actionData.get('type'); + if (actionType != null) { + ctx.event.type = new ArrayList(actionType); + } + // event.category + def actionCategory = actionData.get('category'); + if (actionCategory != null) { + for (def c : actionCategory) { + ctx.event.category.add(c); + } + } + // event.action + def action = actionData.get('action'); + if (action != null) { + ctx.event.action = action; + } + // auth0 event category / classification group + def classification = actionData.get('classification'); + if (classification != null) { + 
ctx.auth0.logs.data.classification = classification; + } + // event.outcome + if (classification.toLowerCase().contains("success")) { + ctx.event.outcome = "success"; + } else if (classification.toLowerCase().contains("failure")) { + ctx.event.outcome = "failure"; + } else { + ctx.event.outcome = "unknown"; + } +- date: + if: ctx?.auth0?.logs?.data?.details?.initiatedAt != null + field: auth0.logs.data.details.initiatedAt + target_field: auth0.logs.data.login.initiatedAt + formats: + - UNIX_MS +- date: + if: ctx?.auth0?.logs?.data?.details?.completedAt != null + field: auth0.logs.data.details.completedAt + target_field: auth0.logs.data.login.completedAt + formats: + - UNIX_MS +- convert: + if: ctx?.auth0?.logs?.data?.details?.elapsedTime != null + field: auth0.logs.data.details.elapsedTime + target_field: auth0.logs.data.login.elapsedTime + type: long + ignore_missing: true +- convert: + if: "ctx.auth0.logs.data.type == 'Successful login'" + field: auth0.logs.data.details.stats.loginsCount + target_field: auth0.logs.data.login.stats.loginsCount + type: long + ignore_missing: true +## +# Clean up +## +- remove: + field: + - json + - auth0.logs.data.ip + - auth0.logs.data.user_name + - auth0.logs.data.user_id + - auth0.logs.data.user_agent + - auth0.logs.data.log_id + ignore_missing: true +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/auth0/0.1.4/data_stream/logs/fields/agent.yml b/packages/auth0/0.1.4/data_stream/logs/fields/agent.yml new file mode 100755 index 0000000000..b4f84cf84a --- /dev/null +++ b/packages/auth0/0.1.4/data_stream/logs/fields/agent.yml @@ -0,0 +1,3 @@ +- name: input.type + type: keyword + description: Input type. diff --git a/packages/auth0/0.1.4/data_stream/logs/fields/base-fields.yml b/packages/auth0/0.1.4/data_stream/logs/fields/base-fields.yml new file mode 100755 index 0000000000..bc27cfd1c1 --- /dev/null +++ b/packages/auth0/0.1.4/data_stream/logs/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event timestamp. + value: auth0 +- name: event.dataset + type: constant_keyword + description: Event timestamp. + value: auth0.logs 
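Review bot: The `on_failure` handler at the end of the pipeline only records `error.message`; because `event.kind: event` and `event.category: [authentication]` are set near the top, a document that fails part-way (for example at the unguarded `date` on `auth0.logs.data.date`) is still indexed as a normal-looking authentication event with `source.ip`, `user.name` or `event.outcome` possibly missing, and detection rules keyed on those fields may silently count or skip it. Add `- set: {field: event.kind, value: pipeline_error}` to `on_failure` so failed documents can be filtered and monitored. In the classification script, `classification.toLowerCase()` is called right after the `if (classification != null)` guard; every entry in `params.actions` carries a classification today, but the guard should either cover the outcome derivation or be dropped, not contradict the line below it. The unknown-type branch also returns without setting `event.outcome`, so those events are neither success, failure nor `unknown`, unlike every mapped type.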
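Review bot: In base-fields.yml the descriptions of `event.module` and `event.dataset` both read `Event timestamp.`, copied from the `@timestamp` entry above them, and the generated field documentation will inherit the error. `description: Event module.` and `description: Event dataset.` match what the `constant_keyword` values `auth0` and `auth0.logs` express.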
diff --git a/packages/auth0/0.1.4/data_stream/logs/fields/ecs.yml b/packages/auth0/0.1.4/data_stream/logs/fields/ecs.yml
new file mode 100755
index 0000000000..b2d6d71186
--- /dev/null
+++ b/packages/auth0/0.1.4/data_stream/logs/fields/ecs.yml
@@ -0,0 +1,298 @@ +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. 
+ This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
+ name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + name: network.type + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. 
+ name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: user_agent.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: user_agent.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: user_agent.os.platform + type: keyword +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
+ One of these following values should be used (lowercase): linux, macos, unix, windows. + If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + name: user_agent.os.type + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/auth0/0.1.4/data_stream/logs/fields/fields.yml b/packages/auth0/0.1.4/data_stream/logs/fields/fields.yml new file mode 100755 index 0000000000..fc2da86b51 --- /dev/null +++ b/packages/auth0/0.1.4/data_stream/logs/fields/fields.yml 
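Review bot: `source.geo.location` appears to be the only entry in ecs.yml that carries a `level: core` key; every other field definition in the file lists just `description`, `name`, `type` and, where relevant, `multi_fields` or index options. It reads like a leftover from the ECS source it was copied from rather than something the package uses, so dropping the `level: core` line would keep the file consistent — worth confirming against the other data streams in the repository before removing it.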
@@ -0,0 +1,126 @@
+- name: auth0
+ type: group
+ description: Fields for Auth0 events.
+ fields:
+ - name: logs
+ type: group
+ description: Fields for Auth0 log events.
+ fields:
+ - name: log_id
+ type: keyword
+ description: Unique log event identifier
+ - name: data
+ type: group
+ description: log stream event data
+ fields:
+ - name: log_id
+ type: keyword
+ description: Unique log event identifier
+ - name: date
+ type: date
+ description: Date when the event occurred in ISO 8601 format.
+ - name: type
+ type: keyword
+ description: Type of event.
+ - name: description
+ type: text
+ description: Description of this event.
+ - name: connection
+ type: keyword
+ description: Name of the connection the event relates to.
+ - name: connection_id
+ type: keyword
+ description: ID of the connection the event relates to.
+ - name: client_id
+ type: keyword
+ description: ID of the client (application).
+ - name: client_name
+ type: keyword
+ description: Name of the client (application).
+ - name: ip
+ type: ip
+ description: IP address of the log event source.
+ - name: hostname
+ type: keyword
+ description: Hostname the event applies to.
+ - name: user_id
+ type: keyword
+ description: ID of the user involved in the event.
+ - name: user_name
+ type: keyword
+ description: Name of the user involved in the event.
+ - name: audience
+ type: keyword
+ description: API audience the event applies to.
+ - name: scope
+ type: keyword
+ description: Scope permissions applied to the event.
+ - name: strategy
+ type: keyword
+ description: Name of the strategy involved in the event.
+ - name: strategy_type
+ type: keyword
+ description: Type of strategy involved in the event.
+ - name: log_id
+ type: keyword
+ description: Unique ID of the event.
+ - name: is_mobile
+ type: boolean
+ description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
+ - name: classification
+ type: keyword
+ description: Log stream filters
+ - name: details
+ type: flattened
+ description: Additional useful details about this event (values here depend upon event type).
+ - name: login
+ type: group
+ description: Filtered fields for login type
+ fields:
+ - name: initiatedAt
+ type: date
+ description: Time at which the operation was initiated
+ - name: completedAt
+ type: date
+ description: Time at which the operation was completed
+ - name: elapsedTime
+ type: long
+ description: Number of milliseconds the operation took to complete.
+ - name: stats
+ type: group
+ description: login stats
+ fields:
+ - name: loginsCount
+ type: long
+ description: Total number of logins performed by the user
+ - name: user_agent
+ type: text
+ description: User agent string from the client device that caused the event.
+ - name: location_info
+ type: group
+ description: Information about the location that triggered this event based on the IP.
+ fields:
+ - name: country_code
+ type: keyword
+ description: Two-letter [Alpha-2 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code
+ - name: country_code3
+ type: keyword
+ description: Three-letter [Alpha-3 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code
+ - name: country_name
+ type: keyword
+ description: Full country name in English.
+ - name: city_name
+ type: keyword
+ description: Full city name in English.
+ - name: latitude
+ type: keyword
+ description: Global latitude (horizontal) position.
+ - name: longitude
+ type: keyword
+ description: Global longitude (vertical) position.
+ - name: time_zone
+ type: keyword
+ description: Time zone name as found in the [tz database](https://www.iana.org/time-zones).
+ - name: continent_code
+ type: keyword
+ description: Continent the country is located within. Can be AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America).
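Review bot: `log_id` is defined twice inside what appears to be the `data` group of fields.yml — once near the top of the group with `description: Unique log event identifier` and again immediately before `is_mobile` with `description: Unique ID of the event.` (the collapsed indentation in this view makes the exact nesting hard to confirm, but both sit between `data` and `is_mobile`). Two definitions of the same field path either fail the package build or silently keep only the last description, so the second entry should be dropped. Separately, `location_info.latitude` and `location_info.longitude` are mapped as `keyword`; if Auth0 delivers them as numeric coordinates, a numeric type or a combined `geo_point` would allow map and range use, though that is a design choice rather than a defect.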
diff --git a/packages/auth0/0.1.4/data_stream/logs/manifest.yml b/packages/auth0/0.1.4/data_stream/logs/manifest.yml new file mode 100755 index 0000000000..0e7b6a206d --- /dev/null +++ b/packages/auth0/0.1.4/data_stream/logs/manifest.yml 
@@ -0,0 +1,74 @@
+title: "Auth0 logs via Webhooks"
+type: logs
+streams:
+ - input: http_endpoint
+ title: Auth0 log events
+ description: Receives log events from Auth0
+ template_path: http_endpoint.yml.hbs
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ multi: false
+ required: true
+ show_user: true
+ default: 8383
+ - name: url
+ type: text
+ title: Webhook path
+ description: URL path where the webhook will accept requests.
+ multi: false
+ required: true
+ show_user: false
+ default: /auth0/logs
+ - name: secret_value
+ type: text
+ description: Authorization token
+ multi: false
+ required: false
+ show_user: true
+ - name: ssl
+ type: yaml
+ title: TLS
+ description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ enabled: false
+ certificate: "/etc/pki/client/cert.pem"
+ key: "/etc/pki/client/cert.key"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - auth0-logstream
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/auth0/0.1.4/data_stream/logs/sample_event.json b/packages/auth0/0.1.4/data_stream/logs/sample_event.json new file mode 100755 index 0000000000..02d4e4c023 --- /dev/null +++ b/packages/auth0/0.1.4/data_stream/logs/sample_event.json 
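Review bot: `secret_value` in manifest.yml is declared `required: false`, yet the README added in this same commit states it must match the Authorization Token configured on the Auth0 custom webhook; if the value is left empty, the listener presumably accepts any POST to the webhook path without checking who sent it, so an unauthenticated client on the network could inject events into `auth0.logs`. Consider `required: true`, adding `title: Secret value` (the var currently has no `title`, unlike its neighbours, so the UI falls back to the raw name), and a description along the lines of `Token Auth0 sends in the Authorization header; requests that do not carry it are rejected.` Where the package's format version supports it, `type: password` would also keep the value masked in Fleet instead of `type: text`. `listen_port` is likewise missing a `description` line.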
@@ -0,0 +1,156 @@ +{ + "@timestamp": "2021-11-03T03:25:28.923Z", + "agent": { + "ephemeral_id": "3c2232a0-df0e-48e0-8440-96d5500ce25c", + "hostname": "docker-fleet-agent", + "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "auth0": { + "logs": { + "data": { + "classification": "Login - Success", + "client_id": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB", + "client_name": "Default App", + "connection": "Username-Password-Authentication", + "connection_id": "con_1a5wCUmAs6VOU17n", + "date": "2021-11-03T03:25:28.923Z", + "details": { + "completedAt": 1635909928922, + "elapsedTime": 1110091, + "initiatedAt": 1635908818831, + "prompts": [ + { + "completedAt": 1635909903693, + "connection": "Username-Password-Authentication", + "connection_id": "con_1a5wCUmAs6VOU17n", + "identity": "6182002f34f4dd006b05b5c7", + "name": "prompt-authenticate", + "stats": { + "loginsCount": 1 + }, + "strategy": "auth0" + }, + { + "completedAt": 1635909903745, + "elapsedTime": 1084902, + "flow": "universal-login", + "initiatedAt": 1635908818843, + "name": "login", + "timers": { + "rules": 5 + }, + "user_id": "auth0|6182002f34f4dd006b05b5c7", + "user_name": "neo@test.com" + }, + { + "completedAt": 1635909928352, + "elapsedTime": 23378, + "flow": "consent", + "grantInfo": { + "audience": "https://dev-yoj8axza.au.auth0.com/userinfo", + "id": "618201284369c9b4f9cd6d52", + "scope": "openid profile" + }, + "initiatedAt": 1635909904974, + "name": "consent" + } + ], + "session_id": "1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc", + "stats": { + "loginsCount": 1 + } + }, + "hostname": "dev-yoj8axza.au.auth0.com", + "login": { + "completedAt": "2021-11-03T03:25:28.922Z", + "elapsedTime": 1110091, + "initiatedAt": "2021-11-03T03:06:58.831Z", + "stats": { + "loginsCount": 1 + } + }, + "strategy": "auth0", + "strategy_type": "database", + "type": "Successful login" + } + } + }, + "data_stream": { + "dataset": "auth0.logs", + "namespace": "ep", + 
"type": "logs" + }, + "ecs": { + "version": "1.12.0" + }, + "elastic_agent": { + "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "action": "successful-login", + "agent_id_status": "verified", + "category": [ + "authentication", + "session" + ], + "dataset": "auth0.logs", + "id": "90020211103032530111223343147286033102509916061341581378", + "ingested": "2022-01-20T05:57:05Z", + "kind": "event", + "original": "{\"data\":{\"client_id\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\",\"client_name\":\"Default App\",\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"date\":\"2021-11-03T03:25:28.923Z\",\"details\":{\"completedAt\":1635909928922,\"elapsedTime\":1110091,\"initiatedAt\":1635908818831,\"prompts\":[{\"completedAt\":1635909903693,\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"elapsedTime\":null,\"identity\":\"6182002f34f4dd006b05b5c7\",\"name\":\"prompt-authenticate\",\"stats\":{\"loginsCount\":1},\"strategy\":\"auth0\"},{\"completedAt\":1635909903745,\"elapsedTime\":1084902,\"flow\":\"universal-login\",\"initiatedAt\":1635908818843,\"name\":\"login\",\"timers\":{\"rules\":5},\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},{\"completedAt\":1635909928352,\"elapsedTime\":23378,\"flow\":\"consent\",\"grantInfo\":{\"audience\":\"https://dev-yoj8axza.au.auth0.com/userinfo\",\"expiration\":null,\"id\":\"618201284369c9b4f9cd6d52\",\"scope\":\"openid profile\"},\"initiatedAt\":1635909904974,\"name\":\"consent\"}],\"session_id\":\"1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc\",\"stats\":{\"loginsCount\":1}},\"hostname\":\"dev-yoj8axza.au.auth0.com\",\"ip\":\"81.2.69.143\",\"log_id\":\"90020211103032530111223343147286033102509916061341581378\",\"strategy\":\"auth0\",\"strategy_type\":\"database\",\"type\":\"s\",\"user_agent\":\"Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 
Firefox/93.0\",\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},\"log_id\":\"90020211103032530111223343147286033102509916061341581378\"}", + "outcome": "success", + "type": [ + "info", + "start" + ] + }, + "input": { + "type": "http_endpoint" + }, + "log": { + "level": "info" + }, + "network": { + "type": "ipv4" + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "auth0-logstream" + ], + "user": { + "id": "auth0|6182002f34f4dd006b05b5c7", + "name": "neo@test.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0", + "os": { + "name": "Ubuntu" + }, + "version": "93.0." + } +} \ No newline at end of file diff --git a/packages/auth0/0.1.4/docs/README.md b/packages/auth0/0.1.4/docs/README.md new file mode 100755 index 0000000000..a40c20f6ac --- /dev/null +++ b/packages/auth0/0.1.4/docs/README.md 
@@ -0,0 +1,330 @@
+# Auth0 Log Streams Integration
+
+Auth0 offers integrations that push log events via log streams to Elasticsearch. The [Auth0 Log Streams](https://auth0.com/docs/customize/log-streams) integration package creates a HTTP listener that accepts incoming log events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.
+
+The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
+
+For more information, see Auth0's webpage on [integration to Elastic Security](https://marketplace.auth0.com/integrations/elastic-security).
+
+## Compatability
+
+The package collects log events sent via log stream webhooks.
+
+## Configuration
+
+### Enabling the integration in Elastic
+
+1. In Kibana go to **Management > Integrations**
+2. In "Search for integrations" search bar type **Auth0**
+3. Click on "Auth0" integration from the search results.
+4. Click on **Add Auth0** button to add Auth0 integration.
+
+### Configure the Auth0 integration
+
+1. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the **Endpoint URL** `https://{AGENT_ADDRESS}:8383/auth0/logs`.
+2. Enter value for "Secret value". This must match the "Authorization Token" value entered when configuring the "Custom Webhook" from Auth0 cloud.
+3. Enter values for "TLS". Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
+
+### Creating the stream in Auth0
+
+1. From the Auth0 management console, navigate to **Logs > Streams** and click **+ Create Stream**.
+2. Choose **Custom Webhook**.
+3. Name the new **Event Stream** appropriately (e.g. Elastic) and click **Create**.
+4. In **Payload URL**, paste the **Endpoint URL** collected during Step 1 of **Configure the Auth0 integration** section.
+5. In **Authorization Token**, paste the **Authorization Token**. This must match the value entered in Step 2 of **Configure the Auth0 integration** section.
+6. In **Content Type**, choose **application/json**.
+7. In **Content Format**, choose **JSON Lines**.
+8. **Click Save**.
+
+## Log Events
+
+Enable to collect Auth0 log events for all the applications configured for the chosen log stream.
+
+## Logs
+
+### Log Stream Events
+
+The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log events are available in the `auth0.logs` field group.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| auth0.logs.data.audience | API audience the event applies to. | keyword |
+| auth0.logs.data.classification | Log stream filters | keyword |
+| auth0.logs.data.client_id | ID of the client (application). | keyword |
+| auth0.logs.data.client_name | Name of the client (application). | keyword |
+| auth0.logs.data.connection | Name of the connection the event relates to. | keyword |
+| auth0.logs.data.connection_id | ID of the connection the event relates to. | keyword |
+| auth0.logs.data.date | Date when the event occurred in ISO 8601 format. | date |
+| auth0.logs.data.description | Description of this event. | text |
+| auth0.logs.data.details | Additional useful details about this event (values here depend upon event type). | flattened |
+| auth0.logs.data.hostname | Hostname the event applies to. | keyword |
+| auth0.logs.data.ip | IP address of the log event source. | ip |
+| auth0.logs.data.is_mobile | Whether the client was a mobile device (true) or desktop/laptop/server (false). | boolean |
+| auth0.logs.data.location_info.city_name | Full city name in English. | keyword |
+| auth0.logs.data.location_info.continent_code | Continent the country is located within. Can be AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America). | keyword |
+| auth0.logs.data.location_info.country_code | Two-letter [Alpha-2 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code | keyword |
+| auth0.logs.data.location_info.country_code3 | Three-letter [Alpha-3 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code | keyword |
+| auth0.logs.data.location_info.country_name | Full country name in English. | keyword |
+| auth0.logs.data.location_info.latitude | Global latitude (horizontal) position. | keyword |
+| auth0.logs.data.location_info.longitude | Global longitude (vertical) position. | keyword |
+| auth0.logs.data.location_info.time_zone | Time zone name as found in the [tz database](https://www.iana.org/time-zones). | keyword |
+| auth0.logs.data.log_id | Unique ID of the event. | keyword |
+| auth0.logs.data.login.completedAt | Time at which the operation was completed | date |
+| auth0.logs.data.login.elapsedTime | Number of milliseconds the operation took to complete. | long |
+| auth0.logs.data.login.initiatedAt | Time at which the operation was initiated | date |
+| auth0.logs.data.login.stats.loginsCount | Total number of logins performed by the user | long |
+| auth0.logs.data.scope | Scope permissions applied to the event. | keyword |
+| auth0.logs.data.strategy | Name of the strategy involved in the event. | keyword |
+| auth0.logs.data.strategy_type | Type of strategy involved in the event. | keyword |
+| auth0.logs.data.type | Type of event. | keyword |
+| auth0.logs.data.user_agent | User agent string from the client device that caused the event. | text |
+| auth0.logs.data.user_id | ID of the user involved in the event. | keyword |
+| auth0.logs.data.user_name | Name of the user involved in the event. | keyword |
+| auth0.logs.log_id | Unique log event identifier | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| destination.user.id | Unique identifier of the user. | keyword |
+| destination.user.name | Short name or login of the user. | keyword |
+| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event timestamp. | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event timestamp. | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| input.type | Input type. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.pid | Process id. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.id | Unique identifier of the user. | keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| user_agent.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
+
+An example event for `logs` looks as following:
+
+```json
+{
+ "@timestamp": "2021-11-03T03:25:28.923Z",
+ "agent": {
+ "ephemeral_id": "3c2232a0-df0e-48e0-8440-96d5500ce25c",
+ "hostname": "docker-fleet-agent",
+ "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "auth0": {
+ "logs": {
+ "data": {
+ "classification": "Login - Success",
+ "client_id": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB",
+ "client_name": "Default App",
+ "connection": "Username-Password-Authentication",
+ "connection_id": "con_1a5wCUmAs6VOU17n",
+ "date": "2021-11-03T03:25:28.923Z",
+ "details": {
+ "completedAt": 1635909928922,
+ "elapsedTime": 1110091,
+ "initiatedAt": 1635908818831,
+ "prompts": [
+ {
+ "completedAt": 1635909903693,
+ "connection": "Username-Password-Authentication",
+ "connection_id": "con_1a5wCUmAs6VOU17n",
+ "identity": "6182002f34f4dd006b05b5c7",
+ "name": "prompt-authenticate",
+ "stats": {
+ "loginsCount": 1
+ },
+ "strategy": "auth0"
+ },
+ {
+ "completedAt": 1635909903745,
+ "elapsedTime": 1084902,
+ "flow": "universal-login",
+ "initiatedAt": 1635908818843,
+ "name": "login",
+ "timers": {
+ "rules": 5
+ },
+ "user_id": "auth0|6182002f34f4dd006b05b5c7",
+ "user_name": "neo@test.com"
+ },
+ {
+ "completedAt": 1635909928352,
+ "elapsedTime": 23378,
+ "flow": "consent",
+ "grantInfo": {
+ "audience": "https://dev-yoj8axza.au.auth0.com/userinfo",
+ "id": "618201284369c9b4f9cd6d52",
+ "scope": "openid profile"
+ },
+ "initiatedAt": 1635909904974,
+ "name": "consent"
+ }
+ ],
+ "session_id": "1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc",
+ "stats": {
+ "loginsCount": 1
+ }
+ },
+ "hostname": "dev-yoj8axza.au.auth0.com",
+ "login": {
+ "completedAt": "2021-11-03T03:25:28.922Z",
+ "elapsedTime": 1110091,
+ "initiatedAt": "2021-11-03T03:06:58.831Z",
+ "stats": {
+ "loginsCount": 1
+ }
+ },
+ "strategy": "auth0",
+ "strategy_type": "database",
+ "type": "Successful login"
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "auth0.logs",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "elastic_agent": {
+ "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "action": "successful-login",
+ "agent_id_status": "verified",
+ "category": [
+ "authentication",
+ "session"
+ ],
+ "dataset": "auth0.logs",
+ "id": "90020211103032530111223343147286033102509916061341581378",
+ "ingested": "2022-01-20T05:57:05Z",
+ "kind": "event",
+ "original": "{\"data\":{\"client_id\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\",\"client_name\":\"Default App\",\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"date\":\"2021-11-03T03:25:28.923Z\",\"details\":{\"completedAt\":1635909928922,\"elapsedTime\":1110091,\"initiatedAt\":1635908818831,\"prompts\":[{\"completedAt\":1635909903693,\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"elapsedTime\":null,\"identity\":\"6182002f34f4dd006b05b5c7\",\"name\":\"prompt-authenticate\",\"stats\":{\"loginsCount\":1},\"strategy\":\"auth0\"},{\"completedAt\":1635909903745,\"elapsedTime\":1084902,\"flow\":\"universal-login\",\"initiatedAt\":1635908818843,\"name\":\"login\",\"timers\":{\"rules\":5},\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},{\"completedAt\":1635909928352,\"elapsedTime\":23378,\"flow\":\"consent\",\"grantInfo\":{\"audience\":\"https://dev-yoj8axza.au.auth0.com/userinfo\",\"expiration\":null,\"id\":\"618201284369c9b4f9cd6d52\",\"scope\":\"openid profile\"},\"initiatedAt\":1635909904974,\"name\":\"consent\"}],\"session_id\":\"1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc\",\"stats\":{\"loginsCount\":1}},\"hostname\":\"dev-yoj8axza.au.auth0.com\",\"ip\":\"81.2.69.143\",\"log_id\":\"90020211103032530111223343147286033102509916061341581378\",\"strategy\":\"auth0\",\"strategy_type\":\"database\",\"type\":\"s\",\"user_agent\":\"Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0\",\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},\"log_id\":\"90020211103032530111223343147286033102509916061341581378\"}",
+ "outcome": "success",
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "input": {
+ "type": "http_endpoint"
+ },
+ "log": {
+ "level": "info"
+ },
+ "network": {
+ "type": "ipv4"
+ },
+ "source": {
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.143"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "auth0-logstream"
+ ],
+ "user": {
+ "id": "auth0|6182002f34f4dd006b05b5c7",
+ "name": "neo@test.com"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0",
+ "os": {
+ "name": "Ubuntu"
+ },
+ "version": "93.0."
+ }
+}
+```
diff --git a/packages/auth0/0.1.4/img/auth0-logo.svg b/packages/auth0/0.1.4/img/auth0-logo.svg
new file mode 100755
index 0000000000..e0f2aa1d36
--- /dev/null
+++ b/packages/auth0/0.1.4/img/auth0-logo.svg
@@ -0,0 +1,60 @@
+ + + + + + + + + + + + + + + + + + + + +
diff --git a/packages/auth0/0.1.4/img/auth0-screenshot.png b/packages/auth0/0.1.4/img/auth0-screenshot.png
new file mode 100755
index 0000000000..72b880f161
Binary files /dev/null and b/packages/auth0/0.1.4/img/auth0-screenshot.png differ
diff --git a/packages/auth0/0.1.4/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json b/packages/auth0/0.1.4/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json
new file mode 100755
index 0000000000..86e7ba2c55
--- /dev/null
+++ b/packages/auth0/0.1.4/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json
@@ -0,0 +1,132 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c9215ac0-57f7-4fbb-af81-9f5bb365a238\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c9215ac0-57f7-4fbb-af81-9f5bb365a238\":{\"columnOrder\":[\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\",\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\"],\"columns\":{\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\"],\"layerId\":\"c9215ac0-57f7-4fbb-af81-9f5bb365a238\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"1a13814d-17bf-42cf-8ef9-2dc599fb6766\",\"w\":15,\"x\":0,\"y\":0},\"panelIndex\":\"1a13814d-17bf-42cf-8ef9-2dc599fb6766\",\"title\":\"Auth0 Log Stream Event 
Types\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\":{\"columnOrder\":[\"234dec72-0dd2-42cb-b486-059fa3e0a077\",\"9fb2da13-fb8b-4041-b60e-0840068dc570\"],\"columns\":{\"234dec72-0dd2-42cb-b486-059fa3e0a077\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"9fb2da13-fb8b-4041-b60e-0840068dc570\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of event.type\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"9fb2da13-fb8b-4041-b60e-0840068dc570\"],\"layerId\":\"1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"234dec72-0dd2-42cb-b486-059fa3e0a077\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"6089a77e-3c96-4414-9932-eda55ced3d07\",\"w\":14,\"x\":15,\"y\":0},\"panelIndex\":\"6089a77e-3c96-4414-9932-eda55ced3d07\",\"title\":\"Rate of events\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - Failure\"}}}],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"\",\"type\":\"metric\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"5124c723-8890-477e-aad5-bc4fd529bd46\",\"w\":9,\"x\":29,\"y\":0},\"panelIndex\":\"5124c723-8890-477e-aad5-bc4fd529bd46\",\"title\":\"Number of Failed 
Logins\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Signup - Success\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Signup - Success\"}}}],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"\",\"type\":\"metric\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"cb337534-d263-480b-b6a3-80cc4f14d73b\",\"w\":10,\"x\":38,\"y\":0},\"panelIndex\":\"cb337534-d263-480b-b6a3-80cc4f14d73b\",\"title\":\"Number of Successful 
Signups\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e7270679-c5d0-496a-9fd2-7409b402bdb0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e7270679-c5d0-496a-9fd2-7409b402bdb0\":{\"columnOrder\":[\"60724141-ecf4-4f42-b263-d12cd64fe1a3\",\"14ed1312-1743-452e-89e9-52018d6db787\"],\"columns\":{\"14ed1312-1743-452e-89e9-52018d6db787\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"60724141-ecf4-4f42-b263-d12cd64fe1a3\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Success\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - 
Success\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"14ed1312-1743-452e-89e9-52018d6db787\"],\"layerId\":\"e7270679-c5d0-496a-9fd2-7409b402bdb0\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"60724141-ecf4-4f42-b263-d12cd64fe1a3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"d00429d4-502f-41d8-8a2b-7300859930ea\",\"w\":15,\"x\":0,\"y\":10},\"panelIndex\":\"d00429d4-502f-41d8-8a2b-7300859930ea\",\"title\":\"Rate of Successful 
Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\":{\"columnOrder\":[\"56478895-2ad9-4541-9b3c-debffe3de81d\",\"d8ee79e4-d617-4809-9065-217bcd1f628c\"],\"columns\":{\"56478895-2ad9-4541-9b3c-debffe3de81d\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d8ee79e4-d617-4809-9065-217bcd1f628c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - 
Failure\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"d8ee79e4-d617-4809-9065-217bcd1f628c\"],\"layerId\":\"4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"56478895-2ad9-4541-9b3c-debffe3de81d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8\",\"w\":14,\"x\":15,\"y\":10},\"panelIndex\":\"c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8\",\"title\":\"Rate of Failed Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"w\":19,\"x\":29,\"y\":10},\"panelIndex\":\"d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"panelRefName\":\"panel_d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"253f1007-1537-4012-a663-48bccf233f4c\",\"w\":48,\"x\":0,\"y\":22},\"panelIndex\":\"253f1007-1537-4012-a663-48bccf233f4c\",\"panelRefName\":\"panel_253f1007-1537-4012-a663-48bccf233f4c\",\"type\":\"search\",\"version\":\"7.15.1\"}]", + "timeRestore": false, + "title": "Auth0", + "version": 1 + }, + "coreMigrationVersion": "7.15.1", + "id": "auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "logs-*", + "name": "1a13814d-17bf-42cf-8ef9-2dc599fb6766:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"1a13814d-17bf-42cf-8ef9-2dc599fb6766:indexpattern-datasource-layer-c9215ac0-57f7-4fbb-af81-9f5bb365a238", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a13814d-17bf-42cf-8ef9-2dc599fb6766:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6089a77e-3c96-4414-9932-eda55ced3d07:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6089a77e-3c96-4414-9932-eda55ced3d07:indexpattern-datasource-layer-1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6089a77e-3c96-4414-9932-eda55ced3d07:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d00429d4-502f-41d8-8a2b-7300859930ea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d00429d4-502f-41d8-8a2b-7300859930ea:indexpattern-datasource-layer-e7270679-c5d0-496a-9fd2-7409b402bdb0", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "d00429d4-502f-41d8-8a2b-7300859930ea:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d00429d4-502f-41d8-8a2b-7300859930ea:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:indexpattern-datasource-layer-4fc38bcd-1242-43bb-a213-0c6fe6e7a26e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9", + "name": "d6323397-e8a4-4869-ad2b-d48ee5b5a70a:panel_d6323397-e8a4-4869-ad2b-d48ee5b5a70a", + "type": "visualization" + }, + { + "id": "auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf", + "name": "253f1007-1537-4012-a663-48bccf233f4c:panel_253f1007-1537-4012-a663-48bccf233f4c", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/auth0/0.1.4/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json b/packages/auth0/0.1.4/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json new file mode 100755 index 0000000000..3d37f68df5 --- /dev/null +++ b/packages/auth0/0.1.4/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "columns": [ + "auth0.logs.data.connection", + "auth0.logs.data.user_name", + "auth0.logs.data.user_agent" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"auth0.logs\\\" \"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Auth0 logs", + "version": 1 + }, + "coreMigrationVersion": "7.15.1", + "id": "auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/auth0/0.1.4/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json b/packages/auth0/0.1.4/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json new file mode 100755 index 0000000000..59f6851d51 --- /dev/null +++ b/packages/auth0/0.1.4/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - Failure\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "IP Addresses of failed logins", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"auth0.logs.data.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"IP Addresses of failed logins\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "7.15.1", + "id": "auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/auth0/0.1.4/manifest.yml b/packages/auth0/0.1.4/manifest.yml new file mode 100755 index 0000000000..eaa580219c --- /dev/null +++ b/packages/auth0/0.1.4/manifest.yml @@ -0,0 +1,34 @@ +format_version: 1.0.0 +name: auth0 +title: "Auth0 Log Streams Integration" +version: 0.1.4 +license: basic +description: Collect logs from Auth0 with Elastic Agent. +type: integration +categories: + - cloud + - network + - security +release: experimental +conditions: + kibana.version: "^7.16.0 || ^8.0.0" +screenshots: + - src: /img/auth0-screenshot.png + title: Auth0 Dashboard + size: 600x600 + type: image/png +icons: + - src: /img/auth0-logo.svg + title: Auth0 logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: auth0_events + title: Auth0 log stream events via Webhooks + description: Collect Auth0 log streams events via Webhooks. + inputs: + - type: http_endpoint + title: Collect Auth0 log streams events via Webhooks + description: Collecting Auth0 log stream events via Webhooks. +owner: + github: elastic/security-external-integrations diff --git a/packages/carbon_black_cloud/0.1.1/changelog.yml b/packages/carbon_black_cloud/0.1.1/changelog.yml new file mode 100755 index 0000000000..a28a981386 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/changelog.yml @@ -0,0 +1,11 @@ +# newer versions go on top +- version: 0.1.1 + changes: + - description: Captured domain from username and hostname + type: enhancement + link: https://github.com/elastic/integrations/pull/3106 +- version: 0.1.0 + changes: + - description: Initial draft of the package. + type: enhancement + link: https://github.com/elastic/integrations/pull/2760 
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/alert/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/0.1.1/data_stream/alert/agent/stream/aws-s3.yml.hbs
new file mode 100755
index 0000000000..e02c596614
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/alert/agent/stream/aws-s3.yml.hbs
@@ -0,0 +1,24 @@
+bucket_arn: {{bucket_arn}}
+number_of_workers: {{number_of_workers}}
+bucket_list_interval: {{interval}}
+access_key_id: {{access_key_id}}
+secret_access_key: {{secret_access_key}}
+bucket_list_prefix: {{bucket_list_prefix}}
+expand_event_list_from_field: Records
+{{#if proxy_url}}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/0.1.1/data_stream/alert/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..2f738b21a6
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/alert/agent/stream/httpjson.yml.hbs
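Review bot: `access_key_id`, `secret_access_key` and `bucket_list_prefix` are emitted as bare plain scalars, so an unset variable renders as `access_key_id:` (a YAML null) and a value starting with a YAML indicator or containing `: ` / ` #` changes the parse, whereas `proxy_url` on the same template is protected by `{{#if proxy_url}}`. When no static credentials are configured the credential keys should be omitted the same way, e.g. `{{#if access_key_id}}` / `access_key_id: {{access_key_id}}` / `{{/if}}`, and likewise for `secret_access_key` and `bucket_list_prefix`. Whether the Fleet renderer already escapes these values is not visible from this hunk.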
@@ -0,0 +1,52 @@
+config_version: 2
+interval: {{interval}}
+request.timeout: 2m
+request.method: POST
+
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+
+request.url: {{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search
+request.transforms:
+ - set:
+ target: header.X-Auth-Token
+ value: {{custom_api_secret_key}}/{{custom_api_id}}
+ - set:
+ target: body.criteria.last_update_time.start
+ value: '[[.cursor.last_update_timestamp]]'
+ default: '[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "-15m")) "RFC3339"]]'
+ - set:
+ target: body.criteria.last_update_time.end
+ value: '[[formatDate (now (parseDuration "-15m")) "RFC3339"]]'
+ - set:
+ target: body.sort
+ value: '[{ "field": "last_update_time", "order": "ASC"}]'
+ value_type: json
+response.pagination:
+ - set:
+ target: body.criteria.last_update_time.start
+ value: '[[if (ne .last_response.body.num_found .last_response.body.num_available)]][[.last_event.last_update_time]][[else]][[.last_response.terminate_pagination]][[end]]'
+ fail_on_template_error: true
+cursor:
+ last_update_timestamp:
+ value: '[[.last_event.last_update_time]]'
+response.split:
+ target: body.results
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/0.1.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..f6f5fc171e
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
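Review bot: The `X-Auth-Token` header value `{{custom_api_secret_key}}/{{custom_api_id}}` and `request.url: {{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search` are unquoted plain scalars, so a key or hostname containing ` #` or `: ` would be truncated or mis-parsed after rendering; `value: "{{custom_api_secret_key}}/{{custom_api_id}}"` and `request.url: "{{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search"` avoid that. The template also does not constrain the scheme of `hostname`, and since the API secret travels in a request header the variable's definition (outside this hunk) should document that an `https://` base URL is expected. The cursor and pagination transforms look consistent with the ascending `last_update_time` sort.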
@@ -0,0 +1,313 @@
+---
+description: Pipeline for parsing Carbon Black Cloud alerts.
+processors:
+ - set:
+ field: ecs.version
+ value: "8.0.0"
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - fingerprint:
+ fields:
+ - json.id
+ - json.create_time
+ - json.last_update_time
+ target_field: _id
+ ignore_missing: true
+ - date:
+ field: json.create_time
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - ISO8601
+ - set:
+ field: event.kind
+ value: alert
+ - rename:
+ field: json.id
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ field: json.first_event_time
+ target_field: event.start
+ ignore_missing: true
+ - rename:
+ field: json.last_event_time
+ target_field: event.end
+ ignore_missing: true
+ - rename:
+ field: json.severity
+ target_field: event.severity
+ ignore_missing: true
+ - urldecode:
+ field: json.alert_url
+ target_field: event.url
+ ignore_missing: true
+ - rename:
+ field: json.reason
+ target_field: event.reason
+ ignore_missing: true
+ - convert:
+ field: json.device_id
+ target_field: host.id
+ type: string
+ ignore_missing: true
+ - set:
+ field: host.os.type
+ value: windows
+ if: ctx?.json?.device_os == "WINDOWS"
+ - set:
+ field: host.os.type
+ value: linux
+ if: ctx?.json?.device_os == "LINUX"
+ - set:
+ field: host.os.type
+ value: macos
+ if: ctx?.json?.device_os == "MAC"
+ - set:
+ field: event.kind
+ value: alert
+ - rename:
+ field: json.device_os_version
+ target_field: host.os.version
+ ignore_missing: true
+ - rename:
+ field: json.device_name
+ target_field: host.hostname
+ ignore_missing: true
+ - grok:
+ field: host.hostname
+ patterns:
+ - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$'
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: host.name
+ value: "{{{host.hostname}}}"
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_internal_ip}}}"
+ if: ctx?.json?.device_internal_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_external_ip}}}"
+ if: ctx?.json?.device_external_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.device_username
+ target_field: user.name
+ ignore_missing: true
+ - grok:
+ field: user.name
+ patterns:
+ - '^(%{DATA:user.domain})\\(%{GREEDYDATA:user.name})$'
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value:
+ - "{{{json.device_internal_ip}}}"
+ - "{{{json.device_external_ip}}}"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value:
+ - "{{{user.name}}}"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value:
+ - "{{{host.hostname}}}"
+ - "{{{user.domain}}}"
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value:
+ - "{{{json.threat_cause_actor_md5}}}"
+ - "{{{json.threat_cause_actor_sha256}}}"
+ allow_duplicates: false
+ - rename:
+ field: json.process_name
+ target_field: process.name
+ ignore_missing: true
+ - rename:
+ field: json.process_path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: json.process_guid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.vendor_name
+ target_field: carbon_black_cloud.alert.vendor_name
+ ignore_missing: true
+ - rename:
+ field: json.product_name
+ target_field: carbon_black_cloud.alert.product_name
+ ignore_missing: true
+ - rename:
+ field: json.serial_number
+ target_field: carbon_black_cloud.alert.serial_number
+ ignore_missing: true
+ - rename:
+ field: json.policy_id
+ target_field: carbon_black_cloud.alert.policy.id
+ ignore_missing: true
+ - rename:
+ field: json.policy_name
+ target_field: carbon_black_cloud.alert.policy.name
+ ignore_missing: true
+ - rename:
+ field: json.threat_id
+ target_field: carbon_black_cloud.alert.threat_id
+ ignore_missing: true
+ - rename:
+ field: json.policy_applied
+ target_field: carbon_black_cloud.alert.policy.applied
+ ignore_missing: true
+ - rename:
+ field: json.threat_activity_c2
+ target_field: carbon_black_cloud.alert.threat_activity.c2
+ ignore_missing: true
+ - rename:
+ field: json.threat_activity_dlp
+ target_field: carbon_black_cloud.alert.threat_activity.dlp
+ ignore_missing: true
+ - rename:
+ field: json.threat_activity_phish
+ target_field: carbon_black_cloud.alert.threat_activity.phish
+ ignore_missing: true
+ - rename:
+ field: json.threat_cause_actor_name
+ target_field: carbon_black_cloud.alert.threat_cause.actor.name
+ ignore_missing: true
+ - rename:
+ field: json.threat_cause_actor_process_pid
+ target_field: carbon_black_cloud.alert.threat_cause.actor.process_pid
+ ignore_missing: true
+ - rename:
+ field: json.threat_cause_actor_sha256
+ target_field: carbon_black_cloud.alert.threat_cause.actor.sha256
+ ignore_missing: true
+ - rename:
+ field: json.threat_cause_actor_md5
+ target_field: carbon_black_cloud.alert.threat_cause.actor.md5
+ ignore_missing: true
+ - rename:
+ field: json.threat_cause_cause_event_id
+ target_field: carbon_black_cloud.alert.threat_cause.cause_event_id
+ ignore_missing: true
+ - rename:
+ field: json.threat_cause_parent_guid
+ target_field: carbon_black_cloud.alert.threat_cause.process.parent.guid
+ ignore_missing: true
+ - rename:
+ field: json.threat_cause_process_guid
+ target_field: carbon_black_cloud.alert.threat_cause.process.guid
+ ignore_missing: true
+ - rename:
+ field: json.threat_cause_reputation
+ target_field: carbon_black_cloud.alert.threat_cause.reputation
+ ignore_missing: true
+ - rename:
+ field: json.threat_cause_threat_category
+ target_field: carbon_black_cloud.alert.threat_cause.threat_category
+ ignore_missing: true
+ - rename:
+ field: json.threat_cause_vector
+ target_field: carbon_black_cloud.alert.threat_cause.vector
+ ignore_missing: true
+ - rename:
+ field: json.ioc_field
+ target_field: carbon_black_cloud.alert.ioc.field
+ ignore_missing: true
+ - rename:
+ field: json.ioc_hit
+ target_field: carbon_black_cloud.alert.ioc.hit
+ ignore_missing: true
+ - rename:
+ field: json.ioc_id
+ target_field: carbon_black_cloud.alert.ioc.id
+ ignore_missing: true
+ - rename:
+ field: json.report_id
+ target_field: carbon_black_cloud.alert.report.id
+ ignore_missing: true
+ - rename:
+ field: json.report_name
+ target_field: carbon_black_cloud.alert.report.name
+ ignore_missing: true
+ - rename:
+ field: json.org_key
+ target_field: carbon_black_cloud.alert.organization_key
+ ignore_missing: true
+ - rename:
+ field: json.device_location
+ target_field: carbon_black_cloud.alert.device.location
+ ignore_missing: true
+ - rename:
+ field: json.device_os
+ target_field: carbon_black_cloud.alert.device.os
+ ignore_missing: true
+ - rename:
+ field: json.device_internal_ip
+ target_field: carbon_black_cloud.alert.device.internal_ip
+ ignore_missing: true
+ - rename:
+ field: json.device_external_ip
+ target_field: carbon_black_cloud.alert.device.external_ip
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - lowercase:
+ field: json.category
+ ignore_missing: true
+ - script:
+ description: Adds all the remaining fields in fields under carbon_black_cloud.alert
+ lang: painless
+ if: ctx?.json != null
+ source: |
+ for (Map.Entry m : ctx.json.entrySet()) {
+ ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue();
+ }
+ - remove:
+ field:
+ - json
+ - carbon_black_cloud.alert.create_time
+ - carbon_black_cloud.alert.device_id
+ - carbon_black_cloud.alert.alert_url
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/agent.yml
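Review bot: The grok on `host.hostname` stores the `DOMAIN\host` prefix in `user.domain`, and the later grok on `user.name` overwrites that value whenever the username also carries a domain, so `related.hosts` then receives the user's domain rather than the host's; the ECS field for this is `host.domain`, which this package already declares in fields/agent.yml, so the pattern should read `- '^(%{DATA:host.domain})\\(%{GREEDYDATA:host.hostname})$'` and `related.hosts` should append `"{{{host.domain}}}"`. `event.kind: alert` is set twice (after the `date` processor and again after the `host.os.type` conditions); the second `set` is redundant. The catch-all script writes into `ctx.carbon_black_cloud.alert` without creating that map, so a document whose `json` object contains none of the renamed keys would raise a null-pointer error and land in `on_failure` — presumably rare if `vendor_name` is always present, but `if (ctx.carbon_black_cloud == null) ctx.carbon_black_cloud = [:]; if (ctx.carbon_black_cloud.alert == null) ctx.carbon_black_cloud.alert = [:];` at the top of the script makes the precondition explicit.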
@@ -0,0 +1,204 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/base-fields.yml b/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/base-fields.yml
new file mode 100755
index 0000000000..14fb618ea4
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: carbon_black_cloud
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: carbon_black_cloud.alert
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/ecs.yml
new file mode 100755
index 0000000000..cfad6817c1
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/ecs.yml
@@ -0,0 +1,117 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. 
For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
+ name: host.name + type: keyword +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. + One of these following values should be used (lowercase): linux, macos, unix, windows. + If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + name: host.os.type + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. 
+ name: related.user + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/fields.yml b/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/fields.yml new file mode 100755 index 0000000000..3eca3a1515 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/alert/fields/fields.yml 
@@ -0,0 +1,218 @@ +- name: carbon_black_cloud.alert + type: group + fields: + - name: blocked_threat_category + type: keyword + description: The category of threat which we were able to take action on. + - name: category + type: keyword + description: The category of the alert. + - name: count + type: long + - name: created_by_event_id + type: keyword + description: Event identifier that initiated the alert. + - name: device + type: group + fields: + - name: location + type: keyword + description: The Location of device. + - name: os + type: keyword + description: OS of the device. + - name: internal_ip + type: ip + description: Internal IP of the device. + - name: external_ip + type: ip + description: External IP of the device. + - name: document_guid + type: keyword + description: Unique ID of document. + - name: ioc + type: group + fields: + - name: field + type: keyword + description: The field the indicator of comprise (IOC) hit contains. + - name: hit + type: keyword + description: IOC field value or IOC query that matches. + - name: id + type: keyword + description: The identifier of the IOC that cause the hit. + - name: kill_chain_status + type: keyword + description: The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. + - name: last_update_time + type: date + description: The last time the alert was updated as an ISO 8601 UTC timestamp. + - name: legacy_alert_id + type: keyword + description: The legacy identifier for the alert. + - name: not_blocked_threat_category + type: keyword + description: Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). + - name: notes_present + type: boolean + description: Indicates if notes are associated with the threat_id. + - name: organization_key + type: keyword + description: The unique identifier for the organization associated with the alert. 
+ - name: policy + type: group + fields: + - name: applied + type: keyword + description: Whether a policy was applied. + - name: id + type: long + description: The identifier for the policy associated with the device at the time of the alert. + - name: name + type: keyword + description: The name of the policy associated with the device at the time of the alert. + - name: product_id + type: keyword + description: The hexadecimal id of the USB device's product. + - name: product_name + type: keyword + description: The name of the USB device’s vendor. + - name: reason_code + type: keyword + description: Shorthand enum for the full-text reason. + - name: report + type: group + fields: + - name: id + type: keyword + description: The identifier of the report that contains the IOC. + - name: name + type: keyword + description: The name of the report that contains the IOC. + - name: run_state + type: keyword + description: Whether the threat in the alert ran. + - name: sensor_action + type: keyword + description: The action taken by the sensor, according to the rule of the policy. + - name: serial_number + type: keyword + description: The serial number of the USB device. + - name: status + type: keyword + description: status of alert. + - name: tags + type: keyword + description: Tags associated with the alert. + - name: target_value + type: keyword + description: The priority of the device assigned by the policy. + - name: threat_activity + type: group + fields: + - name: c2 + type: keyword + description: Whether the alert involved a command and control (c2) server. + - name: dlp + type: keyword + description: Whether the alert involved data loss prevention (DLP). + - name: phish + type: keyword + description: Whether the alert involved phishing. + - name: threat_cause + type: group + fields: + - name: actor + type: group + fields: + - name: md5 + type: keyword + description: MD5 of the threat cause actor. 
+ - name: name + type: keyword + description: 'The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan.' + - name: process_pid + type: keyword + description: Process identifier (PID) of the actor process. + - name: sha256 + type: keyword + description: SHA256 of the threat cause actor. + - name: cause_event_id + type: keyword + description: ID of the Event that triggered the threat. + - name: process + type: group + fields: + - name: guid + type: keyword + description: The global unique identifier of the process. + - name: parent + type: group + fields: + - name: guid + type: keyword + description: The global unique identifier of the process. + - name: reputation + type: keyword + description: Reputation of the threat cause. + - name: threat_category + type: keyword + description: Category of the threat cause. + - name: vector + type: keyword + description: The source of the threat cause. + - name: threat_id + type: keyword + description: The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. + - name: threat_indicators + type: group + description: List of the threat indicators that make up the threat. + fields: + - name: process_name + type: keyword + description: Process name associated with threat. + - name: sha256 + type: keyword + description: Sha256 associated with threat. + - name: ttps + type: keyword + description: Tactics, techniques and procedures associated with threat. + - name: type + type: keyword + description: Type of alert. + - name: vendor_id + type: keyword + description: The hexadecimal id of the USB device's vendor. + - name: vendor_name + type: keyword + description: The name of the USB device’s vendor. + - name: watchlists + type: group + description: List of watchlists associated with an alert. 
+ fields: + - name: id + type: keyword + description: The identifier of watchlist. + - name: name + type: keyword + description: The name of the watchlist. + - name: workflow + type: group + description: Tracking system for alerts as they are triaged and resolved. + fields: + - name: changed_by + type: keyword + description: The name of user who changed the workflow. + - name: comment + type: keyword + description: Comment associated with workflow. + - name: last_update_time + type: date + description: The last update time of workflow. + - name: remediation + type: keyword + description: N/A + - name: state + type: keyword + description: The state of workflow. diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/alert/manifest.yml b/packages/carbon_black_cloud/0.1.1/data_stream/alert/manifest.yml new file mode 100755 index 0000000000..477667ce22 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/alert/manifest.yml 
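Review bot: The description of `product_name` (`The name of the USB device’s vendor.`) is a copy of the `vendor_name` description further down in this file, so the product field is documented as the vendor; it presumably wants `description: The name of the USB device's product.`. `remediation` is documented only as `N/A` and `count` has no description at all, which leaves both fields unexplained in the generated docs — either state what the API returns in them or drop the `N/A` so the field is not advertised as documented. Two typos: `indicator of comprise (IOC)` under `ioc.field` should be `indicator of compromise (IOC)`, and `threat_id` should read `The identifier of the threat to which this alert belongs.`. The `threat_activity` fields `c2`, `dlp` and `phish` are typed `keyword` but described as `Whether the alert involved …`; if the API returns booleans there, `type: boolean` would be the matching type — worth confirming against the sample data.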
@@ -0,0 +1,95 @@ +title: Alert +type: logs +streams: + - input: httpjson + title: Collect alerts from Carbon Black Cloud + description: Collect alerts from Carbon Black Cloud. + template_path: httpjson.yml.hbs + vars: + - name: interval + type: text + title: Interval + description: Interval to fetch alerts from Carbon Black Cloud. + multi: false + required: true + show_user: true + default: 1m + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the alerts from the Carbon Black Cloud API. + default: 24h + multi: false + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - carbon_black_cloud-alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: aws-s3 + title: Collect alerts from Carbon Black Cloud + description: Collect alerts from Carbon Black Cloud. + template_path: aws-s3.yml.hbs + vars: + - name: bucket_list_prefix + type: text + title: Bucket Prefix + description: Prefix to apply for the list request to the S3 bucket. + multi: false + required: true + show_user: true + - name: interval + type: text + title: Interval + description: Interval to fetch alerts from AWS S3 bucket. 
+ multi: false + required: true + show_user: true + default: 1m + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - carbon_black_cloud-alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/0.1.1/data_stream/alert/sample_event.json new file mode 100755 index 0000000000..67e2c63a32 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/alert/sample_event.json 
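Review bot: The `processors` description uses `>` in the httpjson stream but `>-` in the aws-s3 stream, so the first variant carries a trailing newline and two otherwise identical texts render differently; use `description: >-` in both. The two streams also share the identical `title: Collect alerts from Carbon Black Cloud` and description, which leaves nothing in the UI to tell the API poller from the S3 bucket reader — a qualifier such as `title: Collect alerts from Carbon Black Cloud via AWS S3` on the second stream (and a matching `via the Carbon Black Cloud API` on the first) would make the choice clear.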
@@ -0,0 +1,114 @@ +{ + "@timestamp": "2020-11-17T22:05:13.000Z", + "agent": { + "ephemeral_id": "56053d91-103c-4c77-8f15-0a1006a80102", + "hostname": "docker-fleet-agent", + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "carbon_black_cloud": { + "alert": { + "category": "warning", + "device": { + "external_ip": "81.2.69.143", + "internal_ip": "81.2.69.144", + "location": "UNKNOWN", + "os": "WINDOWS" + }, + "last_update_time": "2020-11-17T22:05:13Z", + "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", + "organization_key": "ABCD6X3T", + "policy": { + "applied": "APPLIED", + "id": 6997287, + "name": "Standard" + }, + "product_id": "0x5406", + "product_name": "U3 Cruzer Micro", + "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", + "run_state": "DID_NOT_RUN", + "sensor_action": "DENY", + "serial_number": "0875920EF7C2A304", + "target_value": "MEDIUM", + "threat_cause": { + "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", + "threat_category": "NON_MALWARE", + "vector": "REMOVABLE_MEDIA" + }, + "threat_id": "t5678", + "type": "DEVICE_CONTROL", + "vendor_id": "0x0781", + "vendor_name": "SanDisk", + "workflow": { + "changed_by": "Carbon Black", + "last_update_time": "2020-11-17T22:02:16Z", + "state": "OPEN" + } + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-04-14T11:46:13.154Z", + "dataset": "carbon_black_cloud.alert", + "end": "2020-11-17T22:02:16Z", + "id": "test1", + "ingested": "2022-04-14T11:46:14Z", + "kind": "alert", + "original": 
"{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", + "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.", + "severity": 3, + "start": "2020-11-17T22:02:16Z", + "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" + }, + "host": { + "hostname": "DESKTOP-002", + "id": "2", + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "name": "DESKTOP-002", + "os": { + "type": "windows", + "version": "Windows 10 x64" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-002" + ], + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "user": [ + "test34@demo.com" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-alert" + ], + "user": { + "name": "test34@demo.com" + } +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..310b6e05d5 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,45 @@ +config_version: 2 +interval: {{interval}} +request.method: POST +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +request.url: {{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search +request.transforms: + - set: + target: header.X-Auth-Token + value: {{custom_api_secret_key}}/{{custom_api_id}} + - set: + target: body.start + value: '0' + value_type: int + - set: + target: body.rows + value: '10000' + value_type: int +request.timeout: 2m +response.pagination: + - set: + target: body.start + value: '[[if (eq (len .last_response.body.results) 0)]][[.last_response.terminate_pagination]][[else]][[mul .last_response.page .body.rows]][[end]]' + value_type: int + fail_on_template_error: true +response.split: + target: body.results +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..94f7482f37 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml 
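Review bot: `value: {{custom_api_secret_key}}/{{custom_api_id}}` and `request.url: {{hostname}}/vulnerability/...` are rendered as plain, unquoted YAML scalars, so a secret or hostname value that contains `: ` or ` #`, or that starts with a YAML indicator such as `*`, `&`, `{` or `[`, is re-interpreted by the YAML parser instead of being passed through as the header or URL string. Quoting both values in the template keeps the rendered text a string: `value: "{{custom_api_secret_key}}/{{custom_api_id}}"` and `request.url: "{{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search"`. The same applies to `request.proxy_url: {{proxy_url}}` a few lines above.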
@@ -0,0 +1,132 @@ +--- +description: Pipeline for parsing Carbon Black Cloud Asset Vulnerability Summary. +processors: +- rename: + field: message + target_field: event.original + ignore_missing: true +- set: + field: ecs.version + value: '8.0.0' +- json: + field: event.original + target_field: json +- rename: + field: json.host_name + target_field: host.hostname + ignore_missing: true +- convert: + field: json.device_id + type: string + target_field: host.id + ignore_missing: true +- rename: + field: json.name + target_field: host.name + ignore_missing: true +- rename: + field: json.os_info.os_name + target_field: host.os.name + ignore_missing: true +- set: + field: host.os.type + value: windows + if: ctx?.json?.os_info.os_type == "WINDOWS" +- set: + field: host.os.type + value: ubuntu + if: ctx?.json?.os_info.os_type == "UBUNTU" +- set: + field: host.os.type + value: centos + if: ctx?.json?.os_info.os_type == "CENTOS" +- remove : + field: json.os_info.os_type + ignore_missing: true +- remove : + field: json.device_id + ignore_missing: true +- rename: + field: json.os_info.os_version + target_field: host.os.version + ignore_missing: true +- rename: + field: json.highest_risk_score + target_field: vulnerability.score.base + ignore_missing: true +- rename: + field: json.severity + target_field: vulnerability.severity + ignore_missing: true +- date: + field: json.last_sync_ts + formats: + - ISO8601 + target_field: carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp +- remove: + field: json.last_sync_ts + ignore_missing: true +- rename: + field: json.sync_status + target_field: carbon_black_cloud.asset_vulnerability_summary.sync.status + ignore_missing: true +- rename: + field: json.sync_type + target_field: carbon_black_cloud.asset_vulnerability_summary.sync.type + ignore_missing: true +- rename: + field: json.type + target_field: carbon_black_cloud.asset_vulnerability_summary.type + ignore_missing: true +- rename: + field: json.vm_id + target_field: 
carbon_black_cloud.asset_vulnerability_summary.vm.id + ignore_missing: true +- rename: + field: json.vm_name + target_field: carbon_black_cloud.asset_vulnerability_summary.vm.name + ignore_missing: true +- rename: + field: json.vuln_count + target_field: carbon_black_cloud.asset_vulnerability_summary.vuln_count + ignore_missing: true +- append: + field: related.hosts + value: "{{{host.hostname}}}" + allow_duplicates: false +- script: + description: Adds all the remaining fields in fields under carbon_black_cloud.asset_vulnerability_summary + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.carbon_black_cloud.asset_vulnerability_summary[m.getKey()] = m.getValue(); + } +- remove: + field: json + ignore_missing: true +- script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/agent.yml 
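Review bot: The three `host.os.type` conditions read `ctx?.json?.os_info.os_type`, so a document whose `json` map lacks `os_info` throws a null-pointer error in Painless and sends the whole event to `on_failure` instead of simply skipping the `set`; write the chain fully null-safe, `if: ctx?.json?.os_info?.os_type == "WINDOWS"`, and likewise for the UBUNTU and CENTOS branches. Separately, those two branches write `ubuntu` and `centos` into `host.os.type`, but this commit's own `ecs.yml` for the data stream documents the field as taking only `linux, macos, unix, windows`, so both should be `value: linux` — the distribution is already preserved through the `host.os.name` and `host.os.version` renames. The `script` that copies the remaining `json` entries indexes into `ctx.carbon_black_cloud.asset_vulnerability_summary` without checking it exists; that works only because the earlier `date` processor creates the map, and since that processor has no `ignore_failure`, an event without `last_sync_ts` fails the pipeline outright — worth confirming that is the intended behaviour. Minor style: `- remove :` (two occurrences) has a space before the colon, unlike every other processor key.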
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/base-fields.yml b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/base-fields.yml new file mode 100755 index 0000000000..e6791517a6 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset + value: carbon_black_cloud.asset_vulnerability_summary diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/ecs.yml b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/ecs.yml new file mode 100755 index 0000000000..bae6099a14 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/ecs.yml 
@@ -0,0 +1,57 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. + One of these following values should be used (lowercase): linux, macos, unix, windows. + If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. 
+ name: host.os.type + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.base + type: float +- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.severity + type: keyword diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/fields.yml b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/fields.yml new file mode 100755 index 0000000000..a70b2974e8 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/fields/fields.yml 
@@ -0,0 +1,39 @@
+- name: carbon_black_cloud.asset_vulnerability_summary
+ type: group
+ fields:
+ - name: os_info
+ type: group
+ fields:
+ - name: os_arch
+ type: keyword
+ description: The identifier is for the Operating system architecture.
+ - name: last_sync
+ type: group
+ fields:
+ - name: timestamp
+ type: date
+ description: The identifier is for the Last sync time.
+ - name: sync
+ type: group
+ fields:
+ - name: status
+ type: keyword
+ description: The identifier is for the Device sync status.
+ - name: type
+ type: keyword
+ description: The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync.
+ - name: type
+ type: keyword
+ description: The identifier is for the Device type.
+ - name: vm
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The identifier is for the Virtual Machine ID.
+ - name: name
+ type: keyword
+ description: The identifier is for the Virtual Machine name.
+ - name: vuln_count
+ type: integer
+ description: The identifier is for the Number of vulnerabilities at this level.
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/manifest.yml b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/manifest.yml
new file mode 100755
index 0000000000..b7bf78f84d
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/manifest.yml
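Review bot: Every `description` in this hunk carries the boilerplate prefix `The identifier is for the`, which produces ungrammatical text such as `The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync.` and labels plain values like `vuln_count` and `last_sync.timestamp` as identifiers. Drop the prefix throughout and describe the value itself, e.g. `description: Operating system architecture of the device.`, `description: Whether the sync was triggered manually or ran on schedule.`, `description: Number of vulnerabilities at this level.`. These descriptions surface in the Kibana field browser, so analysts building detections on this data stream read them directly.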
@@ -0,0 +1,42 @@
+title: Asset Vulnerability Summary
+type: logs
+streams:
+ - input: httpjson
+ title: Collect asset vulnerability summary from Carbon Black Cloud
+ description: Collect asset vulnerability summary from Carbon Black Cloud.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to query asset vulnerability summary in Carbon Black Cloud.
+ multi: false
+ required: true
+ show_user: true
+ default: 1h
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-asset-vulnerability-summary
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/sample_event.json
new file mode 100755
index 0000000000..c31987aefe
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/asset_vulnerability_summary/sample_event.json
@@ -0,0 +1,76 @@ +{ + "@timestamp": "2022-04-14T11:47:25.371Z", + "agent": { + "ephemeral_id": "377d9292-c7d0-4c30-bbee-faf4848d30d8", + "hostname": "docker-fleet-agent", + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "carbon_black_cloud": { + "asset_vulnerability_summary": { + "last_sync": { + "timestamp": "2022-01-17T08:33:37.384Z" + }, + "os_info": { + "os_arch": "64-bit" + }, + "sync": { + "status": "COMPLETED", + "type": "SCHEDULED" + }, + "type": "ENDPOINT", + "vuln_count": 1770 + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-04-14T11:47:25.371Z", + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "ingested": "2022-04-14T11:47:26Z", + "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" + }, + "host": { + "hostname": "DESKTOP-008", + "id": "8", + "name": "DESKTOP-008KK", + "os": { + "name": "Microsoft Windows 10 Education", + "type": "windows", + "version": "10.0.17763" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-008" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-asset-vulnerability-summary" + ], + "vulnerability": { + "score": { + "base": 10 + }, + "severity": 
"CRITICAL"
+ }
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/0.1.1/data_stream/audit/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..2693bd2bbb
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,32 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+
+request.url: {{hostname}}/integrationServices/v3/auditlogs
+request.transforms:
+ - set:
+ target: header.X-Auth-Token
+ value: {{api_secret_key}}/{{api_id}}
+response.split:
+ target: body.notifications
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/0.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..09c8373acb
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
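Review bot: `value: {{api_secret_key}}/{{api_id}}` and `request.url: {{hostname}}/integrationServices/v3/auditlogs` render operator-supplied strings into YAML unquoted, so a secret or host value containing ` #`, `: ` or a leading YAML indicator would be silently truncated or mis-parsed by the agent rather than rejected; quote both, e.g. `value: "{{api_secret_key}}/{{api_id}}"` and `request.url: "{{hostname}}/integrationServices/v3/auditlogs"`. Because the API key is sent in the `X-Auth-Token` header on every poll, the `hostname` variable (declared outside this hunk) should be documented as requiring an `https://` scheme — with a plain `http://` value the key leaves the agent in cleartext. I cannot tell from this hunk whether the package-level manifest validates the scheme, so treat that as something to confirm.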
@@ -0,0 +1,93 @@
+---
+description: Pipeline for parsing Carbon Black Cloud audit logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - date:
+ field: json.eventTime
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - UNIX_MS
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.outcome
+ value: success
+ - set:
+ field: event.outcome
+ value: failed
+ if: ctx?.json?.flagged == true
+ - rename:
+ field: json.description
+ target_field: event.reason
+ - rename:
+ field: json.clientIp
+ target_field: client.ip
+ ignore_missing: true
+ - rename:
+ field: json.loginName
+ target_field: client.user.id
+ ignore_missing: true
+ - rename:
+ field: json.eventId
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ field: json.orgName
+ target_field: organization.name
+ ignore_missing: true
+ - urldecode:
+ field: json.requestUrl
+ target_field: url.original
+ ignore_missing: true
+ - rename:
+ field: json.verbose
+ target_field: carbon_black_cloud.audit.verbose
+ ignore_missing: true
+ - rename:
+ field: json.flagged
+ target_field: carbon_black_cloud.audit.flagged
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{{client.ip}}}"
+ allow_duplicates: false
+ - remove:
+ field: json
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == 
null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/agent.yml b/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/agent.yml
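Review bot: The second `set` on `event.outcome` writes `failed`, which is not one of the ECS-allowed values (`success`, `failure`, `unknown`), so any detection rule or dashboard filtering on `event.outcome: failure` will never match a flagged Carbon Black audit entry; change it to `value: failure`. The `rename` of `json.description` to `event.reason` is also the only rename in the pipeline without `ignore_missing: true`, so an audit record that lacks `description` fails that processor, hands control to `on_failure`, and the remaining mappings (`client.ip`, `client.user.id`, `event.id`, `related.ip`) are skipped for that document; add `ignore_missing: true` there. Whether every record from the audit endpoint carries `description` is not visible from this hunk, so the second point is a robustness fix rather than a confirmed failure.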
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/base-fields.yml b/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/base-fields.yml new file mode 100755 index 0000000000..a14e71251a --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module. + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: carbon_black_cloud.audit diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/ecs.yml b/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/ecs.yml new file mode 100755 index 0000000000..b5cd2cc086 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/ecs.yml 
@@ -0,0 +1,55 @@ +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: organization.name + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/fields.yml b/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/fields.yml new file mode 100755 index 0000000000..24af5d42b9 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/audit/fields/fields.yml @@ -0,0 +1,9 @@ +- name: carbon_black_cloud.audit + type: group + fields: + - name: flagged + type: boolean + description: true if action is failed otherwise false. + - name: verbose + type: boolean + description: true if verbose audit log otherwise false. 
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/audit/manifest.yml b/packages/carbon_black_cloud/0.1.1/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..929093a4ef
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/audit/manifest.yml
@@ -0,0 +1,42 @@
+title: Audit
+type: logs
+streams:
+ - input: httpjson
+ title: Collect audit logs from Carbon Black Cloud
+ description: Collect audit logs from Carbon Black Cloud.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch audit logs from Carbon Black Cloud.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/0.1.1/data_stream/audit/sample_event.json
new file mode 100755
index 0000000000..4ecd8ed454
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/audit/sample_event.json
@@ -0,0 +1,63 @@ +{ + "@timestamp": "2022-02-10T16:04:30.263Z", + "agent": { + "ephemeral_id": "6472e86c-fc7c-478a-a6fd-12ed19fe05c9", + "hostname": "docker-fleet-agent", + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "carbon_black_cloud": { + "audit": { + "flagged": false, + "verbose": false + } + }, + "client": { + "ip": "10.10.10.10", + "user": { + "id": "abc@demo.com" + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-04-14T11:48:30.094Z", + "dataset": "carbon_black_cloud.audit", + "id": "2122f8ce8xxxxxxxxxxxxx", + "ingested": "2022-04-14T11:48:31Z", + "kind": "event", + "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", + "outcome": "success", + "reason": "Logged in successfully" + }, + "input": { + "type": "httpjson" + }, + "organization": { + "name": "cb-xxxx-xxxx.com" + }, + "related": { + "ip": [ + "10.10.10.10" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-audit" + ] +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs new file mode 100755 index 0000000000..e02c596614 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs 
@@ -0,0 +1,24 @@
+bucket_arn: {{bucket_arn}}
+number_of_workers: {{number_of_workers}}
+bucket_list_interval: {{interval}}
+access_key_id: {{access_key_id}}
+secret_access_key: {{secret_access_key}}
+bucket_list_prefix: {{bucket_list_prefix}}
+expand_event_list_from_field: Records
+{{#if proxy_url}}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..3a6c8fc6df
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,587 @@
+---
+description: Pipeline for parsing Carbon Black Cloud Endpoint Events.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - date:
+ field: json.create_time
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - ISO8601
+ - rename:
+ field: json.action
+ target_field: event.action
+ ignore_missing: true
+ - rename:
+ field: json.event_id
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ field: json.event_description
+ target_field: event.reason
+ ignore_missing: true
+ - rename:
+ field: json.filemod_name
+ target_field: file.path
+ ignore_missing: true
+ - rename:
+ field: json.modload_name
+ target_field: dll.path
+ ignore_missing: true
+ - set:
+ field: network.transport
+ value: udp
+ if: ctx?.json?.netconn_protocol == "PROTO_UDP"
+ - set:
+ field: network.transport
+ value: tcp
+ if: ctx?.json?.netconn_protocol == "PROTO_TCP"
+ - set:
+ field: network.direction
+ value: inbound
+ if: ctx?.json?.netconn_inbound == true
+ - set:
+ field: network.direction
+ value: outbound
+ if: ctx?.json?.netconn_inbound == false
+ - rename:
+ field: json.remote_port
+ target_field: source.port
+ ignore_missing: true
+ - rename:
+ field: json.remote_ip
+ target_field: source.ip
+ ignore_missing: true
+ - rename:
+ field: json.netconn_domain
+ target_field: source.address
+ ignore_missing: true
+ - rename:
+ field: json.local_port
+ target_field: client.port
+ ignore_missing: true
+ - rename:
+ field: json.local_ip
+ target_field: client.ip
+ ignore_missing: true
+ - convert:
+ field: json.device_id
+ target_field: host.id
+ type: string
+ ignore_missing: true
+ - set:
+ field: host.os.type
+ value: windows
+ if: ctx?.json?.device_os == "WINDOWS"
+ - set:
+ field: host.os.type
+ value: linux
+ if: ctx?.json?.device_os == "LINUX"
+ - set:
+ field: host.os.type
+ value: macos
+ if: ctx?.json?.device_os == "MAC"
+ - rename:
+ field: json.device_name
+ target_field: host.hostname
+ ignore_missing: true
+ - grok:
+ field: host.hostname
+ patterns:
+ - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$'
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: host.name
+ value: "{{{host.hostname}}}"
+ ignore_failure: true
+ - rename:
+ field: json.device_group
+ target_field: host.os.family
+ ignore_missing: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_internal_ip}}}"
+ if: ctx?.json?.device_internal_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_external_ip}}}"
+ if: ctx?.json?.device_external_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.device_group
+ target_field: host.os.family
+ ignore_missing: true
+ - rename:
+ field: json.process_cmdline
+ target_field: process.command_line
+ ignore_missing: true
+ - rename:
+ field: json.process_guid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.process_path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: json.process_pid
+ target_field: process.pid
+ ignore_missing: true
+ - rename:
+ field: json.parent_cmdline
+ target_field: process.parent.command_line
+ ignore_missing: true
+ - rename:
+ field: json.parent_guid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.parent_path
+ target_field: process.parent.executable
+ ignore_missing: true
+ - rename:
+ field: json.parent_pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - rename:
+ field: json.regmod_name
+ target_field: registry.path
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value:
+ - "{{{json.device_internal_ip}}}"
+ - "{{{json.device_external_ip}}}"
+ - "{{{json.netconn_proxy_ip}}}"
+ - "{{{source.ip}}}"
+ - "{{{client.ip}}}"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value:
+ - "{{{json.process_username}}}"
+ - "{{{json.childproc_username}}}"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value:
+ - "{{{host.hostname}}}"
+ - "{{{user.domain}}}"
+ allow_duplicates: false
+ - script:
+ description: Dynamically map MD5 and SHA256 hash
+ lang: painless
+ source: |
+ void mapHashField(def ctx, def hashes, def key) {
+ for (hash in hashes) {
+ if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;}
+ if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;}
+ }
+ }
+ if (ctx.json?.process_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.process_hash, "process_hash");
+ }
+ if (ctx.json?.parent_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.parent_hash, "parent_hash");
+ }
+ if (ctx.json?.filemod_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.filemod_hash, "filemod_hash");
+ }
+ if (ctx.json?.childproc_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.childproc_hash, "childproc_hash");
+ }
+ if (ctx.json?.crossproc_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.crossproc_hash, "crossproc_hash");
+ }
+ if (ctx.json?.scriptload_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.scriptload_hash, "scriptload_hash");
+ }
+ - rename:
+ field: json.process_hash_md5
+ target_field: process.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.process_hash_sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.parent_hash_md5
+ target_field: process.parent.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.parent_hash_sha256
+ target_field: process.parent.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.backend_timestamp
+ target_field: carbon_black_cloud.endpoint_event.backend.timestamp
+ ignore_missing: true
+ - rename:
+ field: json.device_timestamp
+ target_field: carbon_black_cloud.endpoint_event.device.timestamp
+ ignore_missing: true
+ - rename:
+ field: json.device_os
+ target_field: carbon_black_cloud.endpoint_event.device.os
+ ignore_missing: true
+ - rename:
+ field: json.childproc_name
+ target_field: carbon_black_cloud.endpoint_event.childproc.name
+ ignore_missing: true
+ - rename:
+ field: json.org_key
+ target_field: carbon_black_cloud.endpoint_event.organization_key
+ ignore_missing: true
+ - rename:
+ field: json.process_duration
+ target_field: carbon_black_cloud.endpoint_event.process.duration
+ ignore_missing: true
+ - foreach:
+ field: json.process_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.process_publisher
+ target_field: carbon_black_cloud.endpoint_event.process.publisher
+ ignore_missing: true
+ - rename:
+ field: json.process_reputation
+ target_field: carbon_black_cloud.endpoint_event.process.reputation
+ ignore_missing: true
+ - rename:
+ field: json.process_terminated
+ target_field: carbon_black_cloud.endpoint_event.process.terminated
+ ignore_missing: true
+ - rename:
+ field: json.process_username
+ target_field: carbon_black_cloud.endpoint_event.process.username
+ ignore_missing: true
+ - rename:
+ field: json.parent_reputation
+ target_field: carbon_black_cloud.endpoint_event.process.parent.reputation
+ ignore_missing: true
+ - rename:
+ field: json.target_cmdline
+ target_field: carbon_black_cloud.endpoint_event.target_cmdline
+ ignore_missing: true
+ - rename:
+ field: json.type
+ target_field: carbon_black_cloud.endpoint_event.type
+ ignore_missing: true
+
+# Mapping for endpoint.event.crossproc event type
+
+ - rename:
+ field: json.crossproc_action
+ target_field: carbon_black_cloud.endpoint_event.crossproc.action
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_api
+ target_field: carbon_black_cloud.endpoint_event.crossproc.api
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_guid
+ target_field: carbon_black_cloud.endpoint_event.crossproc.guid
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_name
+ target_field: carbon_black_cloud.endpoint_event.crossproc.name
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_target
+ target_field: carbon_black_cloud.endpoint_event.crossproc.target
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_reputation
+ target_field: carbon_black_cloud.endpoint_event.crossproc.reputation
+ ignore_missing: true
+ - foreach:
+ field: json.crossproc_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.crossproc_publisher
+ target_field: carbon_black_cloud.endpoint_event.crossproc.publisher
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_hash_md5
+ target_field: carbon_black_cloud.endpoint_event.crossproc.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_hash_sha256
+ target_field: carbon_black_cloud.endpoint_event.crossproc.hash.sha256
+ ignore_missing: true
+
+# Mapping for endpoint.event.filemod event type
+
+ - rename:
+ field: json.filemod_hash_md5
+ target_field: file.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.filemod_hash_sha256
+ target_field: file.hash.sha256
+ ignore_missing: true
+
+# Mapping for endpoint.event.fileless_scriptload event type
+
+ - rename:
+ field: json.fileless_scriptload_cmdline
+ target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline
+ ignore_missing: true
+ - rename:
+ field: json.fileless_scriptload_cmdline_length
+ target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length
+ ignore_missing: true
+ - rename:
+ field: json.fileless_scriptload_hash_md5
+ target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.fileless_scriptload_hash_sha256
+ target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256
+ ignore_missing: true
+
+# Mapping for endpoint.event.moduleload event type
+
+ - rename:
+ field: json.modload_md5
+ target_field: dll.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.modload_sha256
+ target_field: dll.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.modload_effective_reputation
+ target_field: carbon_black_cloud.endpoint_event.modload.effective_reputation
+ ignore_missing: true
+ - rename:
+ field: json.modload_count
+ target_field: carbon_black_cloud.endpoint_event.modload.count
+ ignore_missing: true
+ - foreach:
+ field: json.modload_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.modload_publisher
+ target_field: carbon_black_cloud.endpoint_event.modload.publisher
+ ignore_missing: true
+
+# Mapping for endpoint.event.netconn_proxy event type
+
+ - rename:
+ field: json.netconn_proxy_domain
+ target_field: carbon_black_cloud.endpoint_event.netconn.proxy.domain
+ ignore_missing: true
+ - rename:
+ field: json.netconn_proxy_port
+ target_field: carbon_black_cloud.endpoint_event.netconn.proxy.port
+ ignore_missing: true
+ - rename:
+ field: json.netconn_proxy_ip
+ target_field: carbon_black_cloud.endpoint_event.netconn.proxy.ip
+ ignore_missing: true
+
+# Mapping for endpoint.event.procstart event type
+
+ - rename:
+ field: json.childproc_guid
+ target_field: carbon_black_cloud.endpoint_event.childproc.guid
+ ignore_missing: true
+ - rename:
+ field: json.childproc_name
+ target_field: carbon_black_cloud.endpoint_event.childproc.name
+ ignore_missing: true
+ - rename:
+ field: json.childproc_pid
+ target_field: carbon_black_cloud.endpoint_event.childproc.pid
+ ignore_missing: true
+ - foreach:
+ field: json.childproc_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.childproc_publisher
+ target_field: carbon_black_cloud.endpoint_event.childproc.publisher
+ ignore_missing: true
+ - rename:
+ field: json.childproc_reputation
+ target_field: carbon_black_cloud.endpoint_event.childproc.reputation
+ ignore_missing: true
+ - rename:
+ field: json.childproc_username
+ target_field: carbon_black_cloud.endpoint_event.childproc.username
+ ignore_missing: true
+ - rename:
+ field: json.childproc_hash_md5
+ target_field: carbon_black_cloud.endpoint_event.childproc.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.childproc_hash_sha256
+ target_field: carbon_black_cloud.endpoint_event.childproc.hash.sha256
+ ignore_missing: true
+
+# Mapping for NGAV endpoint.event.scriptload event type
+
+ - rename:
+ field: json.scriptload_name
+ target_field: carbon_black_cloud.endpoint_event.scriptload.name
+ ignore_missing: true
+ - foreach:
+ field: json.scriptload_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.scriptload_publisher
+ target_field: carbon_black_cloud.endpoint_event.scriptload.publisher
+ ignore_missing: true
+ - rename:
+ field: json.scriptload_count
+ target_field: carbon_black_cloud.endpoint_event.scriptload.count
+ ignore_missing: true
+ - rename:
+ field: json.scriptload_hash_md5
+ target_field: carbon_black_cloud.endpoint_event.scriptload.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.scriptload_hash_sha256
+ target_field: carbon_black_cloud.endpoint_event.scriptload.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.scriptload_effective_reputation
+ target_field: carbon_black_cloud.endpoint_event.scriptload.effective_reputation
+ ignore_missing: true
+ - rename:
+ field: json.scriptload_reputation
+ target_field: carbon_black_cloud.endpoint_event.scriptload.reputation
+ ignore_missing: true
+ - rename:
+ field: json.device_internal_ip
+ target_field: carbon_black_cloud.endpoint_event.device.internal_ip
+ ignore_missing: true
+ - rename:
+ field: json.device_external_ip
+ target_field: carbon_black_cloud.endpoint_event.device.external_ip
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ - append:
+ field: related.hash
+ value:
+ - "{{{process.hash.md5}}}"
+ - "{{{process.hash.sha256}}}"
+ - "{{{process.parent.hash.md5}}}"
+ - "{{{process.parent.hash.sha256}}}"
+ - "{{{file.hash.md5}}}"
+ - "{{{file.hash.sha256}}}"
+ - "{{{dll.hash.md5}}}"
+ - "{{{dll.hash.sha256}}}"
+ - "{{{carbon_black_cloud.endpoint_event.childproc.hash.md5}}}"
+ - "{{{carbon_black_cloud.endpoint_event.childproc.hash.sha256}}}"
+ - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.md5}}}"
+ - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.sha256}}}"
+ - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5}}}"
+ - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256}}}"
+ - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.md5}}}"
+ - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.sha256}}}"
+ allow_duplicates: false
+ - script:
+ description: Adds all the remaining fields in fields under carbon_black_cloud.endpoint_event
+ lang: painless
+ if: ctx?.json != null
+ source: |
+ for (Map.Entry m : ctx.json.entrySet()) {
+ ctx.carbon_black_cloud.endpoint_event[m.getKey()] = m.getValue();
+ }
+ - remove:
+ field:
+ - json
+ - carbon_black_cloud.endpoint_event.create_time
+ - carbon_black_cloud.endpoint_event.device_id
+ - carbon_black_cloud.endpoint_event.process_hash
+ - carbon_black_cloud.endpoint_event.parent_hash
+ - carbon_black_cloud.endpoint_event.crossproc_hash
+ - carbon_black_cloud.endpoint_event.filemod_hash
+ - carbon_black_cloud.endpoint_event.childproc_hash
+ - carbon_black_cloud.endpoint_event.modload_hash
+ - carbon_black_cloud.endpoint_event.scriptload_hash
+ - carbon_black_cloud.endpoint_event.netconn_inbound
+ - carbon_black_cloud.endpoint_event.netconn_protocol
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - script:
+ description: Remove duplicate values
+ lang: painless
+ source: |
+ if (ctx?.related?.user != null) {
+ ctx.related.user = new HashSet(ctx.related.user)
+ }
+ if (ctx?.related?.hash != null) {
+ ctx.related.hash = new HashSet(ctx.related.hash)
+ }
+ if (ctx?.related?.ip != null) {
+ ctx.related.ip = new HashSet(ctx.related.ip)
+ }
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/agent.yml
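Review bot: The "Adds all the remaining fields" script near the end of the hunk writes into `ctx.carbon_black_cloud.endpoint_event` without checking that the map exists; every processor that could create it is a `rename` with `ignore_missing: true`, so a document whose JSON carries none of those keys (malformed input, or an upstream schema change) would make the script throw and route the whole event to `on_failure` with nothing but `error.message`. Guarding with `if (ctx.carbon_black_cloud == null) { ctx.carbon_black_cloud = new HashMap(); }` and `if (ctx.carbon_black_cloud.endpoint_event == null) { ctx.carbon_black_cloud.endpoint_event = new HashMap(); }` before the loop keeps the copy-through working for such events. Separately, the `json.device_group` → `host.os.family` rename and the `json.childproc_name` rename each appear twice in the hunk, the second copy being a no-op that should be dropped. If `device_group` is the sensor policy group, as its name suggests, `host.os.family` also looks like the wrong ECS destination for it; worth confirming against the source schema.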
@@ -0,0 +1,204 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/base-fields.yml b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/base-fields.yml
new file mode 100755
index 0000000000..9b3253d2db
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: carbon_black_cloud
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: carbon_black_cloud.endpoint_event
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/ecs.yml
new file mode 100755
index 0000000000..11a1880a0a
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/ecs.yml
@@ -0,0 +1,193 @@
+- description: IP address of the client (IPv4 or IPv6).
+ name: client.ip
+ type: ip
+- description: Port of the client.
+ name: client.port
+ type: long
+- description: MD5 hash.
+ name: dll.hash.md5
+ type: keyword
+- description: SHA256 hash.
+ name: dll.hash.sha256
+ type: keyword
+- description: Full file path of the library.
+ name: dll.path
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ Reason why this event happened, according to the source.
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+ name: event.reason
+ type: keyword
+- description: MD5 hash.
+ name: file.hash.md5
+ type: keyword
+- description: SHA256 hash.
+ name: file.hash.sha256
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: |-
+ Unique host id.
+ As hostname is not always unique, use values that are meaningful in your environment.
+ Example: The current usage of `beat.name`.
+ name: host.id
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: OS family (such as redhat, debian, freebsd, windows).
+ name: host.os.family
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: host.os.name
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.command_line
+ type: wildcard
+- description: |-
+ Unique identifier for the process.
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
+ Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+ name: process.entity_id
+ type: keyword
+- description: Absolute path to the process executable.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.executable
+ type: keyword
+- description: MD5 hash.
+ name: process.hash.md5
+ type: keyword
+- description: SHA256 hash.
+ name: process.hash.sha256
+ type: keyword
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.command_line
+ type: wildcard
+- description: |-
+ Unique identifier for the process.
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
+ Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+ name: process.parent.entity_id
+ type: keyword
+- description: Absolute path to the process executable.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.executable
+ type: keyword
+- description: MD5 hash.
+ name: process.parent.hash.md5
+ type: keyword
+- description: SHA256 hash.
+ name: process.parent.hash.sha256
+ type: keyword
+- description: Process id.
+ name: process.parent.pid
+ type: long
+- description: Process id.
+ name: process.pid
+ type: long
+- description: Full path, including hive, key and value
+ name: registry.path
+ type: keyword
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/fields.yml b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/fields.yml
new file mode 100755
index 0000000000..199988ffb6
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/fields/fields.yml
@@ -0,0 +1,239 @@
+- name: carbon_black_cloud.endpoint_event
+ type: group
+ fields:
+ - name: alert_id
+ type: keyword
+ description: The ID of the Alert this event is associated with.
+ - name: backend
+ type: group
+ fields:
+ - name: timestamp
+ type: keyword
+ description: Time when the backend received the batch of events.
+ - name: childproc
+ type: group
+ fields:
+ - name: guid
+ type: keyword
+ description: Unique ID of the child process.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: Cryptographic MD5 hashes of the executable file backing the child process.
+ - name: sha256
+ type: keyword
+ description: Cryptographic SHA256 hashes of the executable file backing the child process.
+ - name: name
+ type: keyword
+ description: Full path to the target of the crossproc event on the device's local file system.
+ - name: pid
+ type: long
+ description: OS-reported Process ID of the child process.
+ - name: publisher
+ type: group
+ description: Signature entry for the childproc as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Carbon Black Cloud Reputation string for the childproc.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that the child process was started under.
+ - name: crossproc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ description: The action taken on cross-process.
+ - name: api
+ type: keyword
+ description: Name of the operating system API called by the actor process.
+ - name: guid
+ type: keyword
+ description: Unique ID of the cross process.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: Cryptographic MD5 hashes of the target of the crossproc event.
+ - name: sha256
+ type: keyword
+ description: Cryptographic SHA256 hashes of the target of the crossproc event.
+ - name: name
+ type: keyword
+ description: Full path to the target of the crossproc event on the device's local file system.
+ - name: publisher
+ type: group
+ description: Signature entry for the crossproc as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Carbon Black Cloud Reputation string for the crossproc.
+ - name: target
+ type: boolean
+ description: True if the process was the target of the cross-process event; false if the process was the actor.
+ - name: device
+ type: group
+ fields:
+ - name: os
+ type: keyword
+ description: Os name.
+ - name: timestamp
+ type: keyword
+ description: Time seen on sensor.
+ - name: internal_ip
+ type: ip
+ description: Internal IP of the device.
+ - name: external_ip
+ type: ip
+ description: External IP of the device.
+ - name: event_origin
+ type: keyword
+ description: Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard.
+ - name: fileless_scriptload
+ type: group
+ fields:
+ - name: cmdline
+ type: keyword
+ description: Deobfuscated script content run in a fileless context by the process.
+ - name: cmdline_length
+ type: keyword
+ description: Character count of the deobfuscated script content run in a fileless context.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: MD5 hash of the deobfuscated script content run by the process in a fileless context.
+ - name: sha256
+ type: keyword
+ description: SHA-256 hash of the deobfuscated script content run by the process in a fileless context.
+ - name: modload
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Count of modload events reported by the sensor since last initialization.
+ - name: effective_reputation
+ type: keyword
+ description: Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred.
+ - name: publisher
+ type: group
+ description: Signature entry for the moduleload as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: netconn
+ type: group
+ fields:
+ - name: proxy
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address.
+ - name: ip
+ type: keyword
+ description: IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection.
+ - name: port
+ type: keyword
+ description: UDP/TCP port number associated with the "proxy" end of this network connection.
+ - name: organization_key
+ type: keyword
+ description: The organization key associated with the console instance.
+ - name: process
+ type: group
+ fields:
+ - name: duration
+ type: long
+ description: The time difference in seconds between the process start and process terminate event.
+ - name: parent
+ type: group
+ fields:
+ - name: reputation
+ type: keyword
+ description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: publisher
+ type: group
+ description: Signature entry for the process as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: terminated
+ type: boolean
+ description: True if process was terminated elase false.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that this process was started under.
+ - name: schema
+ type: long
+ description: The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way.
+ - name: scriptload
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Count of scriptload events across all processes reported by the sensor since last initialization.
+ - name: effective_reputation
+ type: keyword
+ description: Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: Cryptographic MD5 hashes of the target of the scriptload event.
+ - name: sha256
+ type: keyword
+ description: Cryptographic SHA256 hashes of the target of the scriptload event.
+ - name: name
+ type: keyword
+ description: Full path to the target of the crossproc event on the device's local file system.
+ - name: publisher
+ type: group
+ description: Signature entry for the scriptload as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Carbon Black Cloud Reputation string for the scriptload.
+ - name: sensor_action
+ type: keyword
+ description: The sensor action taken on event.
+ - name: target_cmdline
+ type: keyword
+ description: Process command line associated with the target process.
+ - name: type
+ type: keyword
+ description: The event type.
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/manifest.yml b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/manifest.yml
new file mode 100755
index 0000000000..0f52e82022
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/manifest.yml
@@ -0,0 +1,48 @@
+title: Endpoint Event
+type: logs
+streams:
+ - input: aws-s3
+ title: Collect endpoint events from Carbon Black Cloud
+ description: Collect endpoint events from Carbon Black Cloud.
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: bucket_list_prefix
+ type: text
+ title: Bucket Prefix
+ description: Prefix to apply for the list request to the S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch endpoint events from AWS S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-endpoint-event
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
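Review bot: `fileless_scriptload.cmdline_length`, `netconn.proxy.port` and `netconn.proxy.ip` are declared `type: keyword` although their own descriptions say character count, UDP/TCP port number and IPv4/IPv6 address, and the sibling `device.internal_ip`/`device.external_ip` in the same hunk already use `type: ip`; as keywords they cannot be range- or CIDR-queried, so `type: long` for the first two and `type: ip` for the proxy address would match the descriptions and the rest of the mapping. The descriptions of `childproc.name` and `scriptload.name` are copied from `crossproc.name` ("Full path to the target of the crossproc event ...") and should name their own event, and `process.terminated` reads `elase` for `else`. `backend.timestamp` and `device.timestamp` store date strings as `keyword`; if that is deliberate because of the vendor's non-standard timestamp format, a comment such as `# kept as keyword: vendor format is not an Elasticsearch date format` would stop the next reader from "fixing" it into a `date` mapping that fails to parse.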
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/sample_event.json b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/sample_event.json
new file mode 100755
index 0000000000..958377158a
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/endpoint_event/sample_event.json
@@ -0,0 +1,96 @@ +{ + "process": { + "parent": { + "pid": 1684, + "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", + "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", + "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", + "hash": { + "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", + "md5": "03dd698da2671383c9b4f868c9931879" + } + }, + "pid": 4880, + "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", + "command_line": "\"route.exe\" print", + "executable": "c:\\windows\\system32\\route.exe", + "hash": { + "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", + "md5": "2498272dc48446891182747428d02a30" + } + }, + "ecs": { + "version": "8.0.0" + }, + "carbon_black_cloud": { + "endpoint_event": { + "schema": 1, + "event_origin": "EDR", + "process": { + "duration": 2, + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": true, + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "XXXXXXXX", + "backend": { + "timestamp": "2022-02-10 11:52:50 +0000 UTC" + }, + "target_cmdline": "\"route.exe\" print", + "type": "endpoint.event.procend", + "device": { + "os": "WINDOWS", + "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", + "external_ip": "67.43.156.12" + }, + "sensor_action": "ACTION_ALLOW" + } + }, + "host": { + "hostname": "client-cb2", + "id": "4034605", + "os": { + "type": "windows" + }, + "ip": [ + "67.43.156.13" + ] + }, + "event": { + "action": "ACTION_PROCESS_TERMINATE", + "orignal": 
"{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" + }, + "data_stream": { + "dataset": "carbon_black_cloud.endpoint_event", + "namespace": "ep", + "type": "logs" + }, + "elastic_agent": { + "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", + "snapshot": true, + "version": "8.0.0" + }, + "input": { + "type": "aws-s3" + }, + "tags": [ + 
"preserve_original_event",
+ "forwarded",
+ "carbon_black_cloud-endpoint-event"
+ ]
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs
new file mode 100755
index 0000000000..e02c596614
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs
@@ -0,0 +1,24 @@
+bucket_arn: {{bucket_arn}}
+number_of_workers: {{number_of_workers}}
+bucket_list_interval: {{interval}}
+access_key_id: {{access_key_id}}
+secret_access_key: {{secret_access_key}}
+bucket_list_prefix: {{bucket_list_prefix}}
+expand_event_list_from_field: Records
+{{#if proxy_url}}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..1699bc69c1
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml
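Review bot: The sample event's `event` object carries the key `orignal`, while the pipeline in this commit populates `event.original` (the `rename` of `message` in the watchlist_hit pipeline in this diff, and presumably the same in the endpoint_event pipeline outside it), so the documented sample does not show the field name users will actually see; renaming the key to `"original"` fixes it. The parsed `carbon_black_cloud.endpoint_event.device.external_ip` is `67.43.156.12`, but the embedded raw event (`device_external_ip`) and `host.ip` both carry `67.43.156.13`, which suggests the file was hand-edited after generation; regenerating it from the pipeline output would keep the sample, the raw record and the mapping in agreement.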
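Review bot: `bucket_arn`, `number_of_workers`, `access_key_id` and `secret_access_key` are rendered unconditionally while `proxy_url` is wrapped in `{{#if}}`, so when one of these package-level variables is left empty (presumably the case for deployments that use instance-role credentials instead of static keys) the rendered config contains `secret_access_key:` with an empty value rather than omitting the setting; whether the input treats that as unset or as an empty credential is not visible here. Guarding each one the same way as `proxy_url`, e.g. `{{#if secret_access_key}}` / `secret_access_key: {{secret_access_key}}` / `{{/if}}`, keeps the rendered YAML free of bare null settings, and quoting the templated scalars protects values that happen to start with a YAML indicator. These variables are not declared in the endpoint_event data-stream manifest in this diff, so they are inferred to come from the package manifest outside it.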
@@ -0,0 +1,293 @@
+---
+description: Pipeline for parsing Carbon Black Cloud watchlist hit.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - set:
+ field: event.kind
+ value: event
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - date:
+ field: json.create_time
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - ISO8601
+ - rename:
+ field: json.severity
+ target_field: event.severity
+ ignore_missing: true
+ - convert:
+ field: json.device_id
+ target_field: host.id
+ type: string
+ ignore_missing: true
+ - set:
+ field: host.os.type
+ value: windows
+ if: ctx?.json?.device_os == "WINDOWS"
+ - set:
+ field: host.os.type
+ value: linux
+ if: ctx?.json?.device_os == "LINUX"
+ - set:
+ field: host.os.type
+ value: macos
+ if: ctx?.json?.device_os == "MAC"
+ - rename:
+ field: json.device_os_version
+ target_field: host.os.version
+ ignore_missing: true
+ - rename:
+ field: json.device_name
+ target_field: host.hostname
+ ignore_missing: true
+ - grok:
+ field: host.hostname
+ patterns:
+ - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$'
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: host.name
+ value: "{{{host.hostname}}}"
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_internal_ip}}}"
+ if: ctx?.json?.device_internal_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_external_ip}}}"
+ if: ctx?.json?.device_external_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.process_cmdline
+ target_field: process.command_line
+ ignore_missing: true
+ - rename:
+ field: json.process_guid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.process_path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: json.process_pid
+
target_field: process.pid
+ ignore_missing: true
+ - rename:
+ field: json.parent_cmdline
+ target_field: process.parent.command_line
+ ignore_missing: true
+ - rename:
+ field: json.parent_guid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.parent_path
+ target_field: process.parent.executable
+ ignore_missing: true
+ - rename:
+ field: json.parent_pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value:
+ - "{{{json.device_internal_ip}}}"
+ - "{{{json.device_external_ip}}}"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value:
+ - "{{{json.parent_username}}}"
+ - "{{{json.process_username}}}"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value:
+ - "{{{host.hostname}}}"
+ - "{{{user.domain}}}"
+ allow_duplicates: false
+ - script:
+ description: Dynamically map MD5 and SHA256 hash
+ lang: painless
+ source: |
+ void mapHashField(def ctx, def hashes, def key) {
+ for (hash in hashes) {
+ if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;}
+ if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;}
+ }
+ }
+ if (ctx.json?.process_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.process_hash, "process_hash");
+ }
+ if (ctx.json?.parent_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.parent_hash, "parent_hash");
+ }
+ - rename:
+ field: json.process_hash_md5
+ target_field: process.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.process_hash_sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.parent_hash_md5
+ target_field: process.parent.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.parent_hash_sha256
+ target_field: process.parent.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value:
+ - "{{{process.hash.md5}}}"
+ - "{{{process.hash.sha256}}}"
+ - "{{{process.parent.hash.md5}}}"
+ - "{{{process.parent.hash.sha256}}}"
+ allow_duplicates:
false
+ - rename:
+ field: json.device_os
+ target_field: carbon_black_cloud.watchlist_hit.device.os
+ ignore_missing: true
+ - rename:
+ field: json.device_internal_ip
+ target_field: carbon_black_cloud.watchlist_hit.device.internal_ip
+ ignore_missing: true
+ - rename:
+ field: json.device_external_ip
+ target_field: carbon_black_cloud.watchlist_hit.device.external_ip
+ ignore_missing: true
+ - rename:
+ field: json.ioc_hit
+ target_field: carbon_black_cloud.watchlist_hit.ioc.hit
+ ignore_missing: true
+ - rename:
+ field: json.ioc_id
+ target_field: carbon_black_cloud.watchlist_hit.ioc.id
+ ignore_missing: true
+ - rename:
+ field: json.org_key
+ target_field: carbon_black_cloud.watchlist_hit.organization_key
+ ignore_missing: true
+ - foreach:
+ field: json.parent_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.parent_publisher
+ target_field: carbon_black_cloud.watchlist_hit.process.parent.publisher
+ ignore_missing: true
+ - rename:
+ field: json.parent_reputation
+ target_field: carbon_black_cloud.watchlist_hit.process.parent.reputation
+ ignore_missing: true
+ - rename:
+ field: json.parent_username
+ target_field: carbon_black_cloud.watchlist_hit.process.parent.username
+ ignore_missing: true
+ - foreach:
+ field: json.process_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.process_publisher
+ target_field: carbon_black_cloud.watchlist_hit.process.publisher
+ ignore_missing: true
+ - rename:
+ field: json.process_reputation
+ target_field: carbon_black_cloud.watchlist_hit.process.reputation
+ ignore_missing: true
+ - rename:
+ field: json.process_username
+ target_field: carbon_black_cloud.watchlist_hit.process.username
+ ignore_missing: true
+ - rename:
+ field: json.report_id
+ target_field:
carbon_black_cloud.watchlist_hit.report.id
+ ignore_missing: true
+ - rename:
+ field: json.report_name
+ target_field: carbon_black_cloud.watchlist_hit.report.name
+ ignore_missing: true
+ - rename:
+ field: json.report_tags
+ target_field: carbon_black_cloud.watchlist_hit.report.tags
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ - script:
+ description: Adds all the remaining fields in fields under carbon_black_cloud.watchlist_hit
+ lang: painless
+ if: ctx?.json != null
+ source: |
+ for (Map.Entry m : ctx.json.entrySet()) {
+ ctx.carbon_black_cloud.watchlist_hit[m.getKey()] = m.getValue();
+ }
+ - remove:
+ field:
+ - json
+ - carbon_black_cloud.watchlist_hit.create_time
+ - carbon_black_cloud.watchlist_hit.device_id
+ - carbon_black_cloud.watchlist_hit.process_hash
+ - carbon_black_cloud.watchlist_hit.parent_hash
+ ignore_missing: true
+ - script:
+ description: Remove duplicate values
+ lang: painless
+ source: |
+ if (ctx?.related?.user != null) {
+ ctx.related.user = new HashSet(ctx.related.user)
+ }
+ if (ctx?.related?.hash != null) {
+ ctx.related.hash = new HashSet(ctx.related.hash)
+ }
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
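Review bot: The "Adds all the remaining fields" script assumes `ctx.carbon_black_cloud.watchlist_hit` already exists, but it is only created as a side effect of the earlier `rename` processors; a record whose `json` object contains none of the renamed keys reaches `ctx.carbon_black_cloud.watchlist_hit[m.getKey()]` with a null map, throws, and ends up in `on_failure` with nothing but `error.message` set. Initialising the target inside the script, `if (ctx.carbon_black_cloud == null) { ctx.carbon_black_cloud = [:]; }` followed by `if (ctx.carbon_black_cloud.watchlist_hit == null) { ctx.carbon_black_cloud.watchlist_hit = [:]; }`, removes that ordering dependency. The same loop copies every leftover vendor key verbatim, so fields that have no declaration in the data stream's fields files are presumably mapped dynamically; a `description:` stating that this is intended (e.g. `Copies undeclared vendor keys verbatim; new upstream fields will appear as dynamic mappings`) would help whoever later investigates unexpected mappings. In `mapHashField`, `hash.length()` also throws on a non-string list element; an `if (hash instanceof String)` guard before the length checks keeps one malformed hash entry from failing the whole document.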
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/agent.yml
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/base-fields.yml b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/base-fields.yml
new file mode 100755
index 0000000000..89df536282
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: carbon_black_cloud
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: carbon_black_cloud.watchlist_hit
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/ecs.yml b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/ecs.yml
new file mode 100755
index 0000000000..5257b0ad7a
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/ecs.yml
@@ -0,0 +1,127 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. + One of these following values should be used (lowercase): linux, macos, unix, windows. + If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + name: host.os.type + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
+ name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.parent.hash.sha256 + type: keyword +- description: Process id. + name: process.parent.pid + type: long +- description: Process id. + name: process.pid + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/fields.yml b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/fields.yml new file mode 100755 index 0000000000..25cb25005e --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/fields/fields.yml 
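Review bot: `user.domain` is declared (the last entry of this hunk) but `user.name` is not, although `related.user` is; if the ingest pipeline splits the `NT AUTHORITY\SYSTEM` style `process_username` into domain and name, then `user.name` needs a mapping here, and if it does not, `user.domain` and `related.user` are dead declarations. The sample event in this change populates none of the three, so the diff alone does not say which case applies; in the first case the entry to add is `- description: Short name or login of the user.` / `name: user.name` / `type: keyword`. Separately, the sample sets `event.kind` to `event`; a watchlist hit is a detection emitted by the EDR, for which ECS reserves `alert`, so that mapping choice in the pipeline (outside this hunk) is worth revisiting.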
@@ -0,0 +1,89 @@
+- name: carbon_black_cloud.watchlist_hit
+ type: group
+ fields:
+ - name: device
+ type: group
+ fields:
+ - name: os
+ type: keyword
+ description: OS Type of device (Windows/OSX/Linux).
+ - name: internal_ip
+ type: ip
+ description: Internal IP of the device.
+ - name: external_ip
+ type: ip
+ description: External IP of the device.
+ - name: ioc
+ type: group
+ fields:
+ - name: field
+ type: keyword
+ description: Field the IOC hit contains.
+ - name: hit
+ type: keyword
+ description: IOC field value, or IOC query that matches.
+ - name: id
+ type: keyword
+ description: ID of the IOC that caused the hit.
+ - name: organization_key
+ type: keyword
+ description: The organization key associated with the console instance.
+ - name: process
+ type: group
+ fields:
+ - name: parent
+ type: group
+ fields:
+ - name: publisher
+ type: group
+ description: signature entry for the process as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that this process was started under.
+ - name: publisher
+ type: group
+ description: signature entry for the process as reported by the endpoint.
+ - name: reputation
+ type: keyword
+ description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that this process was started under.
+ - name: report
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: ID of the watchlist report(s) that detected a hit on the process.
+ - name: name
+ type: keyword
+ description: Name of the watchlist report(s) that detected a hit on the process.
+ - name: tags
+ type: keyword
+ description: List of tags associated with the report(s) that detected a hit on the process.
+ - name: schema
+ type: long
+ description: Schema version.
+ - name: type
+ type: keyword
+ description: The watchlist hit type.
+ - name: watchlists
+ type: group
+ description: List of watchlists that contain the report of the ioc hit.
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the watchlists.
+ - name: name
+ type: keyword
+ description: The name of the watchlists.
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/manifest.yml b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/manifest.yml
new file mode 100755
index 0000000000..7782458210
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/manifest.yml
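Review bot: The top-level `process.publisher` group (the second `- name: publisher`, directly under `process`) declares `type: group` and a description but no `fields:`, so `carbon_black_cloud.watchlist_hit.process.publisher.name` and `.state` get no mapping, while the sibling `process.parent.publisher` maps both. The sample event added in this change carries exactly those two keys under `process.publisher`, so they would land unmapped — presumably dropped or dynamically typed depending on the data stream's dynamic setting, which a pipeline test with field validation should confirm. Mirroring the parent definition fixes it. Minor: the `device.os` description `(Windows/OSX/Linux)` does not match the upper-case `WINDOWS` value in the sample; `OS type of the device as reported by Carbon Black Cloud (e.g. WINDOWS).` would describe the actual values.
```yaml
# … unchanged: carbon_black_cloud.watchlist_hit.process.parent group …
      - name: publisher
        type: group
        description: signature entry for the process as reported by the endpoint.
        fields:
          - name: name
            type: keyword
            description: The name of the publisher.
          - name: state
            type: keyword
            description: The state of the publisher.
# … unchanged: reputation, username, report, schema, type, watchlists …
```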
@@ -0,0 +1,48 @@
+title: Watchlist Hit
+type: logs
+streams:
+ - input: aws-s3
+ title: Collect watchlist hit from Carbon Black Cloud
+ description: Collect watchlist hit from Carbon Black Cloud.
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: bucket_list_prefix
+ type: text
+ title: Bucket Prefix
+ description: Prefix to apply for the list request to the S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch watchlist hit from AWS S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-watchlist-hit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/sample_event.json b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/sample_event.json
new file mode 100755
index 0000000000..0a5e6c32fb
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/data_stream/watchlist_hit/sample_event.json
@@ -0,0 +1,130 @@ +{ + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-watchlist-hit" + ], + "input": { + "type": "aws-s3" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "carbon_black_cloud.watchlist_hit" + }, + "agent": { + "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "process": { + "parent": { + "pid": 4076, + "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", + "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", + "executable": "c:\\windows\\syswow64\\cmd.exe", + "hash": { + "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", + "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" + } + }, + "pid": 7516, + "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", + "command_line": "sc query aella_conf ", + "executable": "c:\\windows\\syswow64\\sc.exe", + "hash": { + "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", + "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" + } + }, + "carbon_black_cloud": { + "watchlist_hit": { + "schema": 1, + "process": { + "parent": { + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "xxxxxxxx", + "report": { + "name": "Discovery - System Service Discovery Detected", + 
"id": "CFnKBKLTv6hUkBGFobRdg-565571", + "tags": [ + "attack", + "attackframework", + "threathunting", + "hunting", + "t1007", + "recon", + "discovery", + "windows" + ] + }, + "watchlists": [ + { + "name": "ATT\u0026CK Framework", + "id": "P5f9AW29TGmTOvBW156Cig" + } + ], + "type": "watchlist.hit", + "ioc": { + "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", + "id": "565571-0" + }, + "device": { + "internal_ip": "10.10.156.12", + "external_ip": "67.43.156.12", + "os": "WINDOWS" + } + } + }, + "host": { + "hostname": "Carbonblack-win1", + "os": { + "type": "windows" + }, + "ip": [ + "10.10.156.12", + "67.43.156.12" + ], + "id": "4467271" + }, + "event": { + "kind": "event", + "severity": 3, + "agent_id_status": "verified", + "ingested": "2022-02-17T07:23:31Z", + "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf 
\",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", + "dataset": "carbon_black_cloud.watchlist_hit" + } +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/docs/README.md b/packages/carbon_black_cloud/0.1.1/docs/README.md new file mode 100755 index 0000000000..91ec079104 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/docs/README.md 
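Review bot: The sample is only partly sanitized: `event.original` still carries `device_external_ip` `205.234.30.196`, `device_internal_ip` `10.33.4.214` and `org_key` `7DESJ9GN`, while the parsed fields show `67.43.156.12`, `10.10.156.12` and `organization_key` `xxxxxxxx`. The raw copy therefore exposes exactly the values the parsed fields were scrubbed of (the org key also survives as the prefix of every `entity_id`), and the document is internally inconsistent, since no pipeline could derive those parsed values from that original. Regenerate the sample from a raw event that already uses placeholder IPs and a placeholder org key so that `event.original` and the extracted fields agree; masking `organization_key` in the output alone is not a redaction.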
@@ -0,0 +1,1042 @@ +# Carbon Black Cloud + +The Carbon Black Cloud integration collects and parses data from the Carbon Black Cloud REST APIs and AWS S3 bucket. + +## Compatibility + +This module has been tested against `Alerts API(v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`. + +## Requirements + +### In order to ingest data from the AWS S3 bucket you must: +1. Configure the [Data Forwarder](https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-F68F63DD-2271-4088-82C9-71D675CD0535.html) to ingest data into an AWS S3 bucket. +2. Create an [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). + + +### In order to ingest data from the APIs you must generate API keys and API Secret Keys: +1. In Carbon Black Cloud, On the left navigation pane, click **Settings > API Access**. +2. Click Add API Key. +3. Give the API key a unique name and description. + - Select the appropriate access level type. Please check required Access Levels & Permissions for integration in below table. + **Note:** To use a custom access level, select Custom from the Access Level type drop-down menu and specify the Custom Access Level. + - Optional: Add authorized IP addresses. + - You can restrict the use of an API key to a specific set of IP addresses for security reasons. + **Note:** Authorized IP addresses are not available with Custom keys. +4. To apply the changes, click Save. + +#### Access Levels & Permissions +- The following tables indicate which type of API Key access level is required. If the type is Custom then the permission that is required will also be included. 
+ +| Data stream | Access Level and Permissions | +| --------------------------- | ------------------------------------------ | +| Audit | API | +| Alert | Custom orgs.alerts (Read) | +| Asset Vulnerability Summary | Custom vulnerabilityAssessment.data (Read) | + + +## Note + +- The alert data stream has a 15-minute delay to ensure that no occurrences are missed. + +## Logs + +### Audit + +This is the `audit` dataset. + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2022-02-10T16:04:30.263Z", + "agent": { + "ephemeral_id": "6472e86c-fc7c-478a-a6fd-12ed19fe05c9", + "hostname": "docker-fleet-agent", + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "carbon_black_cloud": { + "audit": { + "flagged": false, + "verbose": false + } + }, + "client": { + "ip": "10.10.10.10", + "user": { + "id": "abc@demo.com" + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-04-14T11:48:30.094Z", + "dataset": "carbon_black_cloud.audit", + "id": "2122f8ce8xxxxxxxxxxxxx", + "ingested": "2022-04-14T11:48:31Z", + "kind": "event", + "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", + "outcome": "success", + "reason": "Logged in successfully" + }, + "input": { + "type": "httpjson" + }, + "organization": { + "name": "cb-xxxx-xxxx.com" + }, + "related": { + "ip": [ + "10.10.10.10" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-audit" + ] +} +``` + 
+**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.audit.flagged | true if action is failed otherwise false. | boolean | +| carbon_black_cloud.audit.verbose | true if verbose audit log otherwise false. | boolean | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). 
| keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| organization.name | Organization name. | keyword | +| organization.name.text | Multi-field of `organization.name`. 
| match_only_text | +| related.ip | All of the IPs seen on your event. | ip | +| tags | List of keywords used to tag each event. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | + + +### Alert + +This is the `alert` dataset. + +An example event for `alert` looks as following: + +```json +{ + "@timestamp": "2020-11-17T22:05:13.000Z", + "agent": { + "ephemeral_id": "56053d91-103c-4c77-8f15-0a1006a80102", + "hostname": "docker-fleet-agent", + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "carbon_black_cloud": { + "alert": { + "category": "warning", + "device": { + "external_ip": "81.2.69.143", + "internal_ip": "81.2.69.144", + "location": "UNKNOWN", + "os": "WINDOWS" + }, + "last_update_time": "2020-11-17T22:05:13Z", + "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", + "organization_key": "ABCD6X3T", + "policy": { + "applied": "APPLIED", + "id": 6997287, + "name": "Standard" + }, + "product_id": "0x5406", + "product_name": "U3 Cruzer Micro", + "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", + "run_state": "DID_NOT_RUN", + "sensor_action": "DENY", + "serial_number": "0875920EF7C2A304", + "target_value": "MEDIUM", + "threat_cause": { + "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", + "threat_category": "NON_MALWARE", + "vector": "REMOVABLE_MEDIA" + }, + "threat_id": "t5678", + "type": "DEVICE_CONTROL", + "vendor_id": "0x0781", + "vendor_name": "SanDisk", + "workflow": { + "changed_by": "Carbon Black", + "last_update_time": "2020-11-17T22:02:16Z", + "state": "OPEN" + } + } + }, + "data_stream": 
{ + "dataset": "carbon_black_cloud.alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-04-14T11:46:13.154Z", + "dataset": "carbon_black_cloud.alert", + "end": "2020-11-17T22:02:16Z", + "id": "test1", + "ingested": "2022-04-14T11:46:14Z", + "kind": "alert", + "original": "{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", + "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.", + "severity": 3, + "start": "2020-11-17T22:02:16Z", + "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" + }, + "host": { + "hostname": "DESKTOP-002", + "id": "2", + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "name": "DESKTOP-002", + "os": { + "type": "windows", + "version": "Windows 10 x64" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-002" + ], + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "user": [ + "test34@demo.com" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-alert" + ], + "user": { + "name": "test34@demo.com" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.alert.blocked_threat_category | The category of threat which we were able to take action on. | keyword | +| carbon_black_cloud.alert.category | The category of the alert. | keyword | +| carbon_black_cloud.alert.count | | long | +| carbon_black_cloud.alert.created_by_event_id | Event identifier that initiated the alert. 
| keyword | +| carbon_black_cloud.alert.device.external_ip | External IP of the device. | ip | +| carbon_black_cloud.alert.device.internal_ip | Internal IP of the device. | ip | +| carbon_black_cloud.alert.device.location | The Location of device. | keyword | +| carbon_black_cloud.alert.device.os | OS of the device. | keyword | +| carbon_black_cloud.alert.document_guid | Unique ID of document. | keyword | +| carbon_black_cloud.alert.ioc.field | The field the indicator of comprise (IOC) hit contains. | keyword | +| carbon_black_cloud.alert.ioc.hit | IOC field value or IOC query that matches. | keyword | +| carbon_black_cloud.alert.ioc.id | The identifier of the IOC that cause the hit. | keyword | +| carbon_black_cloud.alert.kill_chain_status | The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. | keyword | +| carbon_black_cloud.alert.last_update_time | The last time the alert was updated as an ISO 8601 UTC timestamp. | date | +| carbon_black_cloud.alert.legacy_alert_id | The legacy identifier for the alert. | keyword | +| carbon_black_cloud.alert.not_blocked_threat_category | Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). | keyword | +| carbon_black_cloud.alert.notes_present | Indicates if notes are associated with the threat_id. | boolean | +| carbon_black_cloud.alert.organization_key | The unique identifier for the organization associated with the alert. | keyword | +| carbon_black_cloud.alert.policy.applied | Whether a policy was applied. | keyword | +| carbon_black_cloud.alert.policy.id | The identifier for the policy associated with the device at the time of the alert. | long | +| carbon_black_cloud.alert.policy.name | The name of the policy associated with the device at the time of the alert. | keyword | +| carbon_black_cloud.alert.product_id | The hexadecimal id of the USB device's product. 
| keyword | +| carbon_black_cloud.alert.product_name | The name of the USB device’s vendor. | keyword | +| carbon_black_cloud.alert.reason_code | Shorthand enum for the full-text reason. | keyword | +| carbon_black_cloud.alert.report.id | The identifier of the report that contains the IOC. | keyword | +| carbon_black_cloud.alert.report.name | The name of the report that contains the IOC. | keyword | +| carbon_black_cloud.alert.run_state | Whether the threat in the alert ran. | keyword | +| carbon_black_cloud.alert.sensor_action | The action taken by the sensor, according to the rule of the policy. | keyword | +| carbon_black_cloud.alert.serial_number | The serial number of the USB device. | keyword | +| carbon_black_cloud.alert.status | status of alert. | keyword | +| carbon_black_cloud.alert.tags | Tags associated with the alert. | keyword | +| carbon_black_cloud.alert.target_value | The priority of the device assigned by the policy. | keyword | +| carbon_black_cloud.alert.threat_activity.c2 | Whether the alert involved a command and control (c2) server. | keyword | +| carbon_black_cloud.alert.threat_activity.dlp | Whether the alert involved data loss prevention (DLP). | keyword | +| carbon_black_cloud.alert.threat_activity.phish | Whether the alert involved phishing. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.md5 | MD5 of the threat cause actor. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.name | The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.process_pid | Process identifier (PID) of the actor process. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.sha256 | SHA256 of the threat cause actor. | keyword | +| carbon_black_cloud.alert.threat_cause.cause_event_id | ID of the Event that triggered the threat. 
| keyword | +| carbon_black_cloud.alert.threat_cause.process.guid | The global unique identifier of the process. | keyword | +| carbon_black_cloud.alert.threat_cause.process.parent.guid | The global unique identifier of the process. | keyword | +| carbon_black_cloud.alert.threat_cause.reputation | Reputation of the threat cause. | keyword | +| carbon_black_cloud.alert.threat_cause.threat_category | Category of the threat cause. | keyword | +| carbon_black_cloud.alert.threat_cause.vector | The source of the threat cause. | keyword | +| carbon_black_cloud.alert.threat_id | The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. | keyword | +| carbon_black_cloud.alert.threat_indicators.process_name | Process name associated with threat. | keyword | +| carbon_black_cloud.alert.threat_indicators.sha256 | Sha256 associated with threat. | keyword | +| carbon_black_cloud.alert.threat_indicators.ttps | Tactics, techniques and procedures associated with threat. | keyword | +| carbon_black_cloud.alert.type | Type of alert. | keyword | +| carbon_black_cloud.alert.vendor_id | The hexadecimal id of the USB device's vendor. | keyword | +| carbon_black_cloud.alert.vendor_name | The name of the USB device’s vendor. | keyword | +| carbon_black_cloud.alert.watchlists.id | The identifier of watchlist. | keyword | +| carbon_black_cloud.alert.watchlists.name | The name of the watchlist. | keyword | +| carbon_black_cloud.alert.workflow.changed_by | The name of user who changed the workflow. | keyword | +| carbon_black_cloud.alert.workflow.comment | Comment associated with workflow. | keyword | +| carbon_black_cloud.alert.workflow.last_update_time | The last update time of workflow. | date | +| carbon_black_cloud.alert.workflow.remediation | N/A | keyword | +| carbon_black_cloud.alert.workflow.state | The state of workflow. 
| keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
| long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. 
| ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + +### Endpoint Event + +This is the `endpoint_event` dataset. + +An example event for `endpoint_event` looks as following: + +```json +{ + "process": { + "parent": { + "pid": 1684, + "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", + "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", + "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", + "hash": { + "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", + "md5": "03dd698da2671383c9b4f868c9931879" + } + }, + "pid": 4880, + "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", + "command_line": "\"route.exe\" print", + "executable": "c:\\windows\\system32\\route.exe", + "hash": { + "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", + "md5": "2498272dc48446891182747428d02a30" + } + }, + "ecs": { + "version": "8.0.0" + }, + "carbon_black_cloud": { + "endpoint_event": { + "schema": 1, + "event_origin": "EDR", + "process": { + "duration": 2, + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": true, + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "XXXXXXXX", + "backend": { + 
"timestamp": "2022-02-10 11:52:50 +0000 UTC" + }, + "target_cmdline": "\"route.exe\" print", + "type": "endpoint.event.procend", + "device": { + "os": "WINDOWS", + "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", + "external_ip": "67.43.156.12" + }, + "sensor_action": "ACTION_ALLOW" + } + }, + "host": { + "hostname": "client-cb2", + "id": "4034605", + "os": { + "type": "windows" + }, + "ip": [ + "67.43.156.13" + ] + }, + "event": { + "action": "ACTION_PROCESS_TERMINATE", + "orignal": "{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" 
print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" + }, + "data_stream": { + "dataset": "carbon_black_cloud.endpoint_event", + "namespace": "ep", + "type": "logs" + }, + "elastic_agent": { + "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", + "snapshot": true, + "version": "8.0.0" + }, + "input": { + "type": "aws-s3" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-endpoint-event" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.endpoint_event.alert_id | The ID of the Alert this event is associated with. | keyword | +| carbon_black_cloud.endpoint_event.backend.timestamp | Time when the backend received the batch of events. | keyword | +| carbon_black_cloud.endpoint_event.childproc.guid | Unique ID of the child process. | keyword | +| carbon_black_cloud.endpoint_event.childproc.hash.md5 | Cryptographic MD5 hashes of the executable file backing the child process. | keyword | +| carbon_black_cloud.endpoint_event.childproc.hash.sha256 | Cryptographic SHA256 hashes of the executable file backing the child process. | keyword | +| carbon_black_cloud.endpoint_event.childproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword | +| carbon_black_cloud.endpoint_event.childproc.pid | OS-reported Process ID of the child process. | long | +| carbon_black_cloud.endpoint_event.childproc.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.childproc.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.childproc.reputation | Carbon Black Cloud Reputation string for the childproc. 
| keyword | +| carbon_black_cloud.endpoint_event.childproc.username | The username associated with the user context that the child process was started under. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.action | The action taken on cross-process. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.api | Name of the operating system API called by the actor process. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.guid | Unique ID of the cross process. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.hash.md5 | Cryptographic MD5 hashes of the target of the crossproc event. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.hash.sha256 | Cryptographic SHA256 hashes of the target of the crossproc event. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.reputation | Carbon Black Cloud Reputation string for the crossproc. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.target | True if the process was the target of the cross-process event; false if the process was the actor. | boolean | +| carbon_black_cloud.endpoint_event.device.external_ip | External IP of the device. | ip | +| carbon_black_cloud.endpoint_event.device.internal_ip | Internal IP of the device. | ip | +| carbon_black_cloud.endpoint_event.device.os | Os name. | keyword | +| carbon_black_cloud.endpoint_event.device.timestamp | Time seen on sensor. | keyword | +| carbon_black_cloud.endpoint_event.event_origin | Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. 
| keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline | Deobfuscated script content run in a fileless context by the process. | keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length | Character count of the deobfuscated script content run in a fileless context. | keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 | MD5 hash of the deobfuscated script content run by the process in a fileless context. | keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 | SHA-256 hash of the deobfuscated script content run by the process in a fileless context. | keyword | +| carbon_black_cloud.endpoint_event.modload.count | Count of modload events reported by the sensor since last initialization. | long | +| carbon_black_cloud.endpoint_event.modload.effective_reputation | Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. | keyword | +| carbon_black_cloud.endpoint_event.modload.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.modload.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.netconn.proxy.domain | DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. | keyword | +| carbon_black_cloud.endpoint_event.netconn.proxy.ip | IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. | keyword | +| carbon_black_cloud.endpoint_event.netconn.proxy.port | UDP/TCP port number associated with the "proxy" end of this network connection. | keyword | +| carbon_black_cloud.endpoint_event.organization_key | The organization key associated with the console instance. 
| keyword | +| carbon_black_cloud.endpoint_event.process.duration | The time difference in seconds between the process start and process terminate event. | long | +| carbon_black_cloud.endpoint_event.process.parent.reputation | Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | +| carbon_black_cloud.endpoint_event.process.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.process.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | +| carbon_black_cloud.endpoint_event.process.terminated | True if process was terminated elase false. | boolean | +| carbon_black_cloud.endpoint_event.process.username | The username associated with the user context that this process was started under. | keyword | +| carbon_black_cloud.endpoint_event.schema | The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. | long | +| carbon_black_cloud.endpoint_event.scriptload.count | Count of scriptload events across all processes reported by the sensor since last initialization. | long | +| carbon_black_cloud.endpoint_event.scriptload.effective_reputation | Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.hash.md5 | Cryptographic MD5 hashes of the target of the scriptload event. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.hash.sha256 | Cryptographic SHA256 hashes of the target of the scriptload event. 
| keyword | +| carbon_black_cloud.endpoint_event.scriptload.name | Full path to the target of the crossproc event on the device's local file system. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.reputation | Carbon Black Cloud Reputation string for the scriptload. | keyword | +| carbon_black_cloud.endpoint_event.sensor_action | The sensor action taken on event. | keyword | +| carbon_black_cloud.endpoint_event.target_cmdline | Process command line associated with the target process. | keyword | +| carbon_black_cloud.endpoint_event.type | The event type. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. 
| keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| dll.hash.md5 | MD5 hash. | keyword | +| dll.hash.sha256 | SHA256 hash. | keyword | +| dll.path | Full file path of the library. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| file.hash.md5 | MD5 hash. 
| keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. 
| keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| registry.path | Full path, including hive, key and value | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. 
| keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | + + +### Watchlist Hit + +This is the `watchlist_hit` dataset. + +An example event for `watchlist_hit` looks as following: + +```json +{ + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-watchlist-hit" + ], + "input": { + "type": "aws-s3" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "carbon_black_cloud.watchlist_hit" + }, + "agent": { + "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "process": { + "parent": { + "pid": 4076, + "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", + "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", + "executable": "c:\\windows\\syswow64\\cmd.exe", + "hash": { + "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", + "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" + } + }, + "pid": 7516, + "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", + "command_line": "sc query aella_conf ", + "executable": "c:\\windows\\syswow64\\sc.exe", + "hash": { + "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", + "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" + } + }, + "carbon_black_cloud": { + "watchlist_hit": { + "schema": 1, + "process": { + "parent": { + "publisher": [ + { + 
"name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "xxxxxxxx", + "report": { + "name": "Discovery - System Service Discovery Detected", + "id": "CFnKBKLTv6hUkBGFobRdg-565571", + "tags": [ + "attack", + "attackframework", + "threathunting", + "hunting", + "t1007", + "recon", + "discovery", + "windows" + ] + }, + "watchlists": [ + { + "name": "ATT\u0026CK Framework", + "id": "P5f9AW29TGmTOvBW156Cig" + } + ], + "type": "watchlist.hit", + "ioc": { + "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", + "id": "565571-0" + }, + "device": { + "internal_ip": "10.10.156.12", + "external_ip": "67.43.156.12", + "os": "WINDOWS" + } + } + }, + "host": { + "hostname": "Carbonblack-win1", + "os": { + "type": "windows" + }, + "ip": [ + "10.10.156.12", + "67.43.156.12" + ], + "id": "4467271" + }, + "event": { + "kind": "event", + "severity": 3, + "agent_id_status": "verified", + "ingested": "2022-02-17T07:23:31Z", + "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe 
/c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf \",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", + "dataset": "carbon_black_cloud.watchlist_hit" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.watchlist_hit.device.external_ip | External IP of the device. | ip | +| carbon_black_cloud.watchlist_hit.device.internal_ip | Internal IP of the device. 
| ip |
+| carbon_black_cloud.watchlist_hit.device.os | OS Type of device (Windows/OSX/Linux). | keyword |
+| carbon_black_cloud.watchlist_hit.ioc.field | Field the IOC hit contains. | keyword |
+| carbon_black_cloud.watchlist_hit.ioc.hit | IOC field value, or IOC query that matches. | keyword |
+| carbon_black_cloud.watchlist_hit.ioc.id | ID of the IOC that caused the hit. | keyword |
+| carbon_black_cloud.watchlist_hit.organization_key | The organization key associated with the console instance. | keyword |
+| carbon_black_cloud.watchlist_hit.process.parent.publisher.name | The name of the publisher. | keyword |
+| carbon_black_cloud.watchlist_hit.process.parent.publisher.state | The state of the publisher. | keyword |
+| carbon_black_cloud.watchlist_hit.process.parent.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
+| carbon_black_cloud.watchlist_hit.process.parent.username | The username associated with the user context that this process was started under. | keyword |
+| carbon_black_cloud.watchlist_hit.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
+| carbon_black_cloud.watchlist_hit.process.username | The username associated with the user context that this process was started under. | keyword |
+| carbon_black_cloud.watchlist_hit.report.id | ID of the watchlist report(s) that detected a hit on the process. | keyword |
+| carbon_black_cloud.watchlist_hit.report.name | Name of the watchlist report(s) that detected a hit on the process. | keyword |
+| carbon_black_cloud.watchlist_hit.report.tags | List of tags associated with the report(s) that detected a hit on the process. | keyword |
+| carbon_black_cloud.watchlist_hit.schema | Schema version. | long |
+| carbon_black_cloud.watchlist_hit.type | The watchlist hit type. | keyword |
+| carbon_black_cloud.watchlist_hit.watchlists.id | The ID of the watchlists. | keyword |
+| carbon_black_cloud.watchlist_hit.watchlists.name | The name of the watchlists. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.dataset | Event dataset. | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module. | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.hash.md5 | MD5 hash. | keyword |
+| process.parent.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.pid | Process id. | long |
+| process.pid | Process id. 
| long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | + + +### Asset Vulnerability Summary + +This is the `asset_vulnerability_summary` dataset. + +An example event for `asset_vulnerability_summary` looks as following: + +```json +{ + "@timestamp": "2022-04-14T11:47:25.371Z", + "agent": { + "ephemeral_id": "377d9292-c7d0-4c30-bbee-faf4848d30d8", + "hostname": "docker-fleet-agent", + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "carbon_black_cloud": { + "asset_vulnerability_summary": { + "last_sync": { + "timestamp": "2022-01-17T08:33:37.384Z" + }, + "os_info": { + "os_arch": "64-bit" + }, + "sync": { + "status": "COMPLETED", + "type": "SCHEDULED" + }, + "type": "ENDPOINT", + "vuln_count": 1770 + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-04-14T11:47:25.371Z", + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "ingested": "2022-04-14T11:47:26Z", + "original": 
"{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" + }, + "host": { + "hostname": "DESKTOP-008", + "id": "8", + "name": "DESKTOP-008KK", + "os": { + "name": "Microsoft Windows 10 Education", + "type": "windows", + "version": "10.0.17763" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-008" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-asset-vulnerability-summary" + ], + "vulnerability": { + "score": { + "base": 10 + }, + "severity": "CRITICAL" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp | The identifier is for the Last sync time. | date | +| carbon_black_cloud.asset_vulnerability_summary.os_info.os_arch | The identifier is for the Operating system architecture. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.sync.status | The identifier is for the Device sync status. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.sync.type | The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.type | The identifier is for the Device type. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.vm.id | The identifier is for the Virtual Machine ID. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.vm.name | The identifier is for the Virtual Machine name. 
| keyword |
+| carbon_black_cloud.asset_vulnerability_summary.vuln_count | The identifier is for the Number of vulnerabilities at this level. | integer |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | diff --git a/packages/carbon_black_cloud/0.1.1/img/carbon_black_cloud-logo.svg b/packages/carbon_black_cloud/0.1.1/img/carbon_black_cloud-logo.svg new file mode 100755 index 0000000000..180cc3d212 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/img/carbon_black_cloud-logo.svg @@ -0,0 +1,91 @@ + + + + +Created by potrace 1.16, written by Peter Selinger 2001-2019 + + + + + + + + + + + + + + + + + + + + + 
diff --git a/packages/carbon_black_cloud/0.1.1/img/carbon_black_cloud-screenshot.png b/packages/carbon_black_cloud/0.1.1/img/carbon_black_cloud-screenshot.png
new file mode 100755
index 0000000000..6fda3c108d
Binary files /dev/null and b/packages/carbon_black_cloud/0.1.1/img/carbon_black_cloud-screenshot.png differ
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json
new file mode 100755
index 0000000000..129cd1c62a
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json
@@ -0,0 +1,42 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":831}]}}},\"gridData\":{\"h\":15,\"i\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Audit Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", + "name": "panel_0", + "type": "visualization" + }, + { + "id": 
"carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", + "name": "panel_3", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..e3f216759c --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"carbon_black_cloud.endpoint_event.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"title\":\"[Carbon Black Cloud] Top 10 Event 
Types\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IP\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"panelRefName\":\"panel_12\",\"title\":\"[Carbon 
Black Cloud] Top 10 Effective Reputation of Loaded Modules\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"w\":48,\"x\":0,\"y\":105},\"panelIndex\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"panelRefName\":\"panel_13\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Endpoint Event", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "f19543f7-04f5-42dd-849b-5f2fd8ca15f8:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", + "name": 
"panel_9", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", + "name": "panel_13", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..4a9c10d677 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json 
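Review bot: This dashboard export, and the sibling exports carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json and carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json, are committed with `new file mode 100755`; these are data files and should be added as 100644, since an executable bit on saved-object JSON is a lint finding in most repos and produces a noisy mode-only diff when someone later corrects it. In this file the by-value panel `f19543f7-04f5-42dd-849b-5f2fd8ca15f8` keeps `\"index\":\"logs-*\"` inline in panelsJSON and additionally gets an `index-pattern` entry in `references`, whereas the by-value panels in the alerts dashboard embed the same `logs-*` index with no reference entry at all; please confirm against the exporter which form Kibana 7.17 expects and make the files consistent, because a stale or missing reference is the usual reason a dashboard fails to install with the package. Every file in this set also ends with `\ No newline at end of file`; adding the trailing newline avoids a spurious last-line change on the next edit.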
@@ -0,0 +1,147 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":15,\"i\":\"a63e66da-6fdb-432e-8cd3-9beeceb7187e\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"a63e66da-6fdb-432e-8cd3-9beeceb7187e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":t
rue,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":15,\"i\":\"3b39bb5c-6d43-4bac-9551-dd3db3def5da\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"3b39bb5c-6d43-4bac-9551-dd3db3def5da\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5e9e34e5-35be-4f6c-922a-fb15daf002ab\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"5e9e34e5-35be-4f6c-922a-fb15daf002ab\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7cba8aeb-90ad-4db5-8050-6093f8b51f56\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"7cba8aeb-90ad-4db5-8050-6093f8b51f56\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"bb01cff3-1557-42ad-ad1a-0cca9f44b658\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"bb01cff3-1557-42ad-ad1a
-0cca9f44b658\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fdcee22b-9a7d-4b00-af40-ebe01d7e8b28\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"fdcee22b-9a7d-4b00-af40-ebe01d7e8b28\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3d50fe5a-b808-407c-830e-1badfb14b4b4\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"3d50fe5a-b808-407c-830e-1badfb14b4b4\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e7610078-a6b5-47e0-9739-ee08f84a39c8\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"e7610078-a6b5-47e0-9739-ee08f84a39c8\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93081e97-c841-4eb2-bfa3-6d214cb10282\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"93081e97-c841-4eb2-bfa3-6d214cb10282\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"920d0841-19a5-4052-a5c6-4c2bcea8feee\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"920d0841-19a5-4052-a5c6-4c2bcea8feee\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2aab11a6-0445-43ae-b852-de68e72bc9f6\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"2aab11a6-0445-43ae-b852-de68e72bc9f6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"64eae241-7f78-45c4-9ec8-f2c1195a5fa2\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"64eae241-7f78-45c4-9ec8-f2c1195a5fa2\",\"panelRefName\":\"panel_11\",\"type\":\"
visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f0964cf-d899-481f-b1e2-138d3e24f67f\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"8f0964cf-d899-481f-b1e2-138d3e24f67f\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":1,\"width\":494}]}}},\"gridData\":{\"h\":15,\"i\":\"5cf45870-ceae-4231-9fe7-1dc62ff55c16\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"5cf45870-ceae-4231-9fe7-1dc62ff55c16\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"01a42219-92ef-4f03-b8a3-3eb1f498c1f7\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"01a42219-92ef-4f03-b8a3-3eb1f498c1f7\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"2afa241a-c05d-4c21-b993-d00d655e53f6\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"2afa241a-c05d-4c21-b993-d00d655e53f6\",\"panelRefName\":\"panel_15\",\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC 
Field\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5ac185d0-99d0-473f-9cf5-4898053b1fa8\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"5ac185d0-99d0-473f-9cf5-4898053b1fa8\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9248238a-0980-423a-a19c-44102fdc173c\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"9248238a-0980-423a-a19c-44102fdc173c\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"48aa679f-815f-4196-bca9-b3d7784aef73\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"48aa679f-815f-4196-bca9-b3d7784aef73\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"669a2361-cb74-4def-a571-4af3ab5082b9\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"669a2361-cb74-4def-a571-4af3ab5082b9\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"83e71096-5c60-41e7-a258-ec2036fcf872\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"83e71096-5c60-41e7-a258-ec2036fcf872\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ab2c450c-e97f-41ba-bffe-3c0672b64320\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"ab2c450c-e97f-41ba-bffe-3c0672b64320\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3df6d550-3202-40b6-a2ad-0909b7e5dd6b\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"3df6d550-3202-40b6-a2ad-0909b7e5dd6b\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"versio
n\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":1134}]}}},\"gridData\":{\"h\":15,\"i\":\"bab343d8-bdda-4558-8353-f4530b69a3b9\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"bab343d8-bdda-4558-8353-f4530b69a3b9\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":27,\"i\":\"7a714638-9485-4da1-bc85-38df2ef49e99\",\"w\":48,\"x\":0,\"y\":180},\"panelIndex\":\"7a714638-9485-4da1-bc85-38df2ef49e99\",\"panelRefName\":\"panel_24\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"360b92d6-049c-42de-903f-f22ab75c0afc\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"360b92d6-049c-42de-903f-f22ab75c0afc\",\"title\":\"[Carbon Black Cloud] Top 10 Threat Cause Actor Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Alerts", + "version": 1 + }, + 
"coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", + "name": "panel_14", + 
"type": "visualization" + }, + { + "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", + "name": "panel_15", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", + "name": "panel_16", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", + "name": "panel_17", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", + "name": "panel_18", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", + "name": "panel_19", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", + "name": "panel_20", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", + "name": "panel_21", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", + "name": "panel_22", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", + "name": "panel_23", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", + "name": "panel_24", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..ee0df3955b --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"panelRefName\":\"panel_0\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"panelRefName\":\"panel_2\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"panelRefName\":\"panel_3\",\"title\":\"[Carbon Black Cloud] 
Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"panelRefName\":\"panel_4\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Hosts with Highest Risk Score\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"panelRefName\":\"panel_6\",\"title\":\"[Carbon Black Cloud] Top 10 OS Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":20,\"i\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"panelRefName\":\"panel_7\",\"title\":\"[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": 
"[Carbon Black Cloud] Asset Vulnerability Summary", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", + "name": "panel_7", + "type": "search" + }, + { + "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", + "name": "panel_8", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..94761c84e1 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.watchlist_hit.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IPs\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit Name\",\"field\":\"carbon_black_cloud.watchlist_hit.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Watchlist Hit Names\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Severity\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher 
Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"panelRefName\":\"panel_8\",\"type\":\"visualiz
ation\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"panelRefName\":\"panel_9\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"panelRefName\":\"panel_10\",\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":31,\"i\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"w\":48,\"x\":0,\"y\":120},\"panelIndex\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"panelRefName\":\"panel_11\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Watchlist Hit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "4f7b5cef-a7e9-44a9-8769-44d5326a8df4:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3d454d18-6baa-40de-aa94-4ebfaee9a759:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b0289aae-02bb-472e-8a22-07ff9f5d2372:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"d29f5a98-736d-4f47-877e-b4552d15f889:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae5c96d5-b7d6-45f8-b57b-42cc190f990b:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", + "name": "panel_11", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..fde5382f93 --- /dev/null 
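Review bot: The by-value pie panel for parent-process reputation (terms on `carbon_black_cloud.watchlist_hit.process.parent.reputation`) still carries the inner `savedVis.title` `[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation`, identical to the preceding process-reputation panel, while its panel-level `title` reads `... by Parent Process Reputation`. Presumably the panel-level title is what the dashboard renders, so this is cosmetic today, but the stale inner title resurfaces as soon as someone saves the panel to the library or inspects the visualization. Suggest changing the inner title to `[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation` so both agree. Note also that these five by-value panels pin `index` to `logs-*` with only the KQL dataset filter scoping them; that matches the other saved objects in this commit, but it means who can see this data is decided by index privileges on `logs-*`, not by the dataset name in the query.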
+++ b/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json
@@ -0,0 +1,39 @@
+{
+ "attributes": {
+ "columns": [
+ "carbon_black_cloud.watchlist_hit.watchlists.name",
+ "process.command_line",
+ "process.parent.command_line",
+ "process.executable",
+ "process.parent.executable",
+ "carbon_black_cloud.watchlist_hit.ioc.id",
+ "carbon_black_cloud.watchlist_hit.ioc.hit"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "[Carbon Black Cloud] Watchlist Hit Essential Details"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json
new file mode 100755
index 0000000000..fdc104f3b2
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json
@@ -0,0 +1,36 @@
+{
+ "attributes": {
+ "columns": [
+ "event.id",
+ "client.user.id",
+ "event.reason",
+ "client.ip"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": true,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "[Carbon Black Cloud] Audit Essential Details"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json
new file mode 100755
index 0000000000..800a5cb006
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json
@@ -0,0 +1,39 @@
+{
+ "attributes": {
+ "columns": [
+ "carbon_black_cloud.endpoint_event.type",
+ "process.command_line",
+ "process.parent.command_line",
+ "dll.path",
+ "carbon_black_cloud.endpoint_event.target_cmdline",
+ "process.executable",
+ "process.parent.executable"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "[Carbon Black Cloud] Endpoint Events Essential Details"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json
new file mode 100755
index 0000000000..1a37e59347
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json
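Review bot: The default columns of this saved search put `process.command_line`, `process.parent.command_line` and `carbon_black_cloud.endpoint_event.target_cmdline` front and centre, and command lines are where credentials passed as arguments (`-p`, `--token`, connection strings) land verbatim, so anyone who can open the dashboard that embeds this search reads them in clear. That is inherent to the data rather than a defect in the JSON, but it deserves a sentence in the package documentation (outside this hunk), and deployments that cannot accept it should mask those fields with field-level security on the indices backing the `carbon_black_cloud.endpoint_event` dataset rather than edit the search. The watchlist-hit search added alongside this one exposes the same two `process.*command_line` columns and the same note applies there.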
@@ -0,0 +1,37 @@
+{
+ "attributes": {
+ "columns": [
+ "event.id",
+ "event.reason",
+ "event.url",
+ "carbon_black_cloud.alert.threat_indicators.process_name",
+ "carbon_black_cloud.alert.category"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": true,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "[Carbon Black Cloud] Alerts Essential Details"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json
new file mode 100755
index 0000000000..c060c3bd41
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json
@@ -0,0 +1,36 @@
+{
+ "attributes": {
+ "columns": [
+ "host.hostname",
+ "vulnerability.severity",
+ "vulnerability.score.base",
+ "carbon_black_cloud.asset_vulnerability_summary.vuln_count"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json
new file mode 100755
index 0000000000..bf6bf9170c
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}"
+ },
+ "title": "[Carbon Black Cloud] Top 10 Process Publisher State",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json
new file mode 100755
index 0000000000..329118ed72
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}"
+ },
+ "title": "[Carbon Black Cloud] Distribution of Alerts by OS, OS version",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by OS, OS version\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json
new file mode 100755
index 0000000000..fb78529067
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}"
+ },
+ "title": "[Carbon Black Cloud] Top 10 Client IPs",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client IPs\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Client IPs\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json
new file mode 100755
index 0000000000..edfb4ab922
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}"
+ },
+ "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators TTPS\",\"field\":\"carbon_black_cloud.alert.threat_indicators.ttps\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS\",\"type\":\"horizontal_bar\"}"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json
new file mode 100755
index 0000000000..e058315a1e
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Actions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show
\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Top 10 Actions\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..e9926e3521 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json 
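Review bot: The file header preceding this hunk reads `new file mode 100755`, so a JSON data file is committed with the executable bit set; saved objects are only ever read by the package installer, so the mode should be `100644`, which also keeps the package free of executable files that stand out in a supply-chain audit. The same mode appears on every `new file mode` header visible for the remaining visualizations in this diff (17537cc0, 1b554010, 28323940 and onward), so clearing the executable bit across the visualization directory before committing fixes them together. Each of these files also ends with `\ No newline at end of file`; adding the trailing newline keeps future diffs clean.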
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by OS", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"carbon_black_cloud.watchlist_hit.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by OS\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
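Review bot: The `searchSourceJSON` query here is written `data_stream.dataset: \"carbon_black_cloud.watchlist_hit\"` (no space before the colon), while the sibling visualizations write `data_stream.dataset : \"...\"`; both forms are equivalent in KQL, so this is a consistency point only, but settling on one form makes the objects easier to grep and to diff. The same variant appears in 3aa59c50 and 4dc9e690 further down.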
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json
new file mode 100755
index 0000000000..5c97a8d4eb
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Severity", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..8bb3adabfb --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..7bec55f465 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":9},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
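Review bot: The title says `Top 10 Child Process Username` but the terms aggregation in `visState` is configured with `\"size\":9`, so the table will list at most nine usernames; either change it to `\"size\":10`, matching the other Top 10 tables in this series (28323940, 3aa59c50, 4dc9e690 and 53d65ef0 all use 10), or rename the visualization to reflect nine rows.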
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json
new file mode 100755
index 0000000000..e4b7fe64f8
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json
new file mode 100755
index 0000000000..6b1cb56ea0
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Origin\",\"field\":\"carbon_black_cloud.endpoint_event.event_origin\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{
\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..c59f3f2623 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json 
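Review bot: The value-axis title in `visState` is set to `\"title\":{\"text\":\"\"}`, so this horizontal bar chart renders without a label on its count axis, whereas the other horizontal bars in this series (10f699d0, 2eafd430) use `\"title\":{\"text\":\"Count\"}`; setting the same text here keeps the charts consistent. The metric aggregation also lacks the `\"customLabel\":\"Count\"` those siblings set, which is harmless but makes the tooltip wording differ.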
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Le
ftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..0a01e78828 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..682f389163 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by OS", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device OS\",\"field\":\"carbon_black_cloud.endpoint_event.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by OS\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..7af6d5ad55 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 IOC Hits", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.watchlist_hit.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hits\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json
new file mode 100755
index 0000000000..1c116157a2
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Category", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3ced47d3fe --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json
new file mode 100755
index 0000000000..60cf2f819b
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by OS Type, OS Version", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Type\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + 
], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..411603d6cc --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json 
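Review bot: Both the `title` attribute and the title inside `visState` read `Distribution of Asset Vulnerability Summary by OS Type, OS Version` without the `[Carbon Black Cloud]` prefix that every other visualization in this package carries, so the object will sort away from its siblings in the saved-object listing and is hard to attribute to the integration; prefix both to `[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version`. The next object, 5a5dad90, whose hunk begins on the following line and continues beyond this excerpt, appears to omit the prefix as well, and once prefixed its title `Distribution of Asset Vulnerability Summary by Type` would be identical to that of 2d1eedf0 earlier in the diff, so it likely needs a distinguishing word (it appears to be a bar chart rather than a pie).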
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"norm
al\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Distribution of Asset Vulnerability Summary by Type\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..811d8c6112 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.vector\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"
position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..e390c83ecc --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by IOC field", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Field\",\"field\":\"carbon_black_cloud.alert.ioc.field\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"
normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC field\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..bdd43d6d65 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by OS Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..a8622511b3 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by OS Architecture", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.architecture\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Architecture\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
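Review bot: The terms agg on `host.architecture` is capped at `"size":3` with `"otherBucket":false`, so any architecture beyond the top three is silently omitted and the percent labels (`valuesFormat` percent) are derived from the returned buckets only, which makes the donut misstate the real distribution when more than three values exist. Either raise the size or set `"otherBucket":true` so the remainder shows as an `Other` slice. The legend is disabled (`"addLegend":false`), so the slice label is the only identifier a reader gets; verify real architecture strings fit within `truncate: 100`.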
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..02160d4bea --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 OS Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Names\",\"field\":\"host.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":false,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 OS Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..6c64141f00 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 Hosts with Highest Vulnerability Count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Vulnerability Count\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.vuln_count\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..630d474e6e --- /dev/null 
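Review bot: The table keys its rows on `host.hostname` (terms agg id 2) and takes `max` of `carbon_black_cloud.asset_vulnerability_summary.vuln_count`; hostnames are not unique across an estate, so two devices sharing a name collapse into one row that carries the higher count and the lower-count host drops out of the top 10. If the data stream populates `host.id` (or the Carbon Black device id), bucketing on that field — `"field":"host.id"` with `host.hostname` as a secondary bucket for display — keeps one row per device. Note also that `max` over the dashboard time range reports the historical peak rather than the latest summary value if each sync writes a new document; a latest-value (top hit) metric would be the more faithful "current" count — confirm how often the summary is re-emitted.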
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Workflow State", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Workflow State\",\"field\":\"carbon_black_cloud.alert.workflow.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Workflow State\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..228daf684c --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..1bd12c5d2e --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Severity", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"vulnerability.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..0a3d26dad2 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Report Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Report Name\",\"field\":\"carbon_black_cloud.watchlist_hit.report.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Report Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..6e873422cb --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 Hosts with Highest Risk Score", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Risk Score\",\"field\":\"vulnerability.score.base\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Risk Score\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
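Review bot: The metric column is labelled `Risk Score` but aggregates `vulnerability.score.base`, which in ECS is a vulnerability's CVSS base score, so with `"description": ""` a reader cannot tell whether this is the Carbon Black risk score mapped onto the ECS field or an actual CVSS value; the ingest mapping is not visible in this commit. Either rename the label to match the field (`"customLabel":"Highest CVSS Base Score"`) or fill `"description"` with the mapping the pipeline applies. Rows are keyed on `host.hostname`, so hosts sharing a name merge into one row showing the higher score; prefer `host.id` if the data stream populates it.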
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..48a0ff614a --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..b549ad14a1 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Sync Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..116934a90e --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..ebce21d74d --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Sync Status", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync Status\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
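Review bot: The `title` on this visualization (and the duplicated `title` inside `visState`) is the only one in this batch, together with the "Top 10 Hosts with Severity" object, that lacks the `[Carbon Black Cloud] ` prefix every other saved object in the package uses; Kibana lists visualizations from all installed integrations in one flat namespace, so an unprefixed "Distribution of Asset Vulnerability Summary by Sync Status" is hard to attribute and easy to confuse with another integration's object. Suggest `"title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Status"` and the matching `\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Status\"` inside `visState`. Everything else in the hunk (terms on `carbon_black_cloud.asset_vulnerability_summary.sync.status`, legend hidden via `uiStateJSON`) looks consistent with the sibling pie objects.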
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..8f11ac69cf --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 Hosts with Severity", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Severity\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"vulnerability.severity\"},\"schema\":\"orderAgg\",\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Severity\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..5d57824451 --- /dev/null 
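Review bot: The metric column in `visState` is a plain `count` aggregation but is labeled `"customLabel":"Severity"`, so the table headed "Top 10 Hosts with Severity" shows analysts a document count under a column called Severity; on a vulnerability-triage dashboard that is actively misleading when prioritizing hosts. The ordering is also odd: `orderBy:"custom"` with a `cardinality` orderAgg on `vulnerability.severity` ranks hosts by how many distinct severity strings they have (a handful at most), so ties are arbitrary and the "top 10" is largely meaningless. Minimal fix is to make the label honest and sort by the metric, `\"customLabel\":\"Vulnerability Count\"` and `\"orderBy\":\"1\"` (dropping the `orderAgg` object); if the dataset carries a numeric severity score a `max` on that field would be a better sort key, but I cannot confirm such a field exists from this hunk. As with the sync-status pie, the title also lacks the `[Carbon Black Cloud] ` prefix used by the rest of the package.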
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 IOC Hit", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.alert.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hit\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..dd5f86134d --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit\",\"field\":\"carbon_black_cloud.alert.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\
":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..60669ee962 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Reputation\",\"field\":\"carbon_black_cloud.alert.threat_cause.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..19ad6bf381 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Threat Indicators Process Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators Process Name\",\"field\":\"carbon_black_cloud.alert.threat_indicators.process_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Indicators Process Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..7992c14128 --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Devices", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Devices\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..ebcc102bf4 --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Run State", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Run State\",\"field\":\"carbon_black_cloud.alert.run_state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Run State\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bf3592d08f --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1025e00226 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Sensor Action", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.alert.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":
{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Sensor Action\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..c4ce665f33 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..7db345ec9b --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Audit Logs by Flag Status", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flagged\",\"field\":\"carbon_black_cloud.audit.flagged\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Audit Logs by Flag Status\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..37864260d1 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Effective Reputation of Loaded Modules\",\"field\":\"carbon_black_cloud.endpoint_event.modload.effective_reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..cf20544145 --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..dd2d0ee97a --- /dev/null 
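Review bot: The terms aggregation in this visualization's visState is configured with `"size":8`, while its title is "[Carbon Black Cloud] Top 10 Child Process Publisher Name", so the table can never show more than eight publishers and silently under-reports the long tail of signers on a busy tenant. The sibling table in the preceding hunk (`…a7ce1420…`, "Top 10 Effective reputation of the loaded modules") uses `"size":10`, which is what the title here promises. Change the bucket agg params to `\"size\":10` (or retitle the panel "Top 8" if the smaller list is deliberate). Whichever is chosen, keep `perPage` in sync so the table does not paginate a list shorter than its page size.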
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Usernames", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Usernames\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..bb4fb20b4b --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3a76cb6cae --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.endpoint_event.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale
\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..29d985b4d8 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit by Report Tag\",\"field\":\"carbon_black_cloud.watchlist_hit.report.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\
"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..50933d86cc --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Not Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.not_blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftA
xis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bf02f82c2e --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Policy Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"carbon_black_cloud.alert.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Policy Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bfebab9f24 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Reason Codes", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Reason Codes\",\"field\":\"carbon_black_cloud.alert.reason_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Reason Codes\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..85bf297c56 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Usernames", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Usernames\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..2ad0964cbb --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Request URLs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Request URLs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..cb945df49b --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Kill Chain Status\",\"field\":\"carbon_black_cloud.alert.kill_chain_status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\
",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..fc1c6812f0 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Process Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Name\",\"field\":\"process.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\
":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Process Name\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3c04444ca9 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device External IP", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.endpoint_event.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device External IP\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..a79db35e93 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Alert Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..d3f393c0d5 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..84fedf340e --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1c30c4f320 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Policy Applied", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Applied\",\"field\":\"carbon_black_cloud.alert.policy.applied\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Policy Applied\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..4a17555983 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.1/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Target Value", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Value\",\"field\":\"carbon_black_cloud.alert.target_value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Target Value\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.1/manifest.yml b/packages/carbon_black_cloud/0.1.1/manifest.yml new file mode 100755 index 0000000000..c1aca92364 --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.1/manifest.yml 
@@ -0,0 +1,136 @@
+format_version: 1.0.0
+name: carbon_black_cloud
+title: Carbon Black Cloud
+version: 0.1.1
+license: basic
+description: This Elastic integration collects logs from Carbon Black Cloud
+type: integration
+categories:
+ - security
+release: beta
+conditions:
+ kibana.version: ^7.17.0 || ^8.0.0
+screenshots:
+ - src: /img/carbon_black_cloud-screenshot.png
+ title: Carbon Black Cloud alert dashboard screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/carbon_black_cloud-logo.svg
+ title: Carbon Black Cloud logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: carbon_black_cloud
+ title: Carbon Black Cloud
+ description: Collect Logs from Carbon Black Cloud
+ inputs:
+ - type: httpjson
+ title: Collect Carbon Black Cloud logs via API
+ description: Collect Carbon Black Cloud logs via API
+ vars:
+ - name: hostname
+ type: text
+ title: Hostname
+ description: Carbon Black Cloud console Hostname. Find hostname in the console dashboard at the beginning of the web address (Add https:// before the hostname).
+ required: true
+ - name: org_key
+ type: text
+ title: Organization Key
+ description: Organization Key.
+ required: true
+ - name: custom_api_id
+ type: text
+ title: Custom API ID
+ description: API ID with Custom Access Level type.
+ required: true
+ - name: custom_api_secret_key
+ type: password
+ title: Custom API Secret Key
+ description: API Secret Key with Custom Access Level type
+ required: true
+ - name: api_id
+ type: text
+ title: API ID
+ description: API ID with API Access Level type.
+ required: true
+ - name: api_secret_key
+ type: password
+ title: API Secret Key
+ description: API Secret Key with API Access Level type
+ required: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - type: aws-s3
+ title: Collect Carbon Black Cloud logs via AWS S3
+ description: Collect Carbon Black Cloud logs via AWS S3
+ vars:
+ - name: bucket_arn
+ type: text
+ title: Bucket ARN
+ multi: false
+ required: true
+ show_user: true
+ - name: access_key_id
+ type: password
+ title: Access Key ID
+ multi: false
+ required: true
+ show_user: true
+ - name: secret_access_key
+ type: password
+ title: Secret Access Key
+ multi: false
+ required: true
+ show_user: true
+ - name: number_of_workers
+ type: integer
+ title: Number of Workers
+ multi: false
+ required: false
+ show_user: false
+ default: 5
+ description: Number of workers that will process the S3 objects listed.
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/checkpoint/1.3.6/changelog.yml b/packages/checkpoint/1.3.6/changelog.yml new file mode 100755
index 0000000000..c8ab3907d0
--- /dev/null
+++ b/packages/checkpoint/1.3.6/changelog.yml
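Review bot: `proxy_url` is declared `type: text` in both the httpjson and aws-s3 inputs, yet its description tells the user to embed a username and password in the URL; the neighbouring secrets (`custom_api_secret_key`, `api_secret_key`, `secret_access_key`) are `type: password`, and presumably only that type is masked in the policy editor, so a proxy credential stored here would be displayed in the clear. Consider `type: password` for `proxy_url`, or a description that steers users toward a proxy without inline credentials. Separately, `bucket_arn`, `access_key_id` and `secret_access_key` in the aws-s3 input carry no `description`, unlike every var in the httpjson input; e.g. `description: ARN of the S3 bucket that holds the Carbon Black Cloud log objects.` would make the form self-explanatory. The proxy description's `http[s]://:@:` also reads as if placeholder names were dropped, though that may be a rendering artifact of this page rather than the committed text.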
@@ -0,0 +1,111 @@
+# newer versions go on top
+- version: "1.3.6"
+ changes:
+ - description: Fixed parsing error when logs have trailing spaces
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3035
+- version: "1.3.5"
+ changes:
+ - description: Added link to check point documentation.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2926
+- version: "1.3.4"
+ changes:
+ - description: Change mapping type of checkpoint.source_object to keyword from integer.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2951
+- version: "1.3.3"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.3.2"
+ changes:
+ - description: Fix field mapping conflicts for `checkpoint.icmp_type`, `checkpoint.icmp_code` & `checkpoint.email_recipients_num`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2895
+- version: "1.3.1"
+ changes:
+ - description: Add Ingest Pipeline script to map IANA Protocol Numbers
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2470
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2387
+- version: "1.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2231
+- version: "1.1.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1951
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1803
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1653
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1605
+- version: "0.8.2"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1470
+- version: '0.8.1'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1376
+- version: "0.8.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.7.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1256
+- version: "0.6.0"
+ changes:
+ - description: update to ECS 1.10.0 and syncing module changes
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1033
+- version: "0.5.2"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/839
+- version: "0.5.1"
+ changes:
+ - description: Change kibana.version constraint to be more conservative.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/749
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/220
diff --git a/packages/checkpoint/1.3.6/data_stream/firewall/agent/stream/log.yml.hbs b/packages/checkpoint/1.3.6/data_stream/firewall/agent/stream/log.yml.hbs new file mode 100755
index 0000000000..24ecbba6d7
--- /dev/null
+++ b/packages/checkpoint/1.3.6/data_stream/firewall/agent/stream/log.yml.hbs
@@ -0,0 +1,38 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
diff --git a/packages/checkpoint/1.3.6/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/checkpoint/1.3.6/data_stream/firewall/agent/stream/tcp.yml.hbs new file mode 100755
index 0000000000..9ccc9d6fc3
--- /dev/null
+++ b/packages/checkpoint/1.3.6/data_stream/firewall/agent/stream/tcp.yml.hbs
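Review bot: The `processors:` sequence is written flush-left (`- add_locale: ~`) while the `paths:` and `tags:` sequences indent their items, and nothing in the template says why; I'd guess the flush style is deliberate so that the raw `{{processors}}` expansion, which is emitted at column 0, lands at the same level as `add_locale`. A template comment above the list, `{{!-- user-supplied processors are inserted verbatim at column 0, so this sequence stays flush-left --}}`, would keep the next reader from "fixing" the indentation and silently breaking the merge. The same unexplained layout appears in tcp.yml.hbs and udp.yml.hbs, which are byte-identical to each other (both at blob 9ccc9d6fc3) and, unlike this file, end without a trailing newline.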
@@ -0,0 +1,34 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/checkpoint/1.3.6/data_stream/firewall/agent/stream/udp.yml.hbs b/packages/checkpoint/1.3.6/data_stream/firewall/agent/stream/udp.yml.hbs new file mode 100755
index 0000000000..9ccc9d6fc3
--- /dev/null
+++ b/packages/checkpoint/1.3.6/data_stream/firewall/agent/stream/udp.yml.hbs
@@ -0,0 +1,34 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/checkpoint/1.3.6/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/1.3.6/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml new file mode 100755
index 0000000000..0329297981
--- /dev/null
+++ b/packages/checkpoint/1.3.6/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,795 @@ +--- +description: Pipeline for parsing checkpoint firewall logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original + patterns: + - '%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) + +(?:%{IPORHOST:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) + +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(?::-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) + +\[%{GREEDYDATA:syslog5424_sd}\]' + - kv: + field: syslog5424_sd + field_split: "; " + value_split: ":" + trim_key: " " + trim_value: " " + prefix: checkpoint. + strip_brackets: true + ignore_failure: true + exclude_keys: + - flags + - layer_uuid + - originsicname + - __policy_id_tag + - version + - rounded_bytes + - db_tag + - update_service + - remove: + field: + - syslog5424_sd + - syslog5424_app + - syslog5424_host + - syslog5424_msgid + - syslog5424_pri + - syslog5424_proc + - syslog5424_ver + - host + ignore_missing: true + - rename: + field: "@timestamp" + target_field: "event.created" + ignore_missing: true + - date: + field: "syslog5424_ts" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time == null" + - append: + field: event.category + value: network + if: ctx.checkpoint?.operation != 'Log In' + - set: + field: observer.vendor + value: Checkpoint + - set: + field: observer.type + value: firewall + if: ctx.checkpoint?.type == null + - set: + field: observer.product + value: "{{checkpoint.product}}" + ignore_empty_value: true + - rename: + field: checkpoint.src + target_field: source.ip + ignore_missing: true + - rename: + field: checkpoint.client_ip + target_field: source.ip + ignore_missing: true + if: ctx.source?.ip == null + - rename: + field: checkpoint.xlatesrc + target_field: source.nat.ip + if: "ctx.checkpoint?.xlatesrc != '0.0.0.0'" + ignore_missing: true + - rename: + field: checkpoint.dst + target_field: 
destination.ip + ignore_missing: true + - rename: + field: checkpoint.xlatedst + target_field: destination.nat.ip + if: "ctx.checkpoint?.xlatedst != '0.0.0.0'" + ignore_missing: true + - rename: + field: checkpoint.uid + target_field: source.user.id + ignore_missing: true + - rename: + field: checkpoint.administrator + target_field: source.user.name + ignore_missing: true + - rename: + field: checkpoint.source_user_name + target_field: source.user.name + if: ctx.source?.user?.name == null + ignore_missing: true + - convert: + field: checkpoint.client_outbound_packets + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.server_outbound_packets + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.client_outbound_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.sent_byte + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: ctx.source?.bytes == null + - convert: + field: checkpoint.server_outbound_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.received_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: ctx.destination?.bytes == null + - convert: + field: checkpoint.service + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.xlatedport + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.checkpoint?.xlatedport != '0'" + - convert: + field: checkpoint.s_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.xlatesport + target_field: source.nat.port + type: long + ignore_failure: 
true + ignore_missing: true + if: "ctx.checkpoint?.xlatesport != '0'" + - rename: + field: checkpoint.mac_source_address + target_field: source.mac + ignore_missing: true + - rename: + field: checkpoint.from + target_field: source.user.email + ignore_missing: true + - rename: + field: checkpoint.src_machine_name + target_field: source.domain + ignore_missing: true + - rename: + field: checkpoint.destination_dns_hostname + target_field: destination.domain + ignore_missing: true + - rename: + field: checkpoint.dst_machine_name + target_field: destination.domain + if: ctx.server?.domain == null + ignore_missing: true + - rename: + field: checkpoint.src_user_group + target_field: source.user.group.name + ignore_missing: true + - append: + field: event.category + value: authentication + if: ctx.checkpoint?.operation == 'Log In' + - set: + field: event.kind + value: alert + if: "['Prevent', 'Detect', 'Quarantine'].contains(ctx.checkpoint?.rule_action)" + - set: + field: event.kind + value: event + if: ctx.event?.kind == null + - set: + field: event.outcome + value: success + if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)" + - append: + field: event.type + value: + - allowed + - connection + if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)" + - set: + field: event.outcome + value: success + if: ctx.checkpoint?.audit_status == 'Success' + - set: + field: event.outcome + value: failure + if: ctx.checkpoint?.audit_status == 'Failure' + - set: + field: event.outcome + value: success + if: "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)" + - append: + field: event.type + value: + - connection + - denied + if: "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)" + - append: + field: event.category + value: malware + if: ctx.checkpoint?.malware_action != null + - append: + field: event.category + value: intrusion_detection + if: "['Detect', 'Prevent'].contains(ctx.checkpoint?.rule_action)" + - 
append: + field: related.ip + value: "{{source.ip}}" + if: ctx.source?.ip != null + - append: + field: related.ip + value: "{{source.nat.ip}}" + if: ctx.source?.nat?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + if: ctx.destination?.ip != null + - append: + field: related.ip + value: "{{destination.nat.ip}}" + if: ctx.destination?.nat?.ip != null + - append: + field: related.hash + value: "{{checkpoint.file_md5}}" + if: ctx.checkpoint?.file_md5 != null + - append: + field: related.hash + value: "{{checkpoint.file_sha1}}" + if: ctx.checkpoint?.file_sha1 != null + - append: + field: related.hash + value: "{{checkpoint.file_sha256}}" + if: ctx.checkpoint?.file_sha256 != null + - rename: + field: checkpoint.to + target_field: destination.user.email + ignore_missing: true + - rename: + field: checkpoint.usercheck_incident_uid + target_field: destination.user.id + ignore_missing: true + - rename: + field: checkpoint.service_name + target_field: destination.service.name + ignore_missing: true + - rename: + field: checkpoint.mac_destination_address + target_field: destination.mac + ignore_missing: true + - rename: + field: checkpoint.dns_type + target_field: dns.question.type + ignore_missing: true + - rename: + field: checkpoint.domain_name + target_field: dns.question.name + ignore_missing: true + - rename: + field: checkpoint.dns_message_type + target_field: dns.type + ignore_missing: true + - rename: + field: checkpoint.tid + target_field: dns.id + ignore_missing: true + - rename: + field: checkpoint.loguid + target_field: event.id + ignore_missing: true + - convert: + field: checkpoint.sequencenum + target_field: event.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.severity + target_field: event.severity + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: checkpoint.action + target_field: event.action + ignore_missing: true + - rename: + field: 
checkpoint.packet_capture + target_field: event.url + ignore_missing: true + - rename: + field: checkpoint.start_time + target_field: event.start + ignore_missing: true + - rename: + field: checkpoint.first_detection + target_field: event.start + ignore_missing: true + if: ctx.event?.start == null + - rename: + field: checkpoint.last_detection + target_field: event.end + ignore_missing: true + - rename: + field: checkpoint.app_risk + target_field: event.risk_score + ignore_missing: true + - rename: + field: checkpoint.file_id + target_field: file.inode + ignore_missing: true + - rename: + field: checkpoint.file_type + target_field: file.type + ignore_missing: true + - rename: + field: checkpoint.file_name + target_field: file.name + ignore_missing: true + - convert: + field: checkpoint.file_size + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: checkpoint.file_md5 + target_field: file.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.file_sha1 + target_field: file.hash.sha1 + ignore_missing: true + - rename: + field: checkpoint.file_sha256 + target_field: file.hash.sha256 + ignore_missing: true + - rename: + field: checkpoint.dlp_file_name + target_field: file.name + ignore_missing: true + - rename: + field: checkpoint.user_group + target_field: group.name + ignore_missing: true + - rename: + field: checkpoint.os_version + target_field: host.os.version + ignore_missing: true + - rename: + field: checkpoint.os_name + target_field: host.os.name + ignore_missing: true + - rename: + field: checkpoint.method + target_field: http.request.method + ignore_missing: true + - rename: + field: checkpoint.referrer + target_field: http.request.referrer + ignore_missing: true + - rename: + field: checkpoint.service_id + target_field: network.application + ignore_missing: true + - rename: + field: checkpoint.ifdir + target_field: network.direction + ignore_missing: true + - rename: + field: checkpoint.bytes + 
target_field: network.bytes + ignore_missing: true + - rename: + field: checkpoint.proto + target_field: network.iana_number + ignore_missing: true + - script: + lang: painless + ignore_failure: true + if: ctx?.network?.iana_number != null + source: | + def iana_number = ctx.network.iana_number; + if (iana_number == '0') { + ctx.network.transport = 'hopopt'; + } else if (iana_number == '1') { + ctx.network.transport = 'icmp'; + } else if (iana_number == '2') { + ctx.network.transport = 'igmp'; + } else if (iana_number == '6') { + ctx.network.transport = 'tcp'; + } else if (iana_number == '8') { + ctx.network.transport = 'egp'; + } else if (iana_number == '17') { + ctx.network.transport = 'udp'; + } else if (iana_number == '47') { + ctx.network.transport = 'gre'; + } else if (iana_number == '50') { + ctx.network.transport = 'esp'; + } else if (iana_number == '58') { + ctx.network.transport = 'ipv6-icmp'; + } else if (iana_number == '112') { + ctx.network.transport = 'vrrp'; + } else if (iana_number == '132') { + ctx.network.transport = 'sctp'; + } + - rename: + field: checkpoint.packets + target_field: network.packets + ignore_missing: true + - rename: + field: checkpoint.layer_name + target_field: network.name + ignore_missing: true + - rename: + field: checkpoint.app_name + target_field: network.application + ignore_missing: true + - rename: + field: checkpoint.client_inbound_interface + target_field: observer.ingress.interface.name + ignore_missing: true + - rename: + field: checkpoint.client_outbound_interface + target_field: observer.egress.interface.name + ignore_missing: true + - rename: + field: checkpoint.ifname + target_field: observer.ingress.interface.name + ignore_missing: true + if: ctx.network?.direction == 'inbound' + - rename: + field: checkpoint.ifname + target_field: observer.egress.interface.name + ignore_missing: true + if: ctx.network?.direction == 'outbound' + - rename: + field: checkpoint.type + target_field: observer.type + ignore_missing: 
true + - rename: + field: checkpoint.origin + target_field: observer.name + ignore_missing: true + - rename: + field: checkpoint.origin_ip + target_field: observer.ip + ignore_missing: true + - rename: + field: checkpoint.endpoint_ip + target_field: observer.ip + ignore_missing: true + if: ctx.observer?.ip == null + - rename: + field: checkpoint.outzone + target_field: observer.egress.zone + ignore_missing: true + - rename: + field: checkpoint.inzone + target_field: observer.ingress.zone + ignore_missing: true + - rename: + field: checkpoint.security_outzone + target_field: observer.egress.zone + ignore_missing: true + if: ctx.observer?.egress?.zone == null + - rename: + field: checkpoint.security_inzone + target_field: observer.ingress.zone + ignore_missing: true + if: ctx.observer?.ingress?.zone == null + - rename: + field: checkpoint.update_version + target_field: observer.version + ignore_missing: true + - rename: + field: checkpoint.process_md5 + target_field: process.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.process_name + target_field: process.name + ignore_missing: true + - rename: + field: checkpoint.parent_process_md5 + target_field: process.parent.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.parent_process_name + target_field: process.parent.name + ignore_missing: true + - rename: + field: checkpoint.matched_category + target_field: rule.category + ignore_missing: true + - rename: + field: checkpoint.categories + target_field: rule.category + ignore_missing: true + if: ctx.rule?.category == null + - rename: + field: checkpoint.malware_action + target_field: rule.description + ignore_missing: true + - rename: + field: checkpoint.malware_rule_id + target_field: rule.id + ignore_missing: true + - rename: + field: checkpoint.app_rule_id + target_field: rule.id + ignore_missing: true + if: ctx.rule?.id == null + - rename: + field: checkpoint.objectname + target_field: rule.name + ignore_missing: true + - rename: + 
field: checkpoint.rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.malware_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.app_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.dlp_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.smartdefence_profile + target_field: rule.ruleset + ignore_missing: true + - rename: + field: checkpoint.policy + target_field: rule.ruleset + ignore_missing: true + if: ctx.rule?.ruleset == null + - rename: + field: checkpoint.rule_uid + target_field: rule.uuid + ignore_missing: true + - rename: + field: checkpoint.dlp_rule_uid + target_field: rule.uuid + ignore_missing: true + if: ctx.rule?.uuid == null + - rename: + field: checkpoint.url + target_field: url.original + ignore_missing: true + - rename: + field: checkpoint.resource + target_field: url.original + ignore_missing: true + if: ctx.url?.original == null + - rename: + field: checkpoint.http_host + target_field: url.domain + ignore_missing: true + - rename: + field: checkpoint.web_client_type + target_field: user_agent.name + ignore_missing: true + - rename: + field: checkpoint.user_agent + target_field: user_agent.original + ignore_missing: true + - rename: + field: checkpoint.industry_reference + target_field: vulnerability.id + ignore_missing: true + - date: + field: "checkpoint.time" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time != null" + - rename: + field: checkpoint.message + target_field: message + ignore_missing: true + - rename: + field: checkpoint.reason + target_field: message + ignore_missing: true + if: ctx.message == null + - rename: + field: checkpoint.subject + target_field: message + ignore_missing: true + if: ctx.message == null + - gsub: + field: checkpoint.sys_message 
+ pattern: ^:" + replacement: "" + if: ctx.checkpoint?.sys_message != null + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx.source?.user?.name != null + - append: + field: related.user + value: "{{destination.user.name}}" + if: ctx.destination?.user?.name != null + - script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: ctx?.source?.bytes != null && ctx?.destination?.bytes != null && ctx?.network?.bytes == null + ignore_failure: true + - script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: ctx?.source?.packets != null && ctx?.destination?.packets != null && ctx?.network?.packets == null + ignore_failure: true + - rename: + field: checkpoint.action_reason + target_field: checkpoint.action_reason_msg + if: ctx.checkpoint?.action_reason != null && ctx.checkpoint?.action_reason.contains(" ") + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: ctx.source?.geo == null + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: ctx.destination?.geo == null + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + # Handle zone-based network directionality + - 
set: + field: network.direction + value: inbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: internal + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: external + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + ) + ) + - remove: + field: + - checkpoint.client_outbound_packets 
+ - checkpoint.server_outbound_packets
+ - checkpoint.client_outbound_bytes
+ - checkpoint.sent_byte
+ - checkpoint.server_outbound_bytes
+ - checkpoint.received_bytes
+ - checkpoint.service
+ - checkpoint.xlatedport
+ - checkpoint.s_port
+ - checkpoint.xlatesport
+ - checkpoint.sequencenum
+ - checkpoint.file_size
+ - checkpoint.product
+ - checkpoint.severity
+ - checkpoint.xlatesrc
+ - checkpoint.xlatedst
+ - checkpoint.uid
+ - checkpoint.time
+ - syslog5424_ts
+ - _temp_
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/checkpoint/1.3.6/data_stream/firewall/fields/agent.yml b/packages/checkpoint/1.3.6/data_stream/firewall/fields/agent.yml
new file mode 100755
index 0000000000..79a7a39864
--- /dev/null
+++ b/packages/checkpoint/1.3.6/data_stream/firewall/fields/agent.yml
@@ -0,0 +1,180 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
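Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted plain scalar and parses as an integer, while the field itself is declared `type: keyword`; the same file quotes `example: "18D109"` for `host.os.build`, so `example: "666777888999"` would keep the example's type consistent with the field. Whether the package tooling accepts a numeric example here cannot be told from the hunk, so this is a typing nit rather than a confirmed build break. While touching this file, the `host.os.platform` description `Operating system platform (such centos, ubuntu, windows).` is missing a word; `(such as centos, ubuntu, windows)` matches the `host.os.family` wording above it.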
diff --git a/packages/checkpoint/1.3.6/data_stream/firewall/fields/base-fields.yml b/packages/checkpoint/1.3.6/data_stream/firewall/fields/base-fields.yml
new file mode 100755
index 0000000000..6bdf832a14
--- /dev/null
+++ b/packages/checkpoint/1.3.6/data_stream/firewall/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: checkpoint
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: checkpoint.firewall
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/checkpoint/1.3.6/data_stream/firewall/fields/beats.yml b/packages/checkpoint/1.3.6/data_stream/firewall/fields/beats.yml
new file mode 100755
index 0000000000..e272492dea
--- /dev/null
+++ b/packages/checkpoint/1.3.6/data_stream/firewall/fields/beats.yml
@@ -0,0 +1,15 @@
+- description: Type of Filebeat input.
+ name: input.type
+ type: keyword
+- description: Flags for the log file.
+ name: log.flags
+ type: keyword
+- description: Offset of the entry in the log file.
+ name: log.offset
+ type: long
+- description: Name of the service data is collected from.
+ name: destination.service.name
+ type: keyword
+- description: Source address of logs received over the network.
+ name: log.source.address
+ type: keyword
diff --git a/packages/checkpoint/1.3.6/data_stream/firewall/fields/ecs.yml b/packages/checkpoint/1.3.6/data_stream/firewall/fields/ecs.yml
new file mode 100755
index 0000000000..2ab1a56523
--- /dev/null
+++ b/packages/checkpoint/1.3.6/data_stream/firewall/fields/ecs.yml
@@ -0,0 +1,493 @@ +- description: Unique container id. + name: container.id + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: User email address. + name: destination.user.email + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. 
+ If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
+ doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". 
+ name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. 
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: Name given by operators to sections of their network.
+ name: network.name
+ type: keyword
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: Interface name as reported by the system.
+ name: observer.egress.interface.name
+ type: keyword
+- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
+ name: observer.egress.zone
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
+ name: observer.ingress.zone
+ type: keyword
+- description: IP addresses of the observer.
+ name: observer.ip
+ type: ip
+- description: |-
+ Custom name of the observer.
+ This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
+ If no custom name is needed, the field can be left empty.
+ name: observer.name
+ type: keyword
+- description: The product name of the observer.
+ name: observer.product
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: Observer version.
+ name: observer.version
+ type: keyword
+- description: MD5 hash.
+ name: process.hash.md5
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: MD5 hash.
+ name: process.parent.hash.md5
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.name
+ type: keyword
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: A categorization value keyword used by the entity using the rule for detection of this event.
+ name: rule.category
+ type: keyword
+- description: The description of the rule generating the event.
+ name: rule.description
+ type: keyword
+- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+ name: rule.id
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+ name: rule.ruleset
+ type: keyword
+- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
+ name: rule.uuid
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Packets sent from the source to the destination.
+ name: source.packets
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: User email address.
+ name: source.user.email
+ type: keyword
+- description: Name of the group.
+ name: source.user.group.name
+ type: keyword
+- description: Unique identifier of the user.
+ name: source.user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.name
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Name of the user agent.
+ name: user_agent.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
+- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]
+ name: vulnerability.id
+ type: keyword
+- description: |-
+ Full path to the log file this event came from, including the file name.
It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
diff --git a/packages/checkpoint/1.3.6/data_stream/firewall/fields/fields.yml b/packages/checkpoint/1.3.6/data_stream/firewall/fields/fields.yml
new file mode 100755
index 0000000000..a389420a0c
--- /dev/null
+++ b/packages/checkpoint/1.3.6/data_stream/firewall/fields/fields.yml
@@ -0,0 +1,1626 @@
+- name: checkpoint
+ type: group
+ release: beta
+ fields:
+ - name: action_reason
+ type: integer
+ description: |
+ Connection drop reason.
+ - name: action_reason_msg
+ type: keyword
+ overwrite: true
+ description: |
+ Connection drop reason message.
+ - name: additional_info
+ type: keyword
+ description: |
+ ID of original file/mail which are sent by admin.
+ - name: additional_ip
+ type: keyword
+ description: |
+ DNS host name.
+ - name: additional_rdata
+ type: keyword
+ description: |
+ List of additional resource records.
+ - name: alert
+ type: keyword
+ description: |
+ Alert level of matched rule (for connection logs).
+ - name: allocated_ports
+ type: integer
+ description: |
+ Amount of allocated ports.
+ - name: analyzed_on
+ type: keyword
+ description: |
+ Check Point ThreatCloud / emulator name.
+ - name: answer_rdata
+ type: keyword
+ description: |
+ List of answer resource records to the questioned domains.
+ - name: anti_virus_type
+ type: keyword
+ description: |
+ Anti virus type.
+ - name: app_desc
+ type: keyword
+ description: |
+ Application description.
+ - name: app_id
+ type: integer
+ description: |
+ Application ID.
+ - name: app_package
+ type: keyword
+ description: |
+ Unique identifier of the application on the protected mobile device.
+ - name: app_properties
+ type: keyword
+ description: |
+ List of all found categories.
+ - name: app_repackaged
+ type: keyword
+ description: |
+ Indicates whether the original application was repackage not by the official developer.
+ - name: app_sid_id
+ type: keyword
+ description: |
+ Unique SHA identifier of a mobile application.
+ - name: app_sig_id
+ type: keyword
+ description: |
+ IOC indicator description.
+ - name: app_version
+ type: keyword
+ description: |
+ Version of the application downloaded on the protected mobile device.
+ - name: appi_name
+ type: keyword
+ description: |
+ Name of application downloaded on the protected mobile device.
+ - name: arrival_time
+ type: keyword
+ description: |
+ Email arrival timestamp.
+ - name: attachments_num
+ type: integer
+ description: |
+ Number of attachments in the mail.
+ - name: attack_status
+ type: keyword
+ description: |
+ In case of a malicious event on an endpoint computer, the status of the attack.
+ - name: audit_status
+ type: keyword
+ description: |
+ Audit Status. Can be Success or Failure.
+ - name: auth_method
+ type: keyword
+ description: |
+ Password authentication protocol used (PAP or EAP).
+ - name: authority_rdata
+ type: keyword
+ description: |
+ List of authoritative servers.
+ - name: authorization
+ type: keyword
+ description: |
+ Authorization HTTP header value.
+ - name: bcc
+ type: keyword
+ description: |
+ List of BCC addresses.
+ - name: blade_name
+ type: keyword
+ description: |
+ Blade name.
+ - name: broker_publisher
+ type: ip
+ description: |
+ IP address of the broker publisher who shared the session information.
+ - name: browse_time
+ type: keyword
+ description: |
+ Application session browse time.
+ - name: c_bytes
+ type: integer
+ description: |
+ Boolean value indicates whether bytes sent from the client side are used.
+ - name: calc_desc
+ type: keyword
+ description: |
+ Log description.
+ - name: capacity
+ type: integer
+ description: |
+ Capacity of the ports.
+ - name: capture_uuid
+ type: keyword
+ description: |
+ UUID generated for the capture. Used when enabling the capture when logging.
+ - name: cc
+ type: keyword
+ description: |
+ The Carbon Copy address of the email.
+ - name: certificate_resource
+ type: keyword
+ description: |
+ HTTPS resource Possible values: SNI or domain name (DN).
+ - name: certificate_validation
+ type: keyword
+ description: |
+ Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature.
+ - name: cgnet
+ type: keyword
+ description: |
+ Describes NAT allocation for specific subscriber.
+ - name: chunk_type
+ type: keyword
+ description: |
+ Chunck of the sctp stream.
+ - name: client_name
+ type: keyword
+ description: |
+ Client Application or Software Blade that detected the event.
+ - name: client_type
+ type: keyword
+ description: |
+ Endpoint Connect.
+ - name: client_type_os
+ type: keyword
+ description: |
+ Client OS detected in the HTTP request.
+ - name: client_version
+ type: keyword
+ description: |
+ Build version of SandBlast Agent client installed on the computer.
+ - name: cluster_info
+ type: keyword
+ description: |
+ Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party.
+ - name: comment
+ type: keyword
+ - name: community
+ type: keyword
+ description: |
+ Community name for the IPSec key and the use of the IKEv.
+ - name: confidence_level
+ type: integer
+ description: |
+ Confidence level determined by ThreatCloud.
+ - name: conn_direction
+ type: keyword
+ description: Connection direction
+ - name: connection_uid
+ type: keyword
+ description: |
+ Calculation of md5 of the IP and user name as UID.
+ - name: connectivity_level
+ type: keyword
+ description: |
+ Log for a new connection in wire mode.
+ - name: conns_amount
+ type: integer
+ description: |
+ Connections amount of aggregated log info.
+ - name: content_disposition
+ type: keyword
+ description: |
+ Indicates how the content is expected to be displayed inline in the browser.
+ - name: content_length
+ type: keyword
+ description: |
+ Indicates the size of the entity-body of the HTTP header.
+ - name: content_risk
+ type: integer
+ description: |
+ File risk.
+ - name: content_type
+ type: keyword
+ description: |
+ Mail content type. Possible values: application/msword, text/html, image/gif etc.
+ - name: context_num
+ type: integer
+ description: |
+ Serial number of the log for a specific connection.
+ - name: cookieI
+ type: keyword
+ description: |
+ Initiator cookie.
+ - name: cookieR
+ type: keyword
+ description: |
+ Responder cookie.
+ - name: cp_message
+ type: integer
+ description: |
+ Used to log a general message.
+ - name: cvpn_category
+ type: keyword
+ description: |
+ Mobile Access application type.
+ - name: cvpn_resource
+ type: keyword
+ description: |
+ Mobile Access application.
+ - name: data_type_name
+ type: keyword
+ description: |
+ Data type in rulebase that was matched.
+ - name: db_ver
+ type: keyword
+ description: Database version
+ - name: dce-rpc_interface_uuid
+ type: keyword
+ description: |
+ Log for new RPC state - UUID values
+ - name: delivery_time
+ type: keyword
+ description: |
+ Timestamp of when email was delivered (MTA finished handling the email.
+ - name: desc
+ type: keyword
+ description: |
+ Override application description.
+ - name: description
+ type: keyword
+ description: |
+ Additional explanation how the security gateway enforced the connection.
+ - name: destination_object
+ type: keyword
+ description: |
+ Matched object name on destination column.
+ - name: detected_on
+ type: keyword
+ description: |
+ System and applications version the file was emulated on.
+ - name: developer_certificate_name
+ type: keyword
+ description: |
+ Name of the developer's certificate that was used to sign the mobile application.
+ - name: diameter_app_ID
+ type: integer
+ description: |
+ The ID of diameter application.
+ - name: diameter_cmd_code
+ type: integer
+ description: |
+ Diameter not allowed application command id.
+ - name: diameter_msg_type
+ type: keyword
+ description: |
+ Diameter message type.
+ - name: dlp_action_reason
+ type: keyword
+ description: |
+ Action chosen reason.
+ - name: dlp_additional_action
+ type: keyword
+ description: |
+ Watermark/None.
+ - name: dlp_categories
+ type: keyword
+ description: |
+ Data type category.
+ - name: dlp_data_type_name
+ type: keyword
+ description: |
+ Matched data type.
+ - name: dlp_data_type_uid
+ type: keyword
+ description: |
+ Unique ID of the matched data type.
+ - name: dlp_fingerprint_files_number
+ type: integer
+ description: |
+ Number of successfully scanned files in repository.
+ - name: dlp_fingerprint_long_status
+ type: keyword
+ description: |
+ Scan status - long format.
+ - name: dlp_fingerprint_short_status
+ type: keyword
+ description: |
+ Scan status - short format.
+ - name: dlp_incident_uid
+ type: keyword
+ description: |
+ Unique ID of the matched rule.
+ - name: dlp_recipients
+ type: keyword
+ description: |
+ Mail recipients.
+ - name: dlp_related_incident_uid
+ type: keyword
+ description: |
+ Other ID related to this one.
+ - name: dlp_relevant_data_types
+ type: keyword
+ description: |
+ In case of Compound/Group: the inner data types that were matched.
+ - name: dlp_repository_directories_number
+ type: integer
+ description: |
+ Number of directories in repository.
+ - name: dlp_repository_files_number
+ type: integer
+ description: |
+ Number of files in repository.
+ - name: dlp_repository_id
+ type: keyword
+ description: |
+ ID of scanned repository.
+ - name: dlp_repository_not_scanned_directories_percentage
+ type: integer
+ description: |
+ Percentage of directories the Security Gateway was unable to read.
+ - name: dlp_repository_reached_directories_number
+ type: integer
+ description: |
+ Number of scanned directories in repository.
+ - name: dlp_repository_root_path
+ type: keyword
+ description: |
+ Repository path.
+ - name: dlp_repository_scan_progress
+ type: integer
+ description: |
+ Scan percentage.
+ - name: dlp_repository_scanned_directories_number
+ type: integer
+ description: |
+ Amount of directories scanned.
+ - name: dlp_repository_scanned_files_number
+ type: integer
+ description: |
+ Number of scanned files in repository.
+ - name: dlp_repository_scanned_total_size
+ type: integer
+ description: |
+ Size scanned.
+ - name: dlp_repository_skipped_files_number
+ type: integer
+ description: |
+ Skipped number of files because of configuration.
+ - name: dlp_repository_total_size
+ type: integer
+ description: |
+ Repository size.
+ - name: dlp_repository_unreachable_directories_number
+ type: integer
+ description: |
+ Number of directories the Security Gateway was unable to read.
+ - name: dlp_rule_name
+ type: keyword
+ description: |
+ Matched rule name.
+ - name: dlp_subject
+ type: keyword
+ description: |
+ Mail subject.
+ - name: dlp_template_score
+ type: keyword
+ description: |
+ Template data type match score.
+ - name: dlp_transint
+ type: keyword
+ description: |
+ HTTP/SMTP/FTP.
+ - name: dlp_violation_description
+ type: keyword
+ description: |
+ Violation descriptions described in the rulebase.
+ - name: dlp_watermark_profile
+ type: keyword
+ description: |
+ Watermark which was applied.
+ - name: dlp_word_list
+ type: keyword
+ description: |
+ Phrases matched by data type.
+ - name: dns_query
+ type: keyword
+ description: |
+ DNS query.
+ - name: drop_reason
+ type: keyword
+ description: |
+ Drop reason description.
+ - name: dropped_file_hash
+ type: keyword
+ description: |
+ List of file hashes dropped from the original file.
+ - name: dropped_file_name
+ type: keyword
+ description: |
+ List of names dropped from the original file.
+ - name: dropped_file_type
+ type: keyword
+ description: |
+ List of file types dropped from the original file.
+ - name: dropped_file_verdict
+ type: keyword
+ description: |
+ List of file verdics dropped from the original file.
+ - name: dropped_incoming
+ type: integer
+ description: |
+ Number of incoming bytes dropped when using UP-limit feature.
+ - name: dropped_outgoing
+ type: integer
+ description: |
+ Number of outgoing bytes dropped when using UP-limit feature.
+ - name: dropped_total
+ type: integer
+ description: |
+ Amount of dropped packets (both incoming and outgoing).
+ - name: drops_amount
+ type: integer
+ description: |
+ Amount of multicast packets dropped.
+ - name: dst_country
+ type: keyword
+ description: |
+ Destination country.
+ - name: dst_phone_number
+ type: keyword
+ description: |
+ Destination IP-Phone.
+ - name: dst_user_name
+ type: keyword
+ description: |
+ Connected user name on the destination IP.
+ - name: dstkeyid
+ type: keyword
+ description: |
+ Responder Spi ID.
+ - name: duplicate
+ type: keyword
+ description: |
+ Log marked as duplicated, when mail is split and the Security Gateway sees it twice.
+ - name: duration
+ type: keyword
+ description: "Scan duration. \n"
+ - name: elapsed
+ type: keyword
+ description: |
+ Time passed since start time.
+ - name: email_content
+ type: keyword
+ description: |
+ Mail contents. Possible options: attachments/links & attachments/links/text only.
+ - name: email_control
+ type: keyword
+ description: |
+ Engine name.
+ - name: email_control_analysis
+ type: keyword
+ description: |
+ Message classification, received from spam vendor engine.
+ - name: email_headers
+ type: keyword
+ description: |
+ String containing all the email headers.
+ - name: email_id
+ type: keyword
+ description: |
+ Email number in smtp connection.
+ - name: email_message_id
+ type: keyword
+ description: |
+ Email session id (uniqe ID of the mail).
+ - name: email_queue_id
+ type: keyword
+ description: |
+ Postfix email queue id.
+ - name: email_queue_name
+ type: keyword
+ description: |
+ Postfix email queue name.
+ - name: email_recipients_num
+ type: long
+ description: |
+ Amount of recipients whom the mail was sent to.
+ - name: email_session_id
+ type: keyword
+ description: |
+ Connection uuid.
+ - name: email_spam_category
+ type: keyword
+ description: |
+ Email categories. Possible values: spam/not spam/phishing.
+ - name: email_status
+ type: keyword
+ description: |
+ Describes the email's state.
Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended
+ - name: email_subject
+ type: keyword
+ description: |
+ Original email subject.
+ - name: emulated_on
+ type: keyword
+ description: |
+ Images the files were emulated on.
+ - name: encryption_failure
+ type: keyword
+ description: |
+ Message indicating why the encryption failed.
+ - name: end_time
+ type: keyword
+ description: |
+ TCP connection end time.
+ - name: end_user_firewall_type
+ type: keyword
+ description: |
+ End user firewall type.
+ - name: esod_access_status
+ type: keyword
+ description: |
+ Access denied.
+ - name: esod_associated_policies
+ type: keyword
+ description: |
+ Associated policies.
+ - name: esod_noncompliance_reason
+ type: keyword
+ description: |
+ Non-compliance reason.
+ - name: esod_rule_action
+ type: keyword
+ description: |
+ Unknown rule action.
+ - name: esod_rule_name
+ type: keyword
+ description: |
+ Unknown rule name.
+ - name: esod_rule_type
+ type: keyword
+ description: |
+ Unknown rule type.
+ - name: esod_scan_status
+ type: keyword
+ description: |
+ Scan failed.
+ - name: event_count
+ type: long
+ description: |
+ Number of events associated with the log.
+ - name: expire_time
+ type: keyword
+ description: |
+ Connection closing time.
+ - name: extension_version
+ type: keyword
+ description: |
+ Build version of the SandBlast Agent browser extension.
+ - name: extracted_file_hash
+ type: keyword
+ description: |
+ Archive hash in case of extracted files.
+ - name: extracted_file_names
+ type: keyword
+ description: |
+ Names of extracted files in case of an archive.
+ - name: extracted_file_type
+ type: keyword
+ description: |
+ Types of extracted files in case of an archive.
+ - name: extracted_file_uid
+ type: keyword
+ description: |
+ UID of extracted files in case of an archive.
+ - name: extracted_file_verdict
+ type: keyword
+ description: |
+ Verdict of extracted files in case of an archive.
+ - name: failure_impact
+ type: keyword
+ description: |
+ The impact of update service failure.
+ - name: failure_reason
+ type: keyword
+ description: |
+ MTA failure description.
+ - name: file_direction
+ type: keyword
+ description: |
+ File direction. Possible options: upload/download.
+ - name: file_name
+ type: keyword
+ description: |
+ Malicious file name.
+ - name: files_names
+ type: keyword
+ description: |
+ List of files requested by FTP.
+ - name: first_hit_time
+ type: integer
+ description: |
+ First hit time in current interval.
+ - name: fs-proto
+ type: keyword
+ description: |
+ The file share protocol used in mobile acess file share application.
+ - name: ftp_user
+ type: keyword
+ description: |
+ FTP username.
+ - name: fw_message
+ type: keyword
+ description: |
+ Used for various firewall errors.
+ - name: fw_subproduct
+ type: keyword
+ description: |
+ Can be vpn/non vpn.
+ - name: hide_ip
+ type: ip
+ description: |
+ Source IP which will be used after CGNAT.
+ - name: hit
+ type: integer
+ description: |
+ Number of hits on a rule.
+ - name: host_time
+ type: keyword
+ description: |
+ Local time on the endpoint computer.
+ - name: http_host
+ type: keyword
+ description: |
+ Domain name of the server that the HTTP request is sent to.
+ - name: http_location
+ type: keyword
+ description: |
+ Response header, indicates the URL to redirect a page to.
+ - name: http_server
+ type: keyword
+ description: |
+ Server HTTP header value, contains information about the software used by the origin server, which handles the request.
+ - name: https_inspection_action
+ type: keyword
+ description: |
+ HTTPS inspection action (Inspect/Bypass/Error).
+ - name: https_inspection_rule_id
+ type: keyword
+ description: |
+ ID of the matched rule.
+ - name: https_inspection_rule_name
+ type: keyword
+ description: |
+ Name of the matched rule.
+ - name: https_validation
+ type: keyword
+ description: |
+ Precise error, describing HTTPS inspection failure.
+ - name: icap_more_info
+ type: integer
+ description: |
+ Free text for verdict.
+ - name: icap_server_name
+ type: keyword
+ description: |
+ Server name.
+ - name: icap_server_service
+ type: keyword
+ description: |
+ Service name, as given in the ICAP URI
+ - name: icap_service_id
+ type: integer
+ description: |
+ Service ID, can work with multiple servers, treated as services.
+ - name: icmp
+ type: keyword
+ description: |
+ Number of packets, received by the client.
+ - name: icmp_code
+ type: long
+ description: |
+ In case a connection is ICMP, code info will be added to the log.
+ - name: icmp_type
+ type: long
+ description: |
+ In case a connection is ICMP, type info will be added to the log.
+ - name: id
+ type: integer
+ description: |
+ Override application ID.
+ - name: ike
+ type: keyword
+ description: |
+ IKEMode (PHASE1, PHASE2, etc..).
+ - name: ike_ids
+ type: keyword
+ description: |
+ All QM ids.
+ - name: impacted_files
+ type: keyword
+ description: |
+ In case of an infection on an endpoint computer, the list of files that the malware impacted.
+ - name: incident_extension
+ type: keyword
+ description: |
+ Matched data type.
+ - name: indicator_description
+ type: keyword
+ description: |
+ IOC indicator description.
+ - name: indicator_name
+ type: keyword
+ description: |
+ IOC indicator name.
+ - name: indicator_reference
+ type: keyword
+ description: |
+ IOC indicator reference.
+ - name: indicator_uuid
+ type: keyword
+ description: |
+ IOC indicator uuid.
+ - name: info
+ type: keyword
+ description: |
+ Special log message.
+ - name: information
+ type: keyword
+ description: |
+ Policy installation status for a specific blade.
+ - name: inspection_category
+ type: keyword
+ description: |
+ Inspection category: protocol anomaly, signature etc.
+ - name: inspection_item
+ type: keyword
+ description: |
+ Blade element performed inspection.
+ - name: inspection_profile
+ type: keyword
+ description: |
+ Profile which the activated protection belongs to.
+ - name: inspection_settings_log
+ type: keyword
+ description: |
+ Indicats that the log was released by inspection settings.
+ - name: installed_products
+ type: keyword
+ description: |
+ List of installed Endpoint Software Blades.
+ - name: int_end
+ type: integer
+ description: |
+ Subscriber end int which will be used for NAT.
+ - name: int_start
+ type: integer
+ description: |
+ Subscriber start int which will be used for NAT.
+ - name: interface_name
+ type: keyword
+ description: |
+ Designated interface for mirror And decrypt.
+ - name: internal_error
+ type: keyword
+ description: |
+ Internal error, for troubleshooting
+ - name: invalid_file_size
+ type: integer
+ description: |
+ File_size field is valid only if this field is set to 0.
+ - name: ip_option
+ type: integer
+ description: |
+ IP option that was dropped.
+ - name: isp_link
+ type: keyword
+ description: |
+ Name of ISP link.
+ - name: last_hit_time
+ type: integer
+ description: |
+ Last hit time in current interval.
+ - name: last_rematch_time
+ type: keyword
+ description: |
+ Connection rematched time.
+ - name: layer_name
+ type: keyword
+ description: |
+ Layer name.
+ - name: layer_uuid
+ type: keyword
+ description: |
+ Layer UUID.
+ - name: limit_applied
+ type: integer
+ description: |
+ Indicates whether the session was actually date limited.
+ - name: limit_requested
+ type: integer
+ description: |
+ Indicates whether data limit was requested for the session.
+ - name: link_probing_status_update
+ type: keyword
+ description: |
+ IP address response status.
+ - name: links_num
+ type: integer
+ description: |
+ Number of links in the mail.
+ - name: log_delay
+ type: integer
+ description: |
+ Time left before deleting template.
+ - name: log_id
+ type: integer
+ description: |
+ Unique identity for logs.
+ - name: logid
+ type: keyword
+ description: |
+ System messages
+ - name: long_desc
+ type: keyword
+ description: |
+ More information on the process (usually describing error reason in failure).
+ - name: machine
+ type: keyword
+ description: |
+ L2TP machine which triggered the log and the log refers to it.
+ - name: malware_family
+ type: keyword
+ description: |
+ Additional information on protection.
+ - name: match_fk
+ type: integer
+ description: |
+ Rule number.
+ - name: match_id
+ type: integer
+ description: |
+ Private key of the rule
+ - name: matched_file
+ type: keyword
+ description: |
+ Unique ID of the matched data type.
+ - name: matched_file_percentage
+ type: integer
+ description: |
+ Fingerprint: match percentage of the traffic.
+ - name: matched_file_text_segments
+ type: integer
+ description: |
+ Fingerprint: number of text segments matched by this traffic.
+ - name: media_type
+ type: keyword
+ description: |
+ Media used (audio, video, etc.)
+ - name: message
+ type: keyword
+ description: |
+ ISP link has failed.
+ - name: message_info
+ type: keyword
+ description: |
+ Used for information messages, for example:NAT connection has ended.
+ - name: message_size
+ type: integer
+ description: |
+ Mail/post size.
+ - name: method
+ type: keyword
+ description: |
+ HTTP method.
+ - name: methods
+ type: keyword
+ description: |
+ IPSEc methods.
+ - name: mime_from
+ type: keyword
+ description: |
+ Sender's address.
+ - name: mime_to
+ type: keyword
+ description: |
+ List of receiver address.
+ - name: mirror_and_decrypt_type
+ type: keyword
+ description: |
+ Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).
+ - name: mitre_collection
+ type: keyword
+ description: |
+ The adversary is trying to collect data of interest to achieve his goal.
+ - name: mitre_command_and_control
+ type: keyword
+ description: |
+ The adversary is trying to communicate with compromised systems in order to control them.
+ - name: mitre_credential_access
+ type: keyword
+ description: |
+ The adversary is trying to steal account names and passwords.
+ - name: mitre_defense_evasion
+ type: keyword
+ description: |
+ The adversary is trying to avoid being detected.
+ - name: mitre_discovery
+ type: keyword
+ description: |
+ The adversary is trying to expose information about your environment.
+ - name: mitre_execution
+ type: keyword
+ description: |
+ The adversary is trying to run malicious code.
+ - name: mitre_exfiltration
+ type: keyword
+ description: |
+ The adversary is trying to steal data.
+ - name: mitre_impact
+ type: keyword
+ description: |
+ The adversary is trying to manipulate, interrupt, or destroy your systems and data.
+ - name: mitre_initial_access
+ type: keyword
+ description: |
+ The adversary is trying to break into your network.
+ - name: mitre_lateral_movement
+ type: keyword
+ description: |
+ The adversary is trying to explore your environment.
+ - name: mitre_persistence
+ type: keyword
+ description: |
+ The adversary is trying to maintain his foothold.
+ - name: mitre_privilege_escalation
+ type: keyword
+ description: |
+ The adversary is trying to gain higher-level permissions.
+ - name: monitor_reason
+ type: keyword
+ description: |
+ Aggregated logs of monitored packets.
+ - name: msgid
+ type: keyword
+ description: |
+ Message ID.
+ - name: name
+ type: keyword
+ description: |
+ Application name.
+ - name: nat46
+ type: keyword
+ description: |
+ NAT 46 status, in most cases "enabled".
+ - name: nat_addtnl_rulenum
+ type: integer
+ description: |
+ When matching 2 automatic rules , second rule match will be shown otherwise field will be 0.
+ - name: nat_exhausted_pool
+ type: keyword
+ description: |
+ 4-tuple of an exhausted pool.
+ - name: nat_rulenum
+ type: integer
+ description: |
+ NAT rulebase first matched rule.
+ - name: needs_browse_time
+ type: integer
+ description: |
+ Browse time required for the connection.
+ - name: next_hop_ip
+ type: keyword
+ description: |
+ Next hop IP address.
+ - name: next_scheduled_scan_date
+ type: keyword
+ description: |
+ Next scan scheduled time according to time object.
+ - name: number_of_errors
+ type: integer
+ description: |
+ Number of files that were not scanned due to an error.
+ - name: objecttable
+ type: keyword
+ description: |
+ Table of affected objects.
+ - name: objecttype
+ type: keyword
+ description: |
+ The type of the affected object.
+ - name: observable_comment
+ type: keyword
+ description: |
+ IOC observable signature description.
+ - name: observable_id
+ type: keyword
+ description: |
+ IOC observable signature id.
+ - name: observable_name
+ type: keyword
+ description: |
+ IOC observable signature name.
+ - name: operation
+ type: keyword
+ description: |
+ Operation made by Threat Extraction.
+ - name: operation_number
+ type: keyword
+ description: |
+ The operation nuber.
+ - name: origin_sic_name
+ type: keyword
+ description: |
+ Machine SIC.
+ - name: original_queue_id
+ type: keyword
+ description: |
+ Original postfix email queue id.
+ - name: outgoing_url
+ type: keyword
+ description: |
+ URL related to this log (for HTTP).
+ - name: packet_amount
+ type: integer
+ description: |
+ Amount of packets dropped.
+ - name: packet_capture_unique_id
+ type: keyword
+ description: |
+ Identifier of the packet capture files.
+ - name: parent_file_hash
+ type: keyword
+ description: |
+ Archive's hash in case of extracted files.
+ - name: parent_file_name
+ type: keyword
+ description: |
+ Archive's name in case of extracted files.
+ - name: parent_file_uid
+ type: keyword
+ description: |
+ Archive's UID in case of extracted files.
+ - name: parent_process_username
+ type: keyword
+ description: |
+ Owner username of the parent process of the process that triggered the attack.
+ - name: parent_rule
+ type: integer
+ description: |
+ Parent rule number, in case of inline layer.
+ - name: peer_gateway
+ type: ip
+ description: |
+ Main IP of the peer Security Gateway.
+ - name: peer_ip
+ type: keyword
+ description: |
+ IP address which the client connects to.
+ - name: peer_ip_probing_status_update
+ type: keyword
+ description: |
+ IP address response status.
+ - name: performance_impact
+ type: integer
+ description: |
+ Protection performance impact.
+ - name: policy_mgmt
+ type: keyword
+ description: |
+ Name of the Management Server that manages this Security Gateway.
+ - name: policy_name
+ type: keyword
+ description: |
+ Name of the last policy that this Security Gateway fetched.
+ - name: ports_usage
+ type: integer
+ description: |
+ Percentage of allocated ports.
+ - name: ppp
+ type: keyword
+ description: |
+ Authentication status.
+ - name: precise_error
+ type: keyword
+ description: |
+ HTTP parser error.
+ - name: process_username
+ type: keyword
+ description: |
+ Owner username of the process that triggered the attack.
+ - name: properties
+ type: keyword
+ description: |
+ Application categories.
+ - name: protection_id
+ type: keyword
+ description: |
+ Protection malware id.
+ - name: protection_name
+ type: keyword
+ description: |
+ Specific signature name of the attack.
+ - name: protection_type
+ type: keyword
+ description: |
+ Type of protection used to detect the attack.
+ - name: protocol
+ type: keyword
+ description: |
+ Protocol detected on the connection.
+ - name: proxy_machine_name
+ type: integer
+ description: |
+ Machine name connected to proxy IP.
+ - name: proxy_src_ip
+ type: ip
+ description: |
+ Sender source IP (even when using proxy).
+ - name: proxy_user_dn
+ type: keyword
+ description: |
+ User distinguished name connected to proxy IP.
+ - name: proxy_user_name
+ type: keyword
+ description: |
+ User name connected to proxy IP.
+ - name: query
+ type: keyword
+ description: |
+ DNS query.
+ - name: question_rdata
+ type: keyword
+ description: |
+ List of question records domains.
+ - name: referrer
+ type: keyword
+ description: |
+ Referrer HTTP request header, previous web page address.
+ - name: referrer_parent_uid
+ type: keyword
+ description: |
+ Log UUID of the referring application.
+ - name: referrer_self_uid
+ type: keyword
+ description: |
+ UUID of the current log.
+ - name: registered_ip-phones
+ type: keyword
+ description: |
+ Registered IP-Phones.
+ - name: reject_category
+ type: keyword
+ description: |
+ Authentication failure reason.
+ - name: reject_id
+ type: keyword
+ description: |
+ A reject ID that corresponds to the one presented in the Mobile Access error page.
+ - name: rematch_info
+ type: keyword
+ description: |
+ Information sent when old connections cannot be matched during policy installation.
+ - name: remediated_files
+ type: keyword
+ description: |
+ In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.
+ - name: reply_status
+ type: integer
+ description: |
+ ICAP reply status code, e.g. 200 or 204.
+ - name: risk
+ type: keyword
+ description: |
+ Risk level we got from the engine.
+ - name: rpc_prog
+ type: integer
+ description: |
+ Log for new RPC state - prog values.
+ - name: rule
+ type: integer
+ description: |
+ Matched rule number.
+ - name: rule_action
+ type: keyword
+ description: |
+ Action of the matched rule in the access policy.
+ - name: rulebase_id
+ type: integer
+ description: |
+ Layer number.
+ - name: scan_direction
+ type: keyword
+ description: |
+ Scan direction.
+ - name: scan_hosts_day
+ type: integer
+ description: |
+ Number of unique hosts during the last day.
+ - name: scan_hosts_hour
+ type: integer
+ description: |
+ Number of unique hosts during the last hour.
+ - name: scan_hosts_week
+ type: integer
+ description: |
+ Number of unique hosts during the last week.
+ - name: scan_id
+ type: keyword
+ description: |
+ Sequential number of scan.
+ - name: scan_mail
+ type: integer
+ description: |
+ Number of emails that were scanned by "AB malicious activity" engine.
+ - name: scan_results
+ type: keyword
+ description: |
+ "Infected"/description of a failure.
+ - name: scheme
+ type: keyword
+ description: |
+ Describes the scheme used for the log.
+ - name: scope
+ type: keyword
+ description: |
+ IP related to the attack.
+ - name: scrub_activity
+ type: keyword
+ description: |
+ The result of the extraction
+ - name: scrub_download_time
+ type: keyword
+ description: |
+ File download time from resource.
+ - name: scrub_time
+ type: keyword
+ description: |
+ Extraction process duration.
+ - name: scrub_total_time
+ type: keyword
+ description: |
+ Threat extraction total file handling time.
+ - name: scrubbed_content
+ type: keyword
+ description: |
+ Active content that was found.
+ - name: sctp_association_state
+ type: keyword
+ description: |
+ The bad state you were trying to update to.
+ - name: sctp_error
+ type: keyword
+ description: |
+ Error information, what caused sctp to fail on out_of_state.
+ - name: scv_message_info
+ type: keyword
+ description: |
+ Drop reason.
+ - name: scv_user
+ type: keyword
+ description: |
+ Username whose packets are dropped on SCV.
+ - name: securexl_message
+ type: keyword
+ description: |
+ Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.
+ - name: session_id
+ type: keyword
+ description: |
+ Log uuid.
+ - name: session_uid
+ type: keyword
+ description: |
+ HTTP session-id.
+ - name: short_desc
+ type: keyword
+ description: |
+ Short description of the process that was executed.
+ - name: sig_id
+ type: keyword
+ description: |
+ Application's signature ID which how it was detected by.
+ - name: similar_communication
+ type: keyword
+ description: |
+ Network action found similar to the malicious file.
+ - name: similar_hashes
+ type: keyword
+ description: |
+ Hashes found similar to the malicious file.
+ - name: similar_strings
+ type: keyword
+ description: |
+ Strings found similar to the malicious file.
+ - name: similiar_iocs
+ type: keyword
+ description: |
+ Other IoCs similar to the ones found, related to the malicious file.
+ - name: sip_reason
+ type: keyword
+ description: |
+ Explains why 'source_ip' isn't allowed to redirect (handover).
+ - name: site_name
+ type: keyword
+ description: |
+ Site name.
+ - name: source_interface
+ type: keyword
+ description: |
+ External Interface name for source interface or Null if not found.
+ - name: source_object
+ type: keyword
+ description: |
+ Matched object name on source column.
+ - name: source_os
+ type: keyword
+ description: |
+ OS which generated the attack.
+ - name: special_properties
+ type: integer
+ description: |
+ If this field is set to '1' the log will not be shown (in use for monitoring scan progress).
+ - name: specific_data_type_name
+ type: keyword
+ description: |
+ Compound/Group scenario, data type that was matched.
+ - name: speed
+ type: integer
+ description: |
+ Current scan speed.
+ - name: spyware_name
+ type: keyword
+ description: |
+ Spyware name.
+ - name: spyware_type
+ type: keyword
+ description: |
+ Spyware type.
+ - name: src_country
+ type: keyword
+ description: |
+ Country name, derived from connection source IP address.
+ - name: src_phone_number
+ type: keyword
+ description: |
+ Source IP-Phone.
+ - name: src_user_dn
+ type: keyword
+ description: |
+ User distinguished name connected to source IP.
+ - name: src_user_name
+ type: keyword
+ description: |
+ User name connected to source IP
+ - name: srckeyid
+ type: keyword
+ description: |
+ Initiator Spi ID.
+ - name: status
+ type: keyword
+ description: |
+ Ok/Warning/Error.
+ - name: status_update
+ type: keyword
+ description: |
+ Last time log was updated.
+ - name: sub_policy_name
+ type: keyword
+ description: |
+ Layer name.
+ - name: sub_policy_uid
+ type: keyword
+ description: |
+ Layer uid.
+ - name: subscriber
+ type: ip
+ description: |
+ Source IP before CGNAT.
+ - name: summary
+ type: keyword
+ description: |
+ Summary message of a non-compliant DNS traffic drops or detects.
+ - name: suppressed_logs
+ type: integer
+ description: |
+ Aggregated connections for five minutes on the same source, destination and port.
+ - name: sync
+ type: keyword
+ description: |
+ Sync status and the reason (stable, at risk).
+ - name: sys_message
+ type: keyword
+ description: |
+ System messages
+ - name: tcp_end_reason
+ type: keyword
+ description: |
+ Reason for TCP connection closure.
+ - name: tcp_flags
+ type: keyword
+ description: |
+ TCP packet flags (SYN, ACK, etc.,).
+ - name: tcp_packet_out_of_state
+ type: keyword
+ description: |
+ State violation.
+ - name: tcp_state
+ type: keyword
+ description: |
+ Log reinting a tcp state change.
+ - name: te_verdict_determined_by
+ type: keyword
+ description: |
+ Emulators determined file verdict.
+ - name: ticket_id
+ type: keyword
+ description: |
+ Unique ID per file.
+ - name: tls_server_host_name
+ type: keyword
+ description: |
+ SNI/CN from encrypted TLS connection used by URLF for categorization.
+ - name: top_archive_file_name
+ type: keyword
+ description: |
+ In case of archive file: the file that was sent/received.
+ - name: total_attachments
+ type: integer
+ description: |
+ The number of attachments in an email.
+ - name: triggered_by
+ type: keyword
+ description: |
+ The name of the mechanism that triggered the Software Blade to enforce a protection.
+ - name: trusted_domain
+ type: keyword
+ description: In case of phishing event, the domain, which the attacker was impersonating.
+ - name: unique_detected_day
+ type: integer
+ description: |
+ Detected virus for a specific host during the last day.
+ - name: unique_detected_hour
+ type: integer
+ description: |
+ Detected virus for a specific host during the last hour.
+ - name: unique_detected_week
+ type: integer
+ description: |
+ Detected virus for a specific host during the last week.
+ - name: update_status
+ type: keyword
+ description: Status of database update
+ - name: url
+ type: keyword
+ description: |
+ Translated URL.
+ - name: user
+ type: keyword
+ description: |
+ Source user name.
+ - name: user_agent
+ type: keyword
+ description: |
+ String identifying requesting software user agent.
+ - name: vendor_list
+ type: keyword
+ description: |
+ The vendor name that provided the verdict for a malicious URL.
+ - name: verdict
+ type: keyword
+ description: |
+ TE engine verdict Possible values: Malicious/Benign/Error.
+ - name: via
+ type: keyword
+ description: |
+ Via header is added by proxies for tracking purposes to avoid sending reqests in loop.
+ - name: voip_attach_action_info
+ type: keyword
+ description: |
+ Attachment action Info.
+ - name: voip_attach_sz
+ type: integer
+ description: |
+ Attachment size.
+ - name: voip_call_dir
+ type: keyword
+ description: |
+ Call direction: in/out.
+ - name: voip_call_id
+ type: keyword
+ description: |
+ Call-ID.
+ - name: voip_call_state
+ type: keyword
+ description: |
+ Call state. Possible values: in/out.
+ - name: voip_call_term_time
+ type: keyword
+ description: |
+ Call termination time stamp.
+ - name: voip_config
+ type: keyword
+ description: |
+ Configuration.
+ - name: voip_duration
+ type: keyword
+ description: |
+ Call duration (seconds).
+ - name: voip_est_codec
+ type: keyword
+ description: |
+ Estimated codec.
+ - name: voip_exp
+ type: integer
+ description: |
+ Expiration.
+ - name: voip_from_user_type
+ type: keyword
+ description: |
+ Source IP-Phone type.
+ - name: voip_log_type
+ type: keyword
+ description: |
+ VoIP log types. Possible values: reject, call, registration.
+ - name: voip_media_codec
+ type: keyword
+ description: |
+ Estimated codec.
+ - name: voip_media_ipp
+ type: keyword
+ description: |
+ Media IP protocol.
+ - name: voip_media_port
+ type: keyword
+ description: |
+ Media int.
+ - name: voip_method
+ type: keyword
+ description: |
+ Registration request.
+ - name: voip_reason_info
+ type: keyword
+ description: |
+ Information.
+ - name: voip_reg_int
+ type: integer
+ description: |
+ Registration port.
+ - name: voip_reg_ipp
+ type: integer
+ description: |
+ Registration IP protocol.
+ - name: voip_reg_period
+ type: integer
+ description: |
+ Registration period.
+ - name: voip_reg_server
+ type: ip
+ description: |
+ Registrar server IP address.
+ - name: voip_reg_user_type
+ type: keyword
+ description: |
+ Registered IP-Phone type.
+ - name: voip_reject_reason
+ type: keyword
+ description: |
+ Reject reason.
+ - name: voip_to_user_type
+ type: keyword
+ description: |
+ Destination IP-Phone type.
+ - name: vpn_feature_name
+ type: keyword
+ description: |
+ L2TP /IKE / Link Selection.
+ - name: watermark
+ type: keyword
+ description: |
+ Reports whether watermark is added to the cleaned file.
+ - name: web_server_type
+ type: keyword
+ description: |
+ Web server detected in the HTTP response.
+ - name: word_list
+ type: keyword
+ description: |
+ Words matched by data type.
diff --git a/packages/checkpoint/1.3.6/data_stream/firewall/manifest.yml b/packages/checkpoint/1.3.6/data_stream/firewall/manifest.yml
new file mode 100755
index 0000000000..48cc36a98f
--- /dev/null
+++ b/packages/checkpoint/1.3.6/data_stream/firewall/manifest.yml
@@ -0,0 +1,93 @@
+type: logs
+title: Check Point firewall logs
+streams:
+ - input: udp
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: udp.yml.hbs
+ title: Check Point firewall logs (syslog over UDP)
+ description: Collect Check Point firewall logs using udp input
+ - input: tcp
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: tcp.yml.hbs
+ title: Check Point firewall logs (syslog over TCP)
+ description: Collect Check Point firewall logs using tcp input
+ - input: logfile
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: log.yml.hbs
+ title: Check Point firewall logs (log)
+ description: Collect Check Point firewall logs using log input
diff --git a/packages/checkpoint/1.3.6/data_stream/firewall/sample_event.json b/packages/checkpoint/1.3.6/data_stream/firewall/sample_event.json
new file mode 100755
index 0000000000..bf273392bc
--- /dev/null
+++ b/packages/checkpoint/1.3.6/data_stream/firewall/sample_event.json
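Review bot: Neither the `udp` nor the `tcp` stream exposes the listener's bind address and port under `vars`, and the `logfile` stream has no path variable, so those values must be fixed inside `udp.yml.hbs`, `tcp.yml.hbs` and `log.yml.hbs` (not part of this diff) and cannot be set or restricted per policy from Fleet. If the templates bind a wildcard address, an operator has no way to confine the syslog listener to a management interface or pick a non-default port without editing the package. Consider adding `syslog_host`/`syslog_port` vars to the two network streams and a `paths` var to the logfile stream, as other syslog-based packages do, with the same defaults the templates currently hard-code. A short comment such as `# listen address/port are defined in the .hbs template` above each `template_path` would at least make the current coupling visible.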
@@ -0,0 +1,64 @@
+{
+ "@timestamp": "2020-03-29T13:19:20.000Z",
+ "agent": {
+ "ephemeral_id": "7c0059da-6518-4067-9e8d-0f1b316dfef5",
+ "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "checkpoint": {
+ "sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk"
+ },
+ "data_stream": {
+ "dataset": "checkpoint.firewall",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "created": "2021-12-25T09:18:51.178Z",
+ "dataset": "checkpoint.firewall",
+ "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}",
+ "ingested": "2021-12-25T09:18:52Z",
+ "kind": "event",
+ "sequence": 1,
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.32.7:52492"
+ }
+ },
+ "network": {
+ "direction": "inbound"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "daemon"
+ }
+ },
+ "name": "192.168.1.100",
+ "product": "System Monitor",
+ "type": "firewall",
+ "vendor": "Checkpoint"
+ },
+ "tags": [
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/checkpoint/1.3.6/docs/README.md b/packages/checkpoint/1.3.6/docs/README.md
new file mode 100755
index 0000000000..883b9f0073
--- /dev/null
+++ b/packages/checkpoint/1.3.6/docs/README.md
@@ -0,0 +1,662 @@
+# Check Point Integration
+
+This integration is for [Check Point](https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.8%20) products. It includes the
+following datasets for receiving logs:
+
+- `firewall` dataset: consists of log entries from the [Log Exporter](
+ https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323)
+ in the Syslog format.
+
+## Compatibility
+
+This module has been tested against Check Point Log Exporter on R80.X but should also work with R77.30.
+
+## Logs
+
+### Firewall
+
+Consists of log entries from the Log Exporter in the Syslog format.
+
+An example event for `firewall` looks as following:
+
+```json
+{
+ "@timestamp": "2020-03-29T13:19:20.000Z",
+ "agent": {
+ "ephemeral_id": "7c0059da-6518-4067-9e8d-0f1b316dfef5",
+ "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "checkpoint": {
+ "sys_message": "The eth0 interface is not protected by the anti-spoofing feature.
Your network may be at risk"
+ },
+ "data_stream": {
+ "dataset": "checkpoint.firewall",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "created": "2021-12-25T09:18:51.178Z",
+ "dataset": "checkpoint.firewall",
+ "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}",
+ "ingested": "2021-12-25T09:18:52Z",
+ "kind": "event",
+ "sequence": 1,
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.32.7:52492"
+ }
+ },
+ "network": {
+ "direction": "inbound"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "daemon"
+ }
+ },
+ "name": "192.168.1.100",
+ "product": "System Monitor",
+ "type": "firewall",
+ "vendor": "Checkpoint"
+ },
+ "tags": [
+ "forwarded"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| checkpoint.action_reason | Connection drop reason. | integer |
+| checkpoint.action_reason_msg | Connection drop reason message. | keyword |
+| checkpoint.additional_info | ID of original file/mail which are sent by admin. | keyword |
+| checkpoint.additional_ip | DNS host name. | keyword |
+| checkpoint.additional_rdata | List of additional resource records. | keyword |
+| checkpoint.alert | Alert level of matched rule (for connection logs). | keyword |
+| checkpoint.allocated_ports | Amount of allocated ports. | integer |
+| checkpoint.analyzed_on | Check Point ThreatCloud / emulator name. | keyword |
+| checkpoint.answer_rdata | List of answer resource records to the questioned domains. | keyword |
+| checkpoint.anti_virus_type | Anti virus type. | keyword |
+| checkpoint.app_desc | Application description. | keyword |
+| checkpoint.app_id | Application ID.
| integer |
+| checkpoint.app_package | Unique identifier of the application on the protected mobile device. | keyword |
+| checkpoint.app_properties | List of all found categories. | keyword |
+| checkpoint.app_repackaged | Indicates whether the original application was repackage not by the official developer. | keyword |
+| checkpoint.app_sid_id | Unique SHA identifier of a mobile application. | keyword |
+| checkpoint.app_sig_id | IOC indicator description. | keyword |
+| checkpoint.app_version | Version of the application downloaded on the protected mobile device. | keyword |
+| checkpoint.appi_name | Name of application downloaded on the protected mobile device. | keyword |
+| checkpoint.arrival_time | Email arrival timestamp. | keyword |
+| checkpoint.attachments_num | Number of attachments in the mail. | integer |
+| checkpoint.attack_status | In case of a malicious event on an endpoint computer, the status of the attack. | keyword |
+| checkpoint.audit_status | Audit Status. Can be Success or Failure. | keyword |
+| checkpoint.auth_method | Password authentication protocol used (PAP or EAP). | keyword |
+| checkpoint.authority_rdata | List of authoritative servers. | keyword |
+| checkpoint.authorization | Authorization HTTP header value. | keyword |
+| checkpoint.bcc | List of BCC addresses. | keyword |
+| checkpoint.blade_name | Blade name. | keyword |
+| checkpoint.broker_publisher | IP address of the broker publisher who shared the session information. | ip |
+| checkpoint.browse_time | Application session browse time. | keyword |
+| checkpoint.c_bytes | Boolean value indicates whether bytes sent from the client side are used. | integer |
+| checkpoint.calc_desc | Log description. | keyword |
+| checkpoint.capacity | Capacity of the ports. | integer |
+| checkpoint.capture_uuid | UUID generated for the capture. Used when enabling the capture when logging. | keyword |
+| checkpoint.cc | The Carbon Copy address of the email.
| keyword |
+| checkpoint.certificate_resource | HTTPS resource Possible values: SNI or domain name (DN). | keyword |
+| checkpoint.certificate_validation | Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. | keyword |
+| checkpoint.cgnet | Describes NAT allocation for specific subscriber. | keyword |
+| checkpoint.chunk_type | Chunck of the sctp stream. | keyword |
+| checkpoint.client_name | Client Application or Software Blade that detected the event. | keyword |
+| checkpoint.client_type | Endpoint Connect. | keyword |
+| checkpoint.client_type_os | Client OS detected in the HTTP request. | keyword |
+| checkpoint.client_version | Build version of SandBlast Agent client installed on the computer. | keyword |
+| checkpoint.cluster_info | Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. | keyword |
+| checkpoint.comment | | keyword |
+| checkpoint.community | Community name for the IPSec key and the use of the IKEv. | keyword |
+| checkpoint.confidence_level | Confidence level determined by ThreatCloud. | integer |
+| checkpoint.conn_direction | Connection direction | keyword |
+| checkpoint.connection_uid | Calculation of md5 of the IP and user name as UID. | keyword |
+| checkpoint.connectivity_level | Log for a new connection in wire mode. | keyword |
+| checkpoint.conns_amount | Connections amount of aggregated log info. | integer |
+| checkpoint.content_disposition | Indicates how the content is expected to be displayed inline in the browser. | keyword |
+| checkpoint.content_length | Indicates the size of the entity-body of the HTTP header. | keyword |
+| checkpoint.content_risk | File risk. | integer |
+| checkpoint.content_type | Mail content type. Possible values: application/msword, text/html, image/gif etc. | keyword |
+| checkpoint.context_num | Serial number of the log for a specific connection. | integer |
+| checkpoint.cookieI | Initiator cookie.
| keyword |
+| checkpoint.cookieR | Responder cookie. | keyword |
+| checkpoint.cp_message | Used to log a general message. | integer |
+| checkpoint.cvpn_category | Mobile Access application type. | keyword |
+| checkpoint.cvpn_resource | Mobile Access application. | keyword |
+| checkpoint.data_type_name | Data type in rulebase that was matched. | keyword |
+| checkpoint.db_ver | Database version | keyword |
+| checkpoint.dce-rpc_interface_uuid | Log for new RPC state - UUID values | keyword |
+| checkpoint.delivery_time | Timestamp of when email was delivered (MTA finished handling the email. | keyword |
+| checkpoint.desc | Override application description. | keyword |
+| checkpoint.description | Additional explanation how the security gateway enforced the connection. | keyword |
+| checkpoint.destination_object | Matched object name on destination column. | keyword |
+| checkpoint.detected_on | System and applications version the file was emulated on. | keyword |
+| checkpoint.developer_certificate_name | Name of the developer's certificate that was used to sign the mobile application. | keyword |
+| checkpoint.diameter_app_ID | The ID of diameter application. | integer |
+| checkpoint.diameter_cmd_code | Diameter not allowed application command id. | integer |
+| checkpoint.diameter_msg_type | Diameter message type. | keyword |
+| checkpoint.dlp_action_reason | Action chosen reason. | keyword |
+| checkpoint.dlp_additional_action | Watermark/None. | keyword |
+| checkpoint.dlp_categories | Data type category. | keyword |
+| checkpoint.dlp_data_type_name | Matched data type. | keyword |
+| checkpoint.dlp_data_type_uid | Unique ID of the matched data type. | keyword |
+| checkpoint.dlp_fingerprint_files_number | Number of successfully scanned files in repository. | integer |
+| checkpoint.dlp_fingerprint_long_status | Scan status - long format. | keyword |
+| checkpoint.dlp_fingerprint_short_status | Scan status - short format.
| keyword |
+| checkpoint.dlp_incident_uid | Unique ID of the matched rule. | keyword |
+| checkpoint.dlp_recipients | Mail recipients. | keyword |
+| checkpoint.dlp_related_incident_uid | Other ID related to this one. | keyword |
+| checkpoint.dlp_relevant_data_types | In case of Compound/Group: the inner data types that were matched. | keyword |
+| checkpoint.dlp_repository_directories_number | Number of directories in repository. | integer |
+| checkpoint.dlp_repository_files_number | Number of files in repository. | integer |
+| checkpoint.dlp_repository_id | ID of scanned repository. | keyword |
+| checkpoint.dlp_repository_not_scanned_directories_percentage | Percentage of directories the Security Gateway was unable to read. | integer |
+| checkpoint.dlp_repository_reached_directories_number | Number of scanned directories in repository. | integer |
+| checkpoint.dlp_repository_root_path | Repository path. | keyword |
+| checkpoint.dlp_repository_scan_progress | Scan percentage. | integer |
+| checkpoint.dlp_repository_scanned_directories_number | Amount of directories scanned. | integer |
+| checkpoint.dlp_repository_scanned_files_number | Number of scanned files in repository. | integer |
+| checkpoint.dlp_repository_scanned_total_size | Size scanned. | integer |
+| checkpoint.dlp_repository_skipped_files_number | Skipped number of files because of configuration. | integer |
+| checkpoint.dlp_repository_total_size | Repository size. | integer |
+| checkpoint.dlp_repository_unreachable_directories_number | Number of directories the Security Gateway was unable to read. | integer |
+| checkpoint.dlp_rule_name | Matched rule name. | keyword |
+| checkpoint.dlp_subject | Mail subject. | keyword |
+| checkpoint.dlp_template_score | Template data type match score. | keyword |
+| checkpoint.dlp_transint | HTTP/SMTP/FTP. | keyword |
+| checkpoint.dlp_violation_description | Violation descriptions described in the rulebase.
| keyword |
+| checkpoint.dlp_watermark_profile | Watermark which was applied. | keyword |
+| checkpoint.dlp_word_list | Phrases matched by data type. | keyword |
+| checkpoint.dns_query | DNS query. | keyword |
+| checkpoint.drop_reason | Drop reason description. | keyword |
+| checkpoint.dropped_file_hash | List of file hashes dropped from the original file. | keyword |
+| checkpoint.dropped_file_name | List of names dropped from the original file. | keyword |
+| checkpoint.dropped_file_type | List of file types dropped from the original file. | keyword |
+| checkpoint.dropped_file_verdict | List of file verdics dropped from the original file. | keyword |
+| checkpoint.dropped_incoming | Number of incoming bytes dropped when using UP-limit feature. | integer |
+| checkpoint.dropped_outgoing | Number of outgoing bytes dropped when using UP-limit feature. | integer |
+| checkpoint.dropped_total | Amount of dropped packets (both incoming and outgoing). | integer |
+| checkpoint.drops_amount | Amount of multicast packets dropped. | integer |
+| checkpoint.dst_country | Destination country. | keyword |
+| checkpoint.dst_phone_number | Destination IP-Phone. | keyword |
+| checkpoint.dst_user_name | Connected user name on the destination IP. | keyword |
+| checkpoint.dstkeyid | Responder Spi ID. | keyword |
+| checkpoint.duplicate | Log marked as duplicated, when mail is split and the Security Gateway sees it twice. | keyword |
+| checkpoint.duration | Scan duration. | keyword |
+| checkpoint.elapsed | Time passed since start time. | keyword |
+| checkpoint.email_content | Mail contents. Possible options: attachments/links & attachments/links/text only. | keyword |
+| checkpoint.email_control | Engine name. | keyword |
+| checkpoint.email_control_analysis | Message classification, received from spam vendor engine. | keyword |
+| checkpoint.email_headers | String containing all the email headers. | keyword |
+| checkpoint.email_id | Email number in smtp connection.
| keyword |
+| checkpoint.email_message_id | Email session id (uniqe ID of the mail). | keyword |
+| checkpoint.email_queue_id | Postfix email queue id. | keyword |
+| checkpoint.email_queue_name | Postfix email queue name. | keyword |
+| checkpoint.email_recipients_num | Amount of recipients whom the mail was sent to. | long |
+| checkpoint.email_session_id | Connection uuid. | keyword |
+| checkpoint.email_spam_category | Email categories. Possible values: spam/not spam/phishing. | keyword |
+| checkpoint.email_status | Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended | keyword |
+| checkpoint.email_subject | Original email subject. | keyword |
+| checkpoint.emulated_on | Images the files were emulated on. | keyword |
+| checkpoint.encryption_failure | Message indicating why the encryption failed. | keyword |
+| checkpoint.end_time | TCP connection end time. | keyword |
+| checkpoint.end_user_firewall_type | End user firewall type. | keyword |
+| checkpoint.esod_access_status | Access denied. | keyword |
+| checkpoint.esod_associated_policies | Associated policies. | keyword |
+| checkpoint.esod_noncompliance_reason | Non-compliance reason. | keyword |
+| checkpoint.esod_rule_action | Unknown rule action. | keyword |
+| checkpoint.esod_rule_name | Unknown rule name. | keyword |
+| checkpoint.esod_rule_type | Unknown rule type. | keyword |
+| checkpoint.esod_scan_status | Scan failed. | keyword |
+| checkpoint.event_count | Number of events associated with the log. | long |
+| checkpoint.expire_time | Connection closing time. | keyword |
+| checkpoint.extension_version | Build version of the SandBlast Agent browser extension. | keyword |
+| checkpoint.extracted_file_hash | Archive hash in case of extracted files. | keyword |
+| checkpoint.extracted_file_names | Names of extracted files in case of an archive.
| keyword |
+| checkpoint.extracted_file_type | Types of extracted files in case of an archive. | keyword |
+| checkpoint.extracted_file_uid | UID of extracted files in case of an archive. | keyword |
+| checkpoint.extracted_file_verdict | Verdict of extracted files in case of an archive. | keyword |
+| checkpoint.failure_impact | The impact of update service failure. | keyword |
+| checkpoint.failure_reason | MTA failure description. | keyword |
+| checkpoint.file_direction | File direction. Possible options: upload/download. | keyword |
+| checkpoint.file_name | Malicious file name. | keyword |
+| checkpoint.files_names | List of files requested by FTP. | keyword |
+| checkpoint.first_hit_time | First hit time in current interval. | integer |
+| checkpoint.fs-proto | The file share protocol used in mobile acess file share application. | keyword |
+| checkpoint.ftp_user | FTP username. | keyword |
+| checkpoint.fw_message | Used for various firewall errors. | keyword |
+| checkpoint.fw_subproduct | Can be vpn/non vpn. | keyword |
+| checkpoint.hide_ip | Source IP which will be used after CGNAT. | ip |
+| checkpoint.hit | Number of hits on a rule. | integer |
+| checkpoint.host_time | Local time on the endpoint computer. | keyword |
+| checkpoint.http_host | Domain name of the server that the HTTP request is sent to. | keyword |
+| checkpoint.http_location | Response header, indicates the URL to redirect a page to. | keyword |
+| checkpoint.http_server | Server HTTP header value, contains information about the software used by the origin server, which handles the request. | keyword |
+| checkpoint.https_inspection_action | HTTPS inspection action (Inspect/Bypass/Error). | keyword |
+| checkpoint.https_inspection_rule_id | ID of the matched rule. | keyword |
+| checkpoint.https_inspection_rule_name | Name of the matched rule. | keyword |
+| checkpoint.https_validation | Precise error, describing HTTPS inspection failure.
| keyword |
+| checkpoint.icap_more_info | Free text for verdict. | integer |
+| checkpoint.icap_server_name | Server name. | keyword |
+| checkpoint.icap_server_service | Service name, as given in the ICAP URI | keyword |
+| checkpoint.icap_service_id | Service ID, can work with multiple servers, treated as services. | integer |
+| checkpoint.icmp | Number of packets, received by the client. | keyword |
+| checkpoint.icmp_code | In case a connection is ICMP, code info will be added to the log. | long |
+| checkpoint.icmp_type | In case a connection is ICMP, type info will be added to the log. | long |
+| checkpoint.id | Override application ID. | integer |
+| checkpoint.ike | IKEMode (PHASE1, PHASE2, etc..). | keyword |
+| checkpoint.ike_ids | All QM ids. | keyword |
+| checkpoint.impacted_files | In case of an infection on an endpoint computer, the list of files that the malware impacted. | keyword |
+| checkpoint.incident_extension | Matched data type. | keyword |
+| checkpoint.indicator_description | IOC indicator description. | keyword |
+| checkpoint.indicator_name | IOC indicator name. | keyword |
+| checkpoint.indicator_reference | IOC indicator reference. | keyword |
+| checkpoint.indicator_uuid | IOC indicator uuid. | keyword |
+| checkpoint.info | Special log message. | keyword |
+| checkpoint.information | Policy installation status for a specific blade. | keyword |
+| checkpoint.inspection_category | Inspection category: protocol anomaly, signature etc. | keyword |
+| checkpoint.inspection_item | Blade element performed inspection. | keyword |
+| checkpoint.inspection_profile | Profile which the activated protection belongs to. | keyword |
+| checkpoint.inspection_settings_log | Indicats that the log was released by inspection settings. | keyword |
+| checkpoint.installed_products | List of installed Endpoint Software Blades. | keyword |
+| checkpoint.int_end | Subscriber end int which will be used for NAT.
| integer |
+| checkpoint.int_start | Subscriber start int which will be used for NAT. | integer |
+| checkpoint.interface_name | Designated interface for mirror And decrypt. | keyword |
+| checkpoint.internal_error | Internal error, for troubleshooting | keyword |
+| checkpoint.invalid_file_size | File_size field is valid only if this field is set to 0. | integer |
+| checkpoint.ip_option | IP option that was dropped. | integer |
+| checkpoint.isp_link | Name of ISP link. | keyword |
+| checkpoint.last_hit_time | Last hit time in current interval. | integer |
+| checkpoint.last_rematch_time | Connection rematched time. | keyword |
+| checkpoint.layer_name | Layer name. | keyword |
+| checkpoint.layer_uuid | Layer UUID. | keyword |
+| checkpoint.limit_applied | Indicates whether the session was actually date limited. | integer |
+| checkpoint.limit_requested | Indicates whether data limit was requested for the session. | integer |
+| checkpoint.link_probing_status_update | IP address response status. | keyword |
+| checkpoint.links_num | Number of links in the mail. | integer |
+| checkpoint.log_delay | Time left before deleting template. | integer |
+| checkpoint.log_id | Unique identity for logs. | integer |
+| checkpoint.logid | System messages | keyword |
+| checkpoint.long_desc | More information on the process (usually describing error reason in failure). | keyword |
+| checkpoint.machine | L2TP machine which triggered the log and the log refers to it. | keyword |
+| checkpoint.malware_family | Additional information on protection. | keyword |
+| checkpoint.match_fk | Rule number. | integer |
+| checkpoint.match_id | Private key of the rule | integer |
+| checkpoint.matched_file | Unique ID of the matched data type. | keyword |
+| checkpoint.matched_file_percentage | Fingerprint: match percentage of the traffic. | integer |
+| checkpoint.matched_file_text_segments | Fingerprint: number of text segments matched by this traffic.
| integer |
+| checkpoint.media_type | Media used (audio, video, etc.) | keyword |
+| checkpoint.message | ISP link has failed. | keyword |
+| checkpoint.message_info | Used for information messages, for example:NAT connection has ended. | keyword |
+| checkpoint.message_size | Mail/post size. | integer |
+| checkpoint.method | HTTP method. | keyword |
+| checkpoint.methods | IPSEc methods. | keyword |
+| checkpoint.mime_from | Sender's address. | keyword |
+| checkpoint.mime_to | List of receiver address. | keyword |
+| checkpoint.mirror_and_decrypt_type | Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). | keyword |
+| checkpoint.mitre_collection | The adversary is trying to collect data of interest to achieve his goal. | keyword |
+| checkpoint.mitre_command_and_control | The adversary is trying to communicate with compromised systems in order to control them. | keyword |
+| checkpoint.mitre_credential_access | The adversary is trying to steal account names and passwords. | keyword |
+| checkpoint.mitre_defense_evasion | The adversary is trying to avoid being detected. | keyword |
+| checkpoint.mitre_discovery | The adversary is trying to expose information about your environment. | keyword |
+| checkpoint.mitre_execution | The adversary is trying to run malicious code. | keyword |
+| checkpoint.mitre_exfiltration | The adversary is trying to steal data. | keyword |
+| checkpoint.mitre_impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data. | keyword |
+| checkpoint.mitre_initial_access | The adversary is trying to break into your network. | keyword |
+| checkpoint.mitre_lateral_movement | The adversary is trying to explore your environment. | keyword |
+| checkpoint.mitre_persistence | The adversary is trying to maintain his foothold.
| keyword |
+| checkpoint.mitre_privilege_escalation | The adversary is trying to gain higher-level permissions. | keyword |
+| checkpoint.monitor_reason | Aggregated logs of monitored packets. | keyword |
+| checkpoint.msgid | Message ID. | keyword |
+| checkpoint.name | Application name. | keyword |
+| checkpoint.nat46 | NAT 46 status, in most cases "enabled". | keyword |
+| checkpoint.nat_addtnl_rulenum | When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. | integer |
+| checkpoint.nat_exhausted_pool | 4-tuple of an exhausted pool. | keyword |
+| checkpoint.nat_rulenum | NAT rulebase first matched rule. | integer |
+| checkpoint.needs_browse_time | Browse time required for the connection. | integer |
+| checkpoint.next_hop_ip | Next hop IP address. | keyword |
+| checkpoint.next_scheduled_scan_date | Next scan scheduled time according to time object. | keyword |
+| checkpoint.number_of_errors | Number of files that were not scanned due to an error. | integer |
+| checkpoint.objecttable | Table of affected objects. | keyword |
+| checkpoint.objecttype | The type of the affected object. | keyword |
+| checkpoint.observable_comment | IOC observable signature description. | keyword |
+| checkpoint.observable_id | IOC observable signature id. | keyword |
+| checkpoint.observable_name | IOC observable signature name. | keyword |
+| checkpoint.operation | Operation made by Threat Extraction. | keyword |
+| checkpoint.operation_number | The operation nuber. | keyword |
+| checkpoint.origin_sic_name | Machine SIC. | keyword |
+| checkpoint.original_queue_id | Original postfix email queue id. | keyword |
+| checkpoint.outgoing_url | URL related to this log (for HTTP). | keyword |
+| checkpoint.packet_amount | Amount of packets dropped. | integer |
+| checkpoint.packet_capture_unique_id | Identifier of the packet capture files. | keyword |
+| checkpoint.parent_file_hash | Archive's hash in case of extracted files.
| keyword |
+| checkpoint.parent_file_name | Archive's name in case of extracted files. | keyword |
+| checkpoint.parent_file_uid | Archive's UID in case of extracted files. | keyword |
+| checkpoint.parent_process_username | Owner username of the parent process of the process that triggered the attack. | keyword |
+| checkpoint.parent_rule | Parent rule number, in case of inline layer. | integer |
+| checkpoint.peer_gateway | Main IP of the peer Security Gateway. | ip |
+| checkpoint.peer_ip | IP address which the client connects to. | keyword |
+| checkpoint.peer_ip_probing_status_update | IP address response status. | keyword |
+| checkpoint.performance_impact | Protection performance impact. | integer |
+| checkpoint.policy_mgmt | Name of the Management Server that manages this Security Gateway. | keyword |
+| checkpoint.policy_name | Name of the last policy that this Security Gateway fetched. | keyword |
+| checkpoint.ports_usage | Percentage of allocated ports. | integer |
+| checkpoint.ppp | Authentication status. | keyword |
+| checkpoint.precise_error | HTTP parser error. | keyword |
+| checkpoint.process_username | Owner username of the process that triggered the attack. | keyword |
+| checkpoint.properties | Application categories. | keyword |
+| checkpoint.protection_id | Protection malware id. | keyword |
+| checkpoint.protection_name | Specific signature name of the attack. | keyword |
+| checkpoint.protection_type | Type of protection used to detect the attack. | keyword |
+| checkpoint.protocol | Protocol detected on the connection. | keyword |
+| checkpoint.proxy_machine_name | Machine name connected to proxy IP. | integer |
+| checkpoint.proxy_src_ip | Sender source IP (even when using proxy). | ip |
+| checkpoint.proxy_user_dn | User distinguished name connected to proxy IP. | keyword |
+| checkpoint.proxy_user_name | User name connected to proxy IP. | keyword |
+| checkpoint.query | DNS query.
| keyword |
+| checkpoint.question_rdata | List of question records domains. | keyword |
+| checkpoint.referrer | Referrer HTTP request header, previous web page address. | keyword |
+| checkpoint.referrer_parent_uid | Log UUID of the referring application. | keyword |
+| checkpoint.referrer_self_uid | UUID of the current log. | keyword |
+| checkpoint.registered_ip-phones | Registered IP-Phones. | keyword |
+| checkpoint.reject_category | Authentication failure reason. | keyword |
+| checkpoint.reject_id | A reject ID that corresponds to the one presented in the Mobile Access error page. | keyword |
+| checkpoint.rematch_info | Information sent when old connections cannot be matched during policy installation. | keyword |
+| checkpoint.remediated_files | In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. | keyword |
+| checkpoint.reply_status | ICAP reply status code, e.g. 200 or 204. | integer |
+| checkpoint.risk | Risk level we got from the engine. | keyword |
+| checkpoint.rpc_prog | Log for new RPC state - prog values. | integer |
+| checkpoint.rule | Matched rule number. | integer |
+| checkpoint.rule_action | Action of the matched rule in the access policy. | keyword |
+| checkpoint.rulebase_id | Layer number. | integer |
+| checkpoint.scan_direction | Scan direction. | keyword |
+| checkpoint.scan_hosts_day | Number of unique hosts during the last day. | integer |
+| checkpoint.scan_hosts_hour | Number of unique hosts during the last hour. | integer |
+| checkpoint.scan_hosts_week | Number of unique hosts during the last week. | integer |
+| checkpoint.scan_id | Sequential number of scan. | keyword |
+| checkpoint.scan_mail | Number of emails that were scanned by "AB malicious activity" engine. | integer |
+| checkpoint.scan_results | "Infected"/description of a failure. | keyword |
+| checkpoint.scheme | Describes the scheme used for the log.
| keyword |
+| checkpoint.scope | IP related to the attack. | keyword |
+| checkpoint.scrub_activity | The result of the extraction | keyword |
+| checkpoint.scrub_download_time | File download time from resource. | keyword |
+| checkpoint.scrub_time | Extraction process duration. | keyword |
+| checkpoint.scrub_total_time | Threat extraction total file handling time. | keyword |
+| checkpoint.scrubbed_content | Active content that was found. | keyword |
+| checkpoint.sctp_association_state | The bad state you were trying to update to. | keyword |
+| checkpoint.sctp_error | Error information, what caused sctp to fail on out_of_state. | keyword |
+| checkpoint.scv_message_info | Drop reason. | keyword |
+| checkpoint.scv_user | Username whose packets are dropped on SCV. | keyword |
+| checkpoint.securexl_message | Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. | keyword |
+| checkpoint.session_id | Log uuid. | keyword |
+| checkpoint.session_uid | HTTP session-id. | keyword |
+| checkpoint.short_desc | Short description of the process that was executed. | keyword |
+| checkpoint.sig_id | Application's signature ID which how it was detected by. | keyword |
+| checkpoint.similar_communication | Network action found similar to the malicious file. | keyword |
+| checkpoint.similar_hashes | Hashes found similar to the malicious file. | keyword |
+| checkpoint.similar_strings | Strings found similar to the malicious file. | keyword |
+| checkpoint.similiar_iocs | Other IoCs similar to the ones found, related to the malicious file. | keyword |
+| checkpoint.sip_reason | Explains why 'source_ip' isn't allowed to redirect (handover). | keyword |
+| checkpoint.site_name | Site name. | keyword |
+| checkpoint.source_interface | External Interface name for source interface or Null if not found. | keyword |
+| checkpoint.source_object | Matched object name on source column.
| keyword |
+| checkpoint.source_os | OS which generated the attack. | keyword |
+| checkpoint.special_properties | If this field is set to '1' the log will not be shown (in use for monitoring scan progress). | integer |
+| checkpoint.specific_data_type_name | Compound/Group scenario, data type that was matched. | keyword |
+| checkpoint.speed | Current scan speed. | integer |
+| checkpoint.spyware_name | Spyware name. | keyword |
+| checkpoint.spyware_type | Spyware type. | keyword |
+| checkpoint.src_country | Country name, derived from connection source IP address. | keyword |
+| checkpoint.src_phone_number | Source IP-Phone. | keyword |
+| checkpoint.src_user_dn | User distinguished name connected to source IP. | keyword |
+| checkpoint.src_user_name | User name connected to source IP | keyword |
+| checkpoint.srckeyid | Initiator Spi ID. | keyword |
+| checkpoint.status | Ok/Warning/Error. | keyword |
+| checkpoint.status_update | Last time log was updated. | keyword |
+| checkpoint.sub_policy_name | Layer name. | keyword |
+| checkpoint.sub_policy_uid | Layer uid. | keyword |
+| checkpoint.subscriber | Source IP before CGNAT. | ip |
+| checkpoint.summary | Summary message of a non-compliant DNS traffic drops or detects. | keyword |
+| checkpoint.suppressed_logs | Aggregated connections for five minutes on the same source, destination and port. | integer |
+| checkpoint.sync | Sync status and the reason (stable, at risk). | keyword |
+| checkpoint.sys_message | System messages | keyword |
+| checkpoint.tcp_end_reason | Reason for TCP connection closure. | keyword |
+| checkpoint.tcp_flags | TCP packet flags (SYN, ACK, etc.,). | keyword |
+| checkpoint.tcp_packet_out_of_state | State violation. | keyword |
+| checkpoint.tcp_state | Log reinting a tcp state change. | keyword |
+| checkpoint.te_verdict_determined_by | Emulators determined file verdict. | keyword |
+| checkpoint.ticket_id | Unique ID per file.
| keyword |
+| checkpoint.tls_server_host_name | SNI/CN from encrypted TLS connection used by URLF for categorization. | keyword |
+| checkpoint.top_archive_file_name | In case of archive file: the file that was sent/received. | keyword |
+| checkpoint.total_attachments | The number of attachments in an email. | integer |
+| checkpoint.triggered_by | The name of the mechanism that triggered the Software Blade to enforce a protection. | keyword |
+| checkpoint.trusted_domain | In case of phishing event, the domain, which the attacker was impersonating. | keyword |
+| checkpoint.unique_detected_day | Detected virus for a specific host during the last day. | integer |
+| checkpoint.unique_detected_hour | Detected virus for a specific host during the last hour. | integer |
+| checkpoint.unique_detected_week | Detected virus for a specific host during the last week. | integer |
+| checkpoint.update_status | Status of database update | keyword |
+| checkpoint.url | Translated URL. | keyword |
+| checkpoint.user | Source user name. | keyword |
+| checkpoint.user_agent | String identifying requesting software user agent. | keyword |
+| checkpoint.vendor_list | The vendor name that provided the verdict for a malicious URL. | keyword |
+| checkpoint.verdict | TE engine verdict Possible values: Malicious/Benign/Error. | keyword |
+| checkpoint.via | Via header is added by proxies for tracking purposes to avoid sending reqests in loop. | keyword |
+| checkpoint.voip_attach_action_info | Attachment action Info. | keyword |
+| checkpoint.voip_attach_sz | Attachment size. | integer |
+| checkpoint.voip_call_dir | Call direction: in/out. | keyword |
+| checkpoint.voip_call_id | Call-ID. | keyword |
+| checkpoint.voip_call_state | Call state. Possible values: in/out. | keyword |
+| checkpoint.voip_call_term_time | Call termination time stamp. | keyword |
+| checkpoint.voip_config | Configuration. | keyword |
+| checkpoint.voip_duration | Call duration (seconds).
| keyword |
+| checkpoint.voip_est_codec | Estimated codec. | keyword |
+| checkpoint.voip_exp | Expiration. | integer |
+| checkpoint.voip_from_user_type | Source IP-Phone type. | keyword |
+| checkpoint.voip_log_type | VoIP log types. Possible values: reject, call, registration. | keyword |
+| checkpoint.voip_media_codec | Estimated codec. | keyword |
+| checkpoint.voip_media_ipp | Media IP protocol. | keyword |
+| checkpoint.voip_media_port | Media int. | keyword |
+| checkpoint.voip_method | Registration request. | keyword |
+| checkpoint.voip_reason_info | Information. | keyword |
+| checkpoint.voip_reg_int | Registration port. | integer |
+| checkpoint.voip_reg_ipp | Registration IP protocol. | integer |
+| checkpoint.voip_reg_period | Registration period. | integer |
+| checkpoint.voip_reg_server | Registrar server IP address. | ip |
+| checkpoint.voip_reg_user_type | Registered IP-Phone type. | keyword |
+| checkpoint.voip_reject_reason | Reject reason. | keyword |
+| checkpoint.voip_to_user_type | Destination IP-Phone type. | keyword |
+| checkpoint.vpn_feature_name | L2TP /IKE / Link Selection. | keyword |
+| checkpoint.watermark | Reports whether watermark is added to the cleaned file. | keyword |
+| checkpoint.web_server_type | Web server detected in the HTTP response. | keyword |
+| checkpoint.word_list | Words matched by data type. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine.
| keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
| keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.packets | Packets sent from the destination to the source. | long |
+| destination.port | Port of the destination. | long |
+| destination.service.name | Name of the service data is collected from. | keyword |
+| destination.user.email | User email address. | keyword |
+| destination.user.id | Unique identifier of the user. | keyword |
+| destination.user.name | Short name or login of the user. | keyword |
+| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
+| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| dns.type | The type of DNS event captured, query or answer.
If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it.
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
| keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. 
| date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.flags | Flags for the log file. 
| keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address of logs received over the network. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. 
| keyword | +| observer.version | Observer version. | keyword | +| process.hash.md5 | MD5 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.email | User email address. | keyword | +| source.user.group.name | Name of the group. 
| keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | + diff --git a/packages/checkpoint/1.3.6/img/checkpoint-logo.svg b/packages/checkpoint/1.3.6/img/checkpoint-logo.svg new file mode 100755 index 0000000000..e71866e78c --- /dev/null +++ b/packages/checkpoint/1.3.6/img/checkpoint-logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/checkpoint/1.3.6/manifest.yml b/packages/checkpoint/1.3.6/manifest.yml new file mode 100755 index 0000000000..d5096cf881 --- /dev/null 
+++ b/packages/checkpoint/1.3.6/manifest.yml 
@@ -0,0 +1,109 @@
+name: checkpoint
+title: Check Point
+version: 1.3.6
+release: ga
+description: Collect logs from Check Point with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/checkpoint-logo.svg
+ title: Check Point
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: checkpoint
+ title: Check Point logs
+ description: Collect logs from Check Point instances
+ inputs:
+ - type: logfile
+ title: "Collect Check Point firewall logs (input: logfile)"
+ description: "Collecting firewall logs from Check Point instances (input: logfile)"
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - trust
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - untrust
+ - type: tcp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ title: "Collect Check Point firewall logs (input: tcp)"
+ description: "Collecting firewall logs from Check Point instances (input: tcp)"
+ - type: udp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ title: "Collect Check Point firewall logs (input: udp)"
+ description: "Collecting firewall logs from Check Point instances (input: udp)"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cisco_duo/1.1.4/changelog.yml b/packages/cisco_duo/1.1.4/changelog.yml
new file mode 100755
index 0000000000..8d9ee38cb6
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/changelog.yml
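Review bot: The `internal_zones` and `external_zones` vars under the `tcp` and `udp` inputs carry no `default:`, whereas the same two vars under the `logfile` input default to `trust` and `untrust`; unless the difference is intentional, events received over syslog will be zone-enriched differently from events read from files. Consider giving the syslog inputs the same `default:` / `- trust` and `default:` / `- untrust` entries. A smaller point of style: the `tcp` and `udp` inputs place `title` and `description` after `vars`, while `logfile` puts them first — ordering the three inputs the same way makes them easier to compare.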
@@ -0,0 +1,51 @@
+# newer versions go on top
+- version: "1.1.4"
+ changes:
+ - description: Fix dashboard issues.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3030
+- version: "1.1.3"
+ changes:
+ - description: Add mapping for event.created.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3021
+- version: "1.1.2"
+ changes:
+ - description: Make fields agree with ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3018
+- version: "1.1.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2390
+- version: "1.0.0"
+ changes:
+ - description: GA integration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2360
+- version: "0.2.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2249
+- version: "0.1.1"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1953
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1629
diff --git a/packages/cisco_duo/1.1.4/data_stream/admin/agent/stream/httpjson.yml.hbs b/packages/cisco_duo/1.1.4/data_stream/admin/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..5e8eee5bc7
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/admin/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,34 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+request.url: {{hostname}}/admin/v1/logs/administrator
+request.transforms:
+ - set:
+ target: url.params.mintime
+ value: '[[.cursor.last_published]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: header.Date
+ value: '[[formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"]]'
+ - set:
+ target: header.Authorization
+ value: '[[sprintf "Basic %s" (base64Encode (sprintf "%s:%s" "{{integration_key}}" (hmac "sha1" "{{secret_key}}" (formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700") "\n" "GET" "\n" .url.Host "\n" "/admin/v1/logs/administrator" "\n" .url.RawQuery)))]]'
+response.split:
+ target: body.response
+cursor:
+ last_published:
+ value: '[[toInt .last_event.timestamp]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_duo/1.1.4/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/1.1.4/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..50fd05d84f
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
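Review bot: The `Date` header and the request signature are built from two separate `now` calls — one in the `header.Date` transform and a second `formatDate (now) ...` inside the `header.Authorization` HMAC — so a request whose two evaluations straddle a second boundary is signed over a timestamp that differs from the header actually sent, and the API would reject it as a bad signature; that is an intermittent, hard-to-diagnose collection gap. Reuse the header already set by the previous transform inside the HMAC instead of re-evaluating `now` (something like `(.header.Get "Date")` in place of the inner `(formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700")`), provided the transform context exposes headers set by earlier transforms; otherwise compute the timestamp once and reference it from both places. Separately, `request.url: {{hostname}}/admin/v1/logs/administrator` and `interval: {{interval}}` render user-supplied values unquoted; quoting them, e.g. `request.url: "{{hostname}}/admin/v1/logs/administrator"`, keeps the rendered YAML valid if a value contains `: ` or `#`.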
@@ -0,0 +1,155 @@
+---
+description: Pipeline for parsing cisco_duo administrator logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - fingerprint:
+ fields:
+ - json.timestamp
+ - json.action
+ - json.description
+ - json.object
+ - json.username
+ target_field: _id
+ ignore_missing: true
+ - date:
+ field: json.timestamp
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - UNIX
+ - set:
+ field: event.category
+ value: iam
+ if: ctx?.json?.action instanceof String && ['admin_2fa_error','admin_account_switch','admin_activation_create','admin_activation_delete','admin_activate_duo_push','admin_create','admin_delete','admin_factor_restrictions_update','admin_login','admin_login_error','admin_reactivates_duo_push','admin_reset_password','admin_self_activate','admin_send_reset_password_email','admin_update','adminapi_request_ip_denied','bypass_create','bypass_delete','bypass_view','phone_associate','phone_create','phone_delete','phone_disassociate','phone_update','group_create','group_delete','group_update','user_bulk_activate','user_bulk_enroll','user_create','user_delete','user_import','user_pending_delete','user_restore','user_update'].contains(ctx?.json?.action)
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.outcome
+ value: success
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx?.json?.action instanceof String && ['ad_sync_failed','admin_2fa_error','admin_login_error','azure_sync_fail','openldap_sync_failed'].contains(ctx?.json?.action)
+ - append:
+ field: event.type
+ value: admin
+ if: ctx?.json?.action instanceof String && ['activation_create_link','activation_delete_link','activation_send_link','admin_2fa_error','admin_account_switch','admin_activation_create','admin_activation_delete','admin_activate_duo_push','admin_create','admin_delete','admin_factor_restrictions_update','admin_login','admin_login_error','admin_reactivates_duo_push','admin_reset_password','admin_self_activate','admin_send_reset_password_email','admin_update','adminapi_request_ip_denied'].contains(ctx?.json?.action)
+ - append:
+ field: event.type
+ value: group
+ if: ctx?.json?.action instanceof String && ['group_create','group_delete','group_update','integration_group_policy_add','integration_group_policy_remove','policy_create','policy_delete','policy_update'].contains(ctx?.json?.action)
+ - append:
+ field: event.type
+ value: user
+ if: ctx?.json?.action instanceof String && ['ad_sync_by_user_begin','ad_sync_by_user_finish','azure_sync_by_user_begin','azure_sync_by_user_finish','bypass_create','bypass_delete','bypass_view','openldap_sync_begin','openldap_sync_by_user_begin','phone_associate','phone_create','phone_delete','phone_disassociate','phone_update','user_bulk_activate','user_bulk_enroll','user_create','user_delete','user_import','user_pending_delete','user_restore','user_update'].contains(ctx?.json?.action)
+ - append:
+ field: event.type
+ value: info
+ if: ctx?.json?.action instanceof String && ['ad_sync_begin','ad_sync_failed','ad_sync_finish','azure_directory_create','azure_directory_update','azure_directory_delete','azure_sync_begin','azure_sync_finish','azure_sync_fail','create_child_customer','credits_update','customer_update','delete_child_customer','directory_create','directory_delete','directory_groups_update','directory_sync_pause','directory_sync_resume','directory_update','edition_update','feature_add','feature_delete','hardtoken_create','hardtoken_delete','hardtoken_resync','hardtoken_update','integration_create','integration_delete','integration_policy_assign','integration_policy_unassign','integration_skey_view','integration_update','openldap_sync_by_user_finish','openldap_sync_config_download','openldap_sync_failed','openldap_sync_finish','regen_mobile','regen_sms','resend_enroll_codes','send_enroll_code'].contains(ctx?.json?.action)
+ - append:
+ field: event.type
+ value: creation
+ if: ctx?.json?.action instanceof String && ctx?.json?.action?.contains("create")
+ - append:
+ field: event.type
+ value: change
+ if: ctx?.json?.action instanceof String && ctx?.json?.action?.contains("update")
+ - append:
+ field: event.type
+ value: deletion
+ if: ctx?.json?.action instanceof String && ctx?.json?.action?.contains("delete")
+ - set:
+ field: message
+ copy_from: json.description
+ if: ctx?.json?.description != null
+ - json:
+ field: json.description
+ target_field: cisco_duo.admin.flattened
+ if: ctx?.json?.description != null
+ ignore_failure: true
+ - set:
+ field: event.reason
+ value: "{{{message}}}"
+ - set:
+ field: event.action
+ copy_from: json.action
+ if: ctx?.json?.action != null
+ - set:
+ field: user.name
+ copy_from: json.username
+ if: ctx?.json?.username != null
+ - set:
+ field: user.email
+ copy_from: cisco_duo.admin.flattened.email
+ if: ctx?.event?.action == "admin_self_activate"
+ ignore_failure: true
+ - set:
+ field: user.changes.name
+ copy_from: cisco_duo.admin.flattened.realname
+ if: ctx?.event?.action == "user_update"
+ ignore_failure: true
+ - set:
+ field: user.changes.email
+ copy_from: cisco_duo.admin.flattened.email
+ if: ctx?.event?.action == "user_update"
+ ignore_failure: true
+ - set:
+ field: user.target.name
+ copy_from: json.object
+ if: ctx?.json?.object != null
+ - rename:
+ field: json.action
+ target_field: cisco_duo.admin.action
+ ignore_missing: true
+ - rename:
+ field: json.username
+ target_field: cisco_duo.admin.user.name
+ ignore_missing: true
+ - rename:
+ field: json.object
+ target_field: cisco_duo.admin.action_performed_on
+ if: ctx?.json?.object != null
+ - remove:
+ field:
+ - message
+ - event.reason
+ if: ctx?.cisco_duo?.admin?.flattened != null
+ - remove:
+ field: json
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/cisco_duo/1.1.4/data_stream/admin/fields/agent.yml b/packages/cisco_duo/1.1.4/data_stream/admin/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/admin/fields/agent.yml
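Review bot: A non-JSON `message` surfaces as a misleading error rather than the real one. The first `json` processor (on `event.original`) has `ignore_failure: true`, so a parse failure is swallowed, `ctx.json` is never created, every `ctx?.json?...`-guarded processor is skipped, and the unconditional `- remove: field: json` near the end then fails on the missing field — that "field not present" message is what `on_failure` writes into `error.message`, and the JSON parse error itself is lost. Dropping `ignore_failure: true` from that `json` processor lets the parse error reach `error.message` directly, which is the more useful signal when triaging ingest failures; if silently tolerating malformed input is intended, the `remove` would need `ignore_missing: true` instead, at the cost of such documents indexing with no error at all.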
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/cisco_duo/1.1.4/data_stream/admin/fields/base-fields.yml b/packages/cisco_duo/1.1.4/data_stream/admin/fields/base-fields.yml new file mode 100755 index 0000000000..9ca6a026e5 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/admin/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_duo +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_duo.admin +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/cisco_duo/1.1.4/data_stream/admin/fields/ecs.yml b/packages/cisco_duo/1.1.4/data_stream/admin/fields/ecs.yml new file mode 100755 index 0000000000..bcb1a42b7a --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/admin/fields/ecs.yml 
@@ -0,0 +1,108 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. + For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. + If no validation is performed then the field should be omitted. + The allowed values are: + `verified` - The `agent.id` field value matches expected value obtained from auth metadata. + `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. + `missing` - There was no `agent.id` field in the event to validate. + `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. + name: event.agent_id_status + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: User email address. + name: user.changes.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.changes.name + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/cisco_duo/1.1.4/data_stream/admin/fields/fields.yml b/packages/cisco_duo/1.1.4/data_stream/admin/fields/fields.yml new file mode 100755 index 0000000000..a094785089 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/admin/fields/fields.yml 
@@ -0,0 +1,19 @@ +- name: cisco_duo.admin + type: group + fields: + - name: action + type: keyword + description: | + The type of change that was performed + - name: action_performed_on + type: keyword + description: | + The object that was acted on. + - name: user.name + type: keyword + description: | + The full name of the administrator who performed the action in the Duo Admin Panel. + - name: flattened + type: flattened + description: | + ES flattened datatype for objects where the subfields aren't known in advance. diff --git a/packages/cisco_duo/1.1.4/data_stream/admin/manifest.yml b/packages/cisco_duo/1.1.4/data_stream/admin/manifest.yml new file mode 100755 index 0000000000..8e05f5dd5f --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/admin/manifest.yml @@ -0,0 +1,34 @@ +type: logs +title: Cisco Duo administrator logs +streams: + - input: httpjson + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_duo-admin + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: Cisco Duo administrator logs + description: Collect Cisco Duo administrator logs diff --git a/packages/cisco_duo/1.1.4/data_stream/admin/sample_event.json b/packages/cisco_duo/1.1.4/data_stream/admin/sample_event.json new file mode 100755 index 0000000000..b0540ca173 
--- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/admin/sample_event.json @@ -0,0 +1,54 @@ +{ + "@timestamp": "2021-07-20T11:41:31.000Z", + "agent": { + "ephemeral_id": "d5c469ec-2802-48c4-9828-95a1a38a3d57", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "admin": { + "action": "activation_begin", + "user": { + "name": "narroway" + } + } + }, + "data_stream": { + "dataset": "cisco_duo.admin", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "activation_begin", + "agent_id_status": "verified", + "created": "2021-12-29T09:39:10.869Z", + "dataset": "cisco_duo.admin", + "ingested": "2021-12-29T09:39:11Z", + "kind": "event", + "original": "{\"action\":\"activation_begin\",\"description\":\"Starting activation process\",\"isotimestamp\":\"2021-07-20T11: 41: 31+00: 00\",\"object\":null,\"timestamp\":1626781291,\"username\":\"narroway\"}", + "outcome": "success", + "reason": "Starting activation process" + }, + "input": { + "type": "httpjson" + }, + "message": "Starting activation process", + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-admin" + ], + "user": { + "name": "narroway" + } +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/data_stream/auth/agent/stream/httpjson.yml.hbs b/packages/cisco_duo/1.1.4/data_stream/auth/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..254a2b4226 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/auth/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,43 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+request.url: {{hostname}}/admin/v2/logs/authentication
+request.transforms:
+ - set:
+ target: url.params.limit
+ value: 1000
+ - set:
+ target: url.params.sort
+ value: ts:asc
+ - set:
+ target: url.params.mintime
+ value: '[[.cursor.last_published]]'
+ default: '[[div (((now (parseDuration "-2m")).Add (parseDuration "-{{interval}}")).UnixNano) 1e6]]'
+ - set:
+ target: url.params.maxtime
+ value: '[[div ((now (parseDuration "-2m")).UnixNano) 1e6]]'
+ - set:
+ target: header.Date
+ value: '[[formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"]]'
+ - set:
+ target: header.Authorization
+ value: '[[sprintf "Basic %s" (base64Encode (sprintf "%s:%s" "{{integration_key}}" (hmac "sha1" "{{secret_key}}" (formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700") "\n" "GET" "\n" .url.Host "\n" "/admin/v2/logs/authentication" "\n" .url.RawQuery)))]]'
+response.split:
+ target: body.response.authlogs
+cursor:
+ last_published:
+ value: '[[mul (toInt .last_event.timestamp) 1000]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_duo/1.1.4/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/1.1.4/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..7aa4a99ede
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
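Review bot: The timestamp folded into the HMAC in the `header.Authorization` transform is produced by a second `formatDate (now) ...` call instead of being taken from the `header.Date` transform just above it, so a request whose two evaluations straddle a second boundary signs a different date than it sends and the API rejects the signature. Computing it once closes that race: in the Authorization value replace `(formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700")` with `(.header.Get "Date")`, assuming the httpjson v2 request-transform context exposes the headers already set (it appears to; confirm against the Filebeat version this package targets). Separately, `"{{integration_key}}"` and `"{{secret_key}}"` are substituted unescaped inside a double-quoted template string, so a value containing `"` or `\` would render an invalid expression; a comment above the transform such as `# integration_key/secret_key are inlined verbatim; values must not contain " or \` makes that constraint visible to whoever rotates the keys.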
@@ -0,0 +1,303 @@ +--- +description: Pipeline for parsing cisco_duo authentication logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.timestamp + - json.txid + target_field: _id + ignore_missing: true + - date: + field: json.timestamp + target_field: "@timestamp" + ignore_failure: true + formats: + - UNIX + - set: + field: event.category + value: authentication + - set: + field: event.kind + value: event + - set: + field: event.outcome + value: failed + - set: + field: event.outcome + value: success + if: ctx?.json?.result == "success" + - set: + field: event.type + value: info + - set: + field: event.reason + copy_from: json.reason + ignore_failure: true + - set: + field: source.ip + copy_from: json.access_device.ip + ignore_failure: true + - set: + field: source.address + copy_from: json.access_device.ip + ignore_failure: true + - set: + field: source.address + copy_from: json.access_device.hostname + if: ctx?.json?.access_device?.hostname != null + - set: + field: source.user.email + copy_from: json.email + ignore_failure: true + - set: + field: source.user.id + copy_from: json.user.key + ignore_failure: true + - set: + field: source.user.name + copy_from: json.user.name + ignore_failure: true + - rename: + field: json.user.groups + target_field: source.user.group.name + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - geoip: + field: 
json.auth_device.ip + target_field: cisco_duo.auth.auth_device.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: json.auth_device.ip + target_field: cisco_duo.auth.auth_device.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: cisco_duo.auth.auth_device.as.asn + target_field: cisco_duo.auth.auth_device.as.number + ignore_missing: true + - rename: + field: cisco_duo.auth.auth_device.as.organization_name + target_field: cisco_duo.auth.auth_device.as.organization.name + ignore_missing: true + - set: + field: user.email + copy_from: json.email + ignore_failure: true + - set: + field: user.name + copy_from: json.user.name + ignore_failure: true + - set: + field: user.id + copy_from: json.user.key + ignore_failure: true + - set: + field: user_agent.name + copy_from: json.access_device.browser + ignore_failure: true + - set: + field: user_agent.version + copy_from: json.access_device.browser_version + ignore_failure: true + - set: + field: user_agent.os.name + copy_from: json.access_device.os + ignore_failure: true + - set: + field: user_agent.os.version + copy_from: json.access_device.os_version + ignore_failure: true + - rename: + field: json.email + target_field: cisco_duo.auth.email + ignore_missing: true + - rename: + field: json.event_type + target_field: cisco_duo.auth.event_type + ignore_missing: true + - rename: + field: json.factor + target_field: cisco_duo.auth.factor + ignore_missing: true + - rename: + field: json.ood_software + target_field: cisco_duo.auth.ood_software + ignore_missing: true + - rename: + field: json.reason + target_field: cisco_duo.auth.reason + ignore_missing: true + - rename: + field: json.result + target_field: cisco_duo.auth.result + ignore_missing: true + - rename: + field: json.txid + target_field: cisco_duo.auth.txid + ignore_missing: true + - rename: + field: json.alias + target_field: cisco_duo.auth.alias + ignore_missing: true + - rename: + field: 
json.access_device.flash_version + target_field: cisco_duo.auth.access_device.flash_version + ignore_missing: true + - rename: + field: json.access_device.hostname + target_field: cisco_duo.auth.access_device.hostname + if: ctx?.json?.access_device?.hostname != null + - rename: + field: json.access_device.ip + target_field: cisco_duo.auth.access_device.ip + ignore_missing: true + - rename: + field: json.access_device.is_encryption_enabled + target_field: cisco_duo.auth.access_device.is_encryption_enabled + ignore_missing: true + - convert: + field: cisco_duo.auth.access_device.is_encryption_enabled + type: string + ignore_failure: true + - rename: + field: json.access_device.is_firewall_enabled + target_field: cisco_duo.auth.access_device.is_firewall_enabled + ignore_missing: true + - convert: + field: cisco_duo.auth.access_device.is_firewall_enabled + type: string + ignore_failure: true + - rename: + field: json.access_device.is_password_set + target_field: cisco_duo.auth.access_device.is_password_set + ignore_missing: true + - convert: + field: cisco_duo.auth.access_device.is_password_set + type: string + ignore_failure: true + - rename: + field: json.access_device.java_version + target_field: cisco_duo.auth.access_device.java_version + ignore_missing: true + - rename: + field: json.access_device.location.city + target_field: cisco_duo.auth.access_device.location.city + ignore_missing: true + - rename: + field: json.access_device.location.country + target_field: cisco_duo.auth.access_device.location.country + ignore_missing: true + - rename: + field: json.access_device.location.state + target_field: cisco_duo.auth.access_device.location.state + ignore_missing: true + - rename: + field: json.access_device.security_agents + target_field: cisco_duo.auth.access_device.security_agents + ignore_missing: true + - rename: + field: json.application.key + target_field: cisco_duo.auth.application.key + ignore_missing: true + - rename: + field: json.application.name + 
target_field: cisco_duo.auth.application.name + ignore_missing: true + - rename: + field: json.auth_device.ip + target_field: cisco_duo.auth.auth_device.ip + ignore_missing: true + - rename: + field: json.auth_device.location.city + target_field: cisco_duo.auth.auth_device.location.city + ignore_missing: true + - rename: + field: json.auth_device.location.country + target_field: cisco_duo.auth.auth_device.location.country + ignore_missing: true + - rename: + field: json.auth_device.location.state + target_field: cisco_duo.auth.auth_device.location.state + ignore_missing: true + - rename: + field: json.auth_device.name + target_field: cisco_duo.auth.auth_device.name + ignore_missing: true + - rename: + field: json.trusted_endpoint_status + target_field: cisco_duo.auth.trusted_endpoint_status + ignore_missing: true + - append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{cisco_duo.auth.auth_device.ip}}}" + if: ctx?.cisco_duo?.auth?.auth_device?.ip != null + allow_duplicates: false + ignore_failure: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" 
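Review bot: `event.outcome` is initialised to `failed` near the top of the pipeline, and `failed` is not one of the ECS allowed values (`success`, `failure`, `unknown`), so every non-success Duo authentication lands outside the vocabulary that dashboards and detection rules filter on; change that first set to `value: failure`. This still collapses every result other than `success` into `failure`; if some Duo result values denote errors rather than denials, a further conditional set to `unknown` is the ECS-conformant way to keep them apart. `related.user` is also never populated even though `user.name` and `user.id` are set, so the usual `related.user` pivot misses these events; an `append` beside the two `related.ip` entries with `value: "{{{user.name}}}"`, `if: ctx?.user?.name != null` and `allow_duplicates: false` would close that gap.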
diff --git a/packages/cisco_duo/1.1.4/data_stream/auth/fields/agent.yml b/packages/cisco_duo/1.1.4/data_stream/auth/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/auth/fields/agent.yml
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/cisco_duo/1.1.4/data_stream/auth/fields/base-fields.yml b/packages/cisco_duo/1.1.4/data_stream/auth/fields/base-fields.yml
new file mode 100755
index 0000000000..7ca807eb7c
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/auth/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_duo
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_duo.auth
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_duo/1.1.4/data_stream/auth/fields/ecs.yml b/packages/cisco_duo/1.1.4/data_stream/auth/fields/ecs.yml
new file mode 100755
index 0000000000..2e56033747
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/auth/fields/ecs.yml
@@ -0,0 +1,148 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. + For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. + If no validation is performed then the field should be omitted. + The allowed values are: + `verified` - The `agent.id` field value matches expected value obtained from auth metadata. + `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. + `missing` - There was no `agent.id` field in the event to validate. + `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. + name: event.agent_id_status + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
+ name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: User email address. + name: source.user.email + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Name of the user agent. 
+ name: user_agent.name + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword diff --git a/packages/cisco_duo/1.1.4/data_stream/auth/fields/fields.yml b/packages/cisco_duo/1.1.4/data_stream/auth/fields/fields.yml new file mode 100755 index 0000000000..d2da845383 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/auth/fields/fields.yml 
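Review bot: `related.ip` is the only `related.*` field declared in this mapping, so `related.user` is never carried even though `user.name`, `user.email`, `user.id` and `source.user.*` are all mapped here, and the sample event in this same change shows `related` holding just two IPs. Entity-pivot detection rules and the Security app's user pages key on `related.user`, so authentication events from Duo will not surface there. Add `- description: All the user names or other user identifiers seen on the event.` / `name: related.user` / `type: keyword` to this file, and have the auth pipeline append `user.name` into it with `allow_duplicates: false` (that pipeline's start is outside this chunk; its visible tail only appends into `related.ip`).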
@@ -0,0 +1,154 @@ +- name: cisco_duo.auth + type: group + fields: + - name: email + type: keyword + description: | + The email address of the user, if known to Duo, otherwise none. + - name: event_type + type: keyword + description: | + The type of activity logged. + - name: factor + type: keyword + description: | + The authentication factor. + - name: ood_software + type: keyword + description: | + If authentication was denied due to out-of-date software, shows the name of the software. + - name: reason + type: keyword + description: | + Provide the reason for the authentication attempt result. + - name: result + type: keyword + description: | + The result of the authentication attempt. + - name: trusted_endpoint_status + type: keyword + description: | + Status of Trusted Endpoint. + - name: txid + type: keyword + description: | + The transaction ID of the event. + - name: alias + type: keyword + description: | + The username alias used to log in. + - name: access_device + type: group + fields: + - name: flash_version + type: keyword + description: | + The Flash plugin version used, if present. + - name: hostname + type: keyword + description: | + The hostname, if present. + - name: ip + type: ip + description: | + The access device's IP address. + - name: is_encryption_enabled + type: keyword + description: | + Reports the disk encryption state as detected by the Duo Device Health app. + - name: is_firewall_enabled + type: keyword + description: | + Reports the firewall state as detected by the Duo Device Health app. + - name: is_password_set + type: keyword + description: | + Reports the system password state as detected by the Duo Device Health app + - name: java_version + type: keyword + description: | + The Java plugin version used. + - name: location + type: group + fields: + - name: city + type: keyword + description: | + The city name of the access device using geoip location. 
+ - name: country + type: keyword + description: | + The country of the access device using geoip location. + - name: state + type: keyword + description: | + The state name of the access device using geoip location. + - name: security_agents + type: keyword + description: | + Reports the security agents present on the endpoint as detected by the Duo Device Health app. + - name: application + type: group + fields: + - name: key + type: keyword + description: | + The application's integration_key. + - name: name + type: keyword + description: | + The application's name. + - name: auth_device + type: group + fields: + - name: ip + type: ip + description: | + The IP address of the authentication device. + - name: location + type: group + fields: + - name: city + type: keyword + description: | + The city name of the authentication device using geoip location. + - name: country + type: keyword + description: | + The country of the authentication device using geoip location. + - name: state + type: keyword + description: | + The state name of the authentication device using geoip location. + - name: as.number + type: long + description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + - name: as.organization.name + type: keyword + description: Organization name. + - name: geo.city_name + type: keyword + description: City name. + - name: geo.continent_name + type: keyword + description: Name of the continent. + - name: geo.country_iso_code + type: keyword + description: Country ISO code. + - name: geo.country_name + type: keyword + description: Country name. + - name: geo.location + type: geo_point + level: core + description: Longitude and latitude. + - name: geo.region_iso_code + type: keyword + description: Region ISO code. + - name: geo.region_name + type: keyword + description: Region name. + - name: name + type: keyword + description: | + The name of the authentication device. 
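Review bot: `is_encryption_enabled`, `is_firewall_enabled` and `is_password_set` under `access_device` are mapped as `keyword`, while the raw Duo record reproduced in this change's sample event carries them as JSON booleans (`"is_encryption_enabled":true`) and the indexed document carries the string `"true"`. Device-posture filters are the main reason to collect these fields, and a `boolean` mapping gives them a native type and rejects unexpected values at index time instead of accepting any string; change `type: keyword` to `type: boolean` on those three entries and drop the string conversion in the pipeline if one exists (the auth pipeline's head is outside this chunk). If the conversion is deliberate because Duo can emit a non-boolean value such as `unknown` for these, say so in the field descriptions so the type choice is not "fixed" later.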
diff --git a/packages/cisco_duo/1.1.4/data_stream/auth/manifest.yml b/packages/cisco_duo/1.1.4/data_stream/auth/manifest.yml
new file mode 100755
index 0000000000..5e503233c2
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/auth/manifest.yml
@@ -0,0 +1,34 @@
+type: logs
+title: Cisco Duo authentication logs
+streams:
+ - input: httpjson
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - cisco_duo-auth
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Cisco Duo authentication logs
+ description: Collect Cisco Duo authentication logs
diff --git a/packages/cisco_duo/1.1.4/data_stream/auth/sample_event.json b/packages/cisco_duo/1.1.4/data_stream/auth/sample_event.json
new file mode 100755
index 0000000000..7868871412
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/auth/sample_event.json
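Review bot: The `preserve_original_event` description only says a raw copy is kept, but the raw Duo record (see the sample event in this change) contains the user's e-mail, the Duo user key and a phone number embedded in `auth_device.name`, so enabling it duplicates that PII into every document and keeps it outside the field-level mapping (`event.original` is unindexed but fully retrievable from `_source`). Defaulting it to `false` is right; the description should carry the caveat so operators do not switch it on casually, e.g. `description: Preserves a raw copy of the original event in ` + "`event.original`" + `. The raw Duo record includes user e-mail addresses and device names that may contain phone numbers; leave disabled unless the raw payload is required.`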
@@ -0,0 +1,132 @@ +{ + "@timestamp": "2020-02-13T18:56:20.000Z", + "agent": { + "ephemeral_id": "af742618-01e6-4406-b573-aab628bfa898", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "auth": { + "access_device": { + "flash_version": "uninstalled", + "ip": "89.160.20.156", + "is_encryption_enabled": "true", + "is_firewall_enabled": "true", + "is_password_set": "true", + "java_version": "uninstalled", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + } + }, + "application": { + "key": "DIY231J8BR23QK4UKBY8", + "name": "Microsoft Azure Active Directory" + }, + "auth_device": { + "ip": "192.168.225.254", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "name": "My iPhone X (734-555-2342)" + }, + "email": "narroway@example.com", + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_approved", + "result": "success", + "trusted_endpoint_status": "not trusted", + "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb" + } + }, + "data_stream": { + "dataset": "cisco_duo.auth", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "category": "authentication", + "created": "2021-12-29T09:39:46.431Z", + "dataset": "cisco_duo.auth", + "ingested": "2021-12-29T09:39:47Z", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS 
X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}", + "outcome": "success", + "reason": "user_approved", + "type": "info" + }, + "input": { + "type": "httpjson" + }, + "related": { + "ip": [ + "89.160.20.156", + "192.168.225.254" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "user": { + "email": "narroway@example.com", + "group": { + "name": [ + "Duo Users", + "CorpHQ Users" + ] + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway@example.com" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-auth" + ], + "user": { + "email": "narroway@example.com", + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway@example.com" + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Mac OS X", + "version": "10.14.1" + }, + "version": "67.0.3396.99" + } +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/agent/stream/httpjson.yml.hbs b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..e293caac5a
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,34 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+request.url: {{hostname}}/admin/v1/logs/offline_enrollment
+request.transforms:
+ - set:
+ target: url.params.mintime
+ value: '[[.cursor.last_published]]'
+ default: '[[((now (parseDuration "-2m")).Add (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: header.Date
+ value: '[[formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"]]'
+ - set:
+ target: header.Authorization
+ value: '[[sprintf "Basic %s" (base64Encode (sprintf "%s:%s" "{{integration_key}}" (hmac "sha1" "{{secret_key}}" (formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700") "\n" "GET" "\n" .url.Host "\n" "/admin/v1/logs/offline_enrollment" "\n" .url.RawQuery)))]]'
+response.split:
+ target: body.response
+cursor:
+ last_published:
+ value: '[[toInt .last_event.timestamp]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..46574aa431
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml
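Review bot: The `header.Date` transform and the HMAC inside the `header.Authorization` transform each evaluate `formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"` independently, so whenever the two evaluations straddle a second boundary the Date string that was signed differs from the Date header actually sent and Duo rejects the request as a bad signature; this produces an intermittent 401 on a collector that otherwise works, and nothing in the template retries it. Compute the timestamp once and reuse it: if the transform context exposes the header already set by the previous step, replacing the second `formatDate (now) ...` argument with `(.header.Get "Date")` does it, otherwise stage the formatted value in a scratch field before both `set`s. Separately, `.url.Host` is signed exactly as the operator typed the `hostname` variable, whereas Duo's signing scheme canonicalizes the host in lower case, so a mixed-case value would fail signing; the `hostname` variable lives in the package manifest outside this chunk, but its description should state that the lower-case `api-*.duosecurity.com` host is required.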
@@ -0,0 +1,75 @@
+---
+description: Pipeline for parsing cisco_duo offline enrollment logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - fingerprint:
+ fields:
+ - json.timestamp
+ - json.action
+ - json.description
+ - json.object
+ - json.username
+ target_field: _id
+ ignore_missing: true
+ - date:
+ field: json.timestamp
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - UNIX
+ - json:
+ field: json.description
+ target_field: json_description
+ ignore_failure: true
+ - set:
+ field: user.name
+ copy_from: json.username
+ ignore_failure: true
+ - rename:
+ field: json.action
+ target_field: cisco_duo.offline_enrollment.action
+ ignore_missing: true
+ - rename:
+ field: json_description.hostname
+ target_field: cisco_duo.offline_enrollment.description.hostname
+ ignore_missing: true
+ - rename:
+ field: json_description.user_agent
+ target_field: cisco_duo.offline_enrollment.description.user_agent
+ ignore_missing: true
+ - rename:
+ field: json_description.factor
+ target_field: cisco_duo.offline_enrollment.description.factor
+ ignore_missing: true
+ - rename:
+ field: json.object
+ target_field: cisco_duo.offline_enrollment.object
+ ignore_missing: true
+ - rename:
+ field: json.username
+ target_field: cisco_duo.offline_enrollment.user.name
+ ignore_missing: true
+ - remove:
+ field: json
+ - remove:
+ field: json_description
+ if: ctx?.json_description != null
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
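Review bot: The `- remove: field: json` step carries no `ignore_missing: true`, unlike every `rename` in this hunk and unlike the sibling auth pipeline's `remove` of the same field, so a `message` that is not valid JSON (the earlier `json` processor has `ignore_failure: true` and then simply leaves `json` unset) aborts the pipeline here and drops into `on_failure`. Because processing stops at that point the later conditional `remove` of `event.original` never runs, so the raw payload is retained regardless of the `preserve_original_event` setting and the document is indexed with only `error.message` to show for it; add `ignore_missing: true` under that `remove`. Also worth noting that this pipeline sets no `event.kind`, `event.category` or `event.type`, so offline-enrollment records are invisible to any rule or dashboard that filters on ECS categorization; something like `event.kind: event` with `event.category: [iam]` and `event.type: [user, change]` would match how the auth stream in this package is categorized, subject to confirming the semantics of Duo's enrollment actions.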
diff --git a/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/agent.yml b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/agent.yml 
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/base-fields.yml b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/base-fields.yml new file mode 100755 index 0000000000..09ab334566 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_duo +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_duo.offline_enrollment +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/ecs.yml b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/ecs.yml new file mode 100755 index 0000000000..8196a41fe8 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/ecs.yml 
@@ -0,0 +1,28 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/fields.yml b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/fields.yml new file mode 100755 index 0000000000..d651a89f6a --- /dev/null 
+++ b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/fields/fields.yml @@ -0,0 +1,27 @@ +- name: cisco_duo.offline_enrollment + type: group + fields: + - name: action + type: keyword + description: | + The offline enrollment operation + - name: description.hostname + type: keyword + description: | + The host name of the system where Duo Windows Logon is installed. + - name: description.user_agent + type: keyword + description: | + The Duo Windows Logon application version information and the Windows OS version and platform information. + - name: description.factor + type: keyword + description: | + The type of authenticator used for offline access. + - name: object + type: keyword + description: | + The Duo Windows Logon integration's name. + - name: user.name + type: keyword + description: | + The Duo username diff --git a/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/manifest.yml b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/manifest.yml new file mode 100755 index 0000000000..f36d248b6c --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/manifest.yml 
@@ -0,0 +1,34 @@ +type: logs +title: Cisco Duo offline enrollment logs +streams: + - input: httpjson + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_duo-offline_enrollment + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: Cisco Duo offline enrollment logs + description: Collect Cisco Duo offline enrollment logs diff --git a/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/sample_event.json b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/sample_event.json new file mode 100755 index 0000000000..34474bbeb1 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/offline_enrollment/sample_event.json 
@@ -0,0 +1,55 @@ +{ + "@timestamp": "2019-08-30T16:10:05.000Z", + "agent": { + "ephemeral_id": "3470fbe5-8d73-49db-8555-7e5f4cfd8504", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "offline_enrollment": { + "action": "o2fa_user_provisioned", + "description": { + "factor": "duo_otp", + "hostname": "WKSW10x64", + "user_agent": "DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)" + }, + "object": "Acme Laptop Windows Logon", + "user": { + "name": "narroway" + } + } + }, + "data_stream": { + "dataset": "cisco_duo.offline_enrollment", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2021-12-29T09:40:24.650Z", + "dataset": "cisco_duo.offline_enrollment", + "ingested": "2021-12-29T09:40:25Z", + "original": "{\"action\":\"o2fa_user_provisioned\",\"description\":\"{\\\"user_agent\\\": \\\"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\\\", \\\"hostname\\\": \\\"WKSW10x64\\\", \\\"factor\\\": \\\"duo_otp\\\"}\",\"isotimestamp\":\"2019-08-30T16:10:05+00:00\",\"object\":\"Acme Laptop Windows Logon\",\"timestamp\":1567181405,\"username\":\"narroway\"}" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-offline_enrollment" + ], + "user": { + "name": "narroway" + } +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/data_stream/summary/agent/stream/httpjson.yml.hbs b/packages/cisco_duo/1.1.4/data_stream/summary/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..0bd9565680 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/summary/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,25 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+request.url: {{hostname}}/admin/v1/info/summary
+request.transforms:
+ - set:
+ target: header.Date
+ value: '[[formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"]]'
+ - set:
+ target: header.Authorization
+ value: '[[sprintf "Basic %s" (base64Encode (sprintf "%s:%s" "{{integration_key}}" (hmac "sha1" "{{secret_key}}" (formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700") "\n" "GET" "\n" .url.Host "\n" "/admin/v1/info/summary" "\n")))]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_duo/1.1.4/data_stream/summary/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/1.1.4/data_stream/summary/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..1f32382e23
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/summary/elasticsearch/ingest_pipeline/default.yml
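Review bot: The `header.Date` transform and the `header.Authorization` transform each call `now` separately, so the Date header sent to Duo and the date folded into the HMAC canonical string can straddle a second boundary and then differ; Duo checks the signature against the Date header it received, so such a request fails authentication once in a while with no clear cause. The telephony template (`telephony/agent/stream/httpjson.yml.hbs`) has the same pair of transforms. If the transform context exposes the header set by the previous step (e.g. `.header.Get "Date"`), signing over that value instead of a second `now` removes the window; worth confirming against the httpjson transform documentation before relying on it.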
@@ -0,0 +1,40 @@
+---
+description: Pipeline for parsing cisco_duo summary logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - set:
+ field: "@timestamp"
+ value: "{{{_ingest.timestamp}}}"
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - rename:
+ field: json.response.admin_count
+ target_field: cisco_duo.summary.admin_count
+ - rename:
+ field: json.response.integration_count
+ target_field: cisco_duo.summary.integration_count
+ - rename:
+ field: json.response.telephony_credits_remaining
+ target_field: cisco_duo.summary.telephony_credits_remaining
+ - rename:
+ field: json.response.user_count
+ target_field: cisco_duo.summary.user_count
+ - remove:
+ field: json
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/cisco_duo/1.1.4/data_stream/summary/fields/agent.yml b/packages/cisco_duo/1.1.4/data_stream/summary/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/summary/fields/agent.yml
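Review bot: The four `rename` processors for `json.response.*` carry no `ignore_missing: true`, while every rename in the offline_enrollment and telephony pipelines does; because the preceding `json` processor uses `ignore_failure: true`, a body that fails to parse (or a response that lacks `response.admin_count`) makes the first rename throw and `error.message` then names a missing field rather than the parse failure. Either add `ignore_missing: true` to each of the four renames, or drop `ignore_failure: true` from the `json` processor so that `on_failure` records the real error; the current mix does neither consistently.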
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/cisco_duo/1.1.4/data_stream/summary/fields/base-fields.yml b/packages/cisco_duo/1.1.4/data_stream/summary/fields/base-fields.yml new file mode 100755 index 0000000000..28715de5b4 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/summary/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_duo +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_duo.summary +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/cisco_duo/1.1.4/data_stream/summary/fields/ecs.yml b/packages/cisco_duo/1.1.4/data_stream/summary/fields/ecs.yml new file mode 100755 index 0000000000..27c12f2f15 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/summary/fields/ecs.yml 
@@ -0,0 +1,22 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/cisco_duo/1.1.4/data_stream/summary/fields/fields.yml b/packages/cisco_duo/1.1.4/data_stream/summary/fields/fields.yml new file mode 100755 index 0000000000..1c312f69e3 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/summary/fields/fields.yml 
@@ -0,0 +1,19 @@ +- name: cisco_duo.summary + type: group + fields: + - name: admin_count + type: integer + description: | + Current number of admins in the account. + - name: integration_count + type: integer + description: | + Current number of integrations in the account. + - name: telephony_credits_remaining + type: integer + description: | + Current total number of telephony credits available in the account. This is the sum of all types of telephony credits. + - name: user_count + type: integer + description: | + Current number of users in the account. diff --git a/packages/cisco_duo/1.1.4/data_stream/summary/manifest.yml b/packages/cisco_duo/1.1.4/data_stream/summary/manifest.yml new file mode 100755 index 0000000000..a76e61ce40 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/summary/manifest.yml @@ -0,0 +1,34 @@ +type: logs +title: Cisco Duo summary logs +streams: + - input: httpjson + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_duo-summary + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: Cisco Duo summary logs + description: Collect Cisco Duo summary logs 
diff --git a/packages/cisco_duo/1.1.4/data_stream/summary/sample_event.json b/packages/cisco_duo/1.1.4/data_stream/summary/sample_event.json new file mode 100755 index 0000000000..d1b9379ca8 --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/summary/sample_event.json @@ -0,0 +1,46 @@ +{ + "@timestamp": "2021-12-29T09:41:01.807330132Z", + "agent": { + "ephemeral_id": "88177cd0-9798-45a3-86b1-48ab8de2fe35", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "summary": { + "admin_count": 3, + "integration_count": 9, + "telephony_credits_remaining": 960, + "user_count": 8 + } + }, + "data_stream": { + "dataset": "cisco_duo.summary", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2021-12-29T09:41:00.695Z", + "dataset": "cisco_duo.summary", + "ingested": "2021-12-29T09:41:01Z", + "original": "{\"response\":{\"admin_count\":3,\"integration_count\":9,\"telephony_credits_remaining\":960,\"user_count\":8},\"stat\":\"OK\"}" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-summary" + ] +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/data_stream/telephony/agent/stream/httpjson.yml.hbs b/packages/cisco_duo/1.1.4/data_stream/telephony/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..f6b939bffb --- /dev/null +++ b/packages/cisco_duo/1.1.4/data_stream/telephony/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,34 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+request.url: {{hostname}}/admin/v1/logs/telephony
+request.transforms:
+ - set:
+ target: url.params.mintime
+ value: '[[.cursor.last_published]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: header.Date
+ value: '[[formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700"]]'
+ - set:
+ target: header.Authorization
+ value: '[[sprintf "Basic %s" (base64Encode (sprintf "%s:%s" "{{integration_key}}" (hmac "sha1" "{{secret_key}}" (formatDate (now) "Mon, 02 Jan 2006 15:04:05 -0700") "\n" "GET" "\n" .url.Host "\n" "/admin/v1/logs/telephony" "\n" .url.RawQuery)))]]'
+response.split:
+ target: body.response
+cursor:
+ last_published:
+ value: '[[toInt .last_event.timestamp]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_duo/1.1.4/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/1.1.4/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..9d5fdca924
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,59 @@
+---
+description: Pipeline for parsing cisco_duo telephony logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - set:
+ field: event.kind
+ value: event
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - fingerprint:
+ fields:
+ - json.timestamp
+ - json.phone
+ - json.context
+ - json.type
+ target_field: _id
+ ignore_missing: true
+ - date:
+ field: json.timestamp
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - UNIX
+ - rename:
+ field: json.context
+ target_field: cisco_duo.telephony.event_type
+ ignore_missing: true
+ - rename:
+ field: json.credits
+ target_field: cisco_duo.telephony.credits
+ ignore_missing: true
+ - rename:
+ field: json.phone
+ target_field: cisco_duo.telephony.phone_number
+ ignore_missing: true
+ - rename:
+ field: json.type
+ target_field: cisco_duo.telephony.type
+ ignore_missing: true
+ - remove:
+ field: json
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/cisco_duo/1.1.4/data_stream/telephony/fields/agent.yml b/packages/cisco_duo/1.1.4/data_stream/telephony/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/telephony/fields/agent.yml
@@ -0,0 +1,204 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/cisco_duo/1.1.4/data_stream/telephony/fields/base-fields.yml b/packages/cisco_duo/1.1.4/data_stream/telephony/fields/base-fields.yml
new file mode 100755
index 0000000000..e63ba8b443
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/telephony/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_duo
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_duo.telephony
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_duo/1.1.4/data_stream/telephony/fields/ecs.yml b/packages/cisco_duo/1.1.4/data_stream/telephony/fields/ecs.yml
new file mode 100755
index 0000000000..df1220f07b
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/telephony/fields/ecs.yml
@@ -0,0 +1,28 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
diff --git a/packages/cisco_duo/1.1.4/data_stream/telephony/fields/fields.yml b/packages/cisco_duo/1.1.4/data_stream/telephony/fields/fields.yml
new file mode 100755
index 0000000000..8d6f259a10
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/telephony/fields/fields.yml
@@ -0,0 +1,19 @@
+- name: cisco_duo.telephony
+ type: group
+ fields:
+ - name: event_type
+ type: keyword
+ description: |
+ How this telephony event was initiated.
+ - name: credits
+ type: integer
+ description: |
+ How many telephony credits this event cost.
+ - name: phone_number
+ type: keyword
+ description: |
+ The phone number that initiated this event.
+ - name: type
+ type: keyword
+ description: |
+ This type of telephony Event.
diff --git a/packages/cisco_duo/1.1.4/data_stream/telephony/manifest.yml b/packages/cisco_duo/1.1.4/data_stream/telephony/manifest.yml
new file mode 100755
index 0000000000..f8555c13a8
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/telephony/manifest.yml
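Review bot: The description of `type` in fields.yml, `This type of telephony Event.`, reads as a typo and does not say what the field holds; `The type of telephony event, for example sms.` matches the value carried by the sample event added in this commit. The ingest pipeline in this commit fills `event_type` from the API's `context` key, and the sample carries `authentication` there, so `How this telephony event was initiated.` would be clearer as `The context in which this telephony event was initiated, for example authentication.`. `phone_number` stores a subscriber number, which is personal data under most retention policies; a short note in its description that the number is kept verbatim would help operators decide on index lifecycle and access controls for this data stream.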
@@ -0,0 +1,34 @@
+type: logs
+title: Cisco Duo telephony logs
+streams:
+ - input: httpjson
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - cisco_duo-telephony
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Cisco Duo telephony logs
+ description: Collect Cisco Duo telephony logs
diff --git a/packages/cisco_duo/1.1.4/data_stream/telephony/sample_event.json b/packages/cisco_duo/1.1.4/data_stream/telephony/sample_event.json
new file mode 100755
index 0000000000..ebb201a53b
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/data_stream/telephony/sample_event.json
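Review bot: The stream template named by `template_path: httpjson.yml.hbs` reads `interval`, `hostname`, `integration_key` and `secret_key`, none of which appears in the `vars` list here, so they are presumably package-level variables declared outside this diff; whichever manifest declares them should give `secret_key` `type: password` so the value is masked in the UI rather than shown as plain text. The `preserve_original_event` description could also say that the raw copy repeats the telephony fields including the phone number, since that is what a user enabling it opts into storing a second time.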
@@ -0,0 +1,47 @@
+{
+ "@timestamp": "2020-03-20T15:38:12.000Z",
+ "agent": {
+ "ephemeral_id": "42a4e3b7-2d15-41a9-9b9c-2f2d1a4ae179",
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "cisco_duo": {
+ "telephony": {
+ "credits": 1,
+ "event_type": "authentication",
+ "phone_number": "+121234512345",
+ "type": "sms"
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco_duo.telephony",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2021-12-29T09:41:39.239Z",
+ "dataset": "cisco_duo.telephony",
+ "ingested": "2021-12-29T09:41:40Z",
+ "kind": "event",
+ "original": "{\"context\":\"authentication\",\"credits\":1,\"isotimestamp\":\"2020-03-20T15:38:12+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1584718692,\"type\":\"sms\"}"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "cisco_duo-telephony"
+ ]
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/docs/README.md b/packages/cisco_duo/1.1.4/docs/README.md
new file mode 100755
index 0000000000..b057d70723
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/docs/README.md
@@ -0,0 +1,752 @@
+# Cisco Duo
+
+The Cisco Duo integration collects and parses data from the Cisco Duo Admin APIs.
+
+## Compatibility
+
+This module has been tested against Cisco Duo `Core Authentication Service: D224.13` and `Admin Panel: D224.18`
+
+## Requirements
+
+In order to ingest data from the Cisco Duo Admin API you must:
+- Have a the Cisco Duo administrator account with **Owner** role [Sign up](https://signup.duo.com/)
+- Sign in to [Duo Admin Panel](https://admin.duosecurity.com/)
+- Go through following tabs **Application > Protect an Application > Admin API > Protect**
+- Now you will find your **Hostname**, **Integration key** and **Secret key** which will be required while configuring the integration package.
+- For this integration you will require **Grant read information** and **Grant read log** permissions.
+- Make sure you have whitelisted your IP Address.
+
+## Note
+
+While setting up the interval take care of following.
+- `Interval has to be greater than 1m.`
+- `Larger values of interval might cause delay in data ingestion.`
+
+## Logs
+
+### Administrator
+
+This is the `admin` dataset.
+ +An example event for `admin` looks as following: + +```json +{ + "@timestamp": "2021-07-20T11:41:31.000Z", + "agent": { + "ephemeral_id": "d5c469ec-2802-48c4-9828-95a1a38a3d57", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "admin": { + "action": "activation_begin", + "user": { + "name": "narroway" + } + } + }, + "data_stream": { + "dataset": "cisco_duo.admin", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "activation_begin", + "agent_id_status": "verified", + "created": "2021-12-29T09:39:10.869Z", + "dataset": "cisco_duo.admin", + "ingested": "2021-12-29T09:39:11Z", + "kind": "event", + "original": "{\"action\":\"activation_begin\",\"description\":\"Starting activation process\",\"isotimestamp\":\"2021-07-20T11: 41: 31+00: 00\",\"object\":null,\"timestamp\":1626781291,\"username\":\"narroway\"}", + "outcome": "success", + "reason": "Starting activation process" + }, + "input": { + "type": "httpjson" + }, + "message": "Starting activation process", + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-admin" + ], + "user": { + "name": "narroway" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_duo.admin.action | The type of change that was performed | keyword | +| cisco_duo.admin.action_performed_on | The object that was acted on. | keyword | +| cisco_duo.admin.flattened | ES flattened datatype for objects where the subfields aren't known in advance. | flattened | +| cisco_duo.admin.user.name | The full name of the administrator who performed the action in the Duo Admin Panel. 
| keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. 
If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.changes.email | User email address. 
| keyword | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + + +### Authentication + +This is the `auth` dataset. + +An example event for `auth` looks as following: + +```json +{ + "@timestamp": "2020-02-13T18:56:20.000Z", + "agent": { + "ephemeral_id": "af742618-01e6-4406-b573-aab628bfa898", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "auth": { + "access_device": { + "flash_version": "uninstalled", + "ip": "89.160.20.156", + "is_encryption_enabled": "true", + "is_firewall_enabled": "true", + "is_password_set": "true", + "java_version": "uninstalled", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + } + }, + "application": { + "key": "DIY231J8BR23QK4UKBY8", + "name": "Microsoft Azure Active Directory" + }, + "auth_device": { + "ip": "192.168.225.254", + "location": { + "city": "Ann Arbor", + "country": "United States", + "state": "Michigan" + }, + "name": "My iPhone X (734-555-2342)" + }, + "email": "narroway@example.com", + "event_type": "authentication", + "factor": "duo_push", + "reason": "user_approved", + "result": "success", + "trusted_endpoint_status": "not trusted", + "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb" + } + }, + "data_stream": { + "dataset": "cisco_duo.auth", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + 
"agent_id_status": "verified", + "category": "authentication", + "created": "2021-12-29T09:39:46.431Z", + "dataset": "cisco_duo.auth", + "ingested": "2021-12-29T09:39:47Z", + "kind": "event", + "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}", + "outcome": "success", + "reason": "user_approved", + "type": "info" + }, + "input": { + "type": "httpjson" + }, + "related": { + "ip": [ + "89.160.20.156", + "192.168.225.254" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "user": 
{ + "email": "narroway@example.com", + "group": { + "name": [ + "Duo Users", + "CorpHQ Users" + ] + }, + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway@example.com" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-auth" + ], + "user": { + "email": "narroway@example.com", + "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway@example.com" + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Mac OS X", + "version": "10.14.1" + }, + "version": "67.0.3396.99" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_duo.auth.access_device.flash_version | The Flash plugin version used, if present. | keyword | +| cisco_duo.auth.access_device.hostname | The hostname, if present. | keyword | +| cisco_duo.auth.access_device.ip | The access device's IP address. | ip | +| cisco_duo.auth.access_device.is_encryption_enabled | Reports the disk encryption state as detected by the Duo Device Health app. | keyword | +| cisco_duo.auth.access_device.is_firewall_enabled | Reports the firewall state as detected by the Duo Device Health app. | keyword | +| cisco_duo.auth.access_device.is_password_set | Reports the system password state as detected by the Duo Device Health app | keyword | +| cisco_duo.auth.access_device.java_version | The Java plugin version used. | keyword | +| cisco_duo.auth.access_device.location.city | The city name of the access device using geoip location. | keyword | +| cisco_duo.auth.access_device.location.country | The country of the access device using geoip location. | keyword | +| cisco_duo.auth.access_device.location.state | The state name of the access device using geoip location. | keyword | +| cisco_duo.auth.access_device.security_agents | Reports the security agents present on the endpoint as detected by the Duo Device Health app. | keyword | +| cisco_duo.auth.alias | The username alias used to log in. 
| keyword | +| cisco_duo.auth.application.key | The application's integration_key. | keyword | +| cisco_duo.auth.application.name | The application's name. | keyword | +| cisco_duo.auth.auth_device.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| cisco_duo.auth.auth_device.as.organization.name | Organization name. | keyword | +| cisco_duo.auth.auth_device.geo.city_name | City name. | keyword | +| cisco_duo.auth.auth_device.geo.continent_name | Name of the continent. | keyword | +| cisco_duo.auth.auth_device.geo.country_iso_code | Country ISO code. | keyword | +| cisco_duo.auth.auth_device.geo.country_name | Country name. | keyword | +| cisco_duo.auth.auth_device.geo.location | Longitude and latitude. | geo_point | +| cisco_duo.auth.auth_device.geo.region_iso_code | Region ISO code. | keyword | +| cisco_duo.auth.auth_device.geo.region_name | Region name. | keyword | +| cisco_duo.auth.auth_device.ip | The IP address of the authentication device. | ip | +| cisco_duo.auth.auth_device.location.city | The city name of the authentication device using geoip location. | keyword | +| cisco_duo.auth.auth_device.location.country | The country of the authentication device using geoip location. | keyword | +| cisco_duo.auth.auth_device.location.state | The state name of the authentication device using geoip location. | keyword | +| cisco_duo.auth.auth_device.name | The name of the authentication device. | keyword | +| cisco_duo.auth.email | The email address of the user, if known to Duo, otherwise none. | keyword | +| cisco_duo.auth.event_type | The type of activity logged. | keyword | +| cisco_duo.auth.factor | The authentication factor. | keyword | +| cisco_duo.auth.ood_software | If authentication was denied due to out-of-date software, shows the name of the software. | keyword | +| cisco_duo.auth.reason | Provide the reason for the authentication attempt result. 
| keyword | +| cisco_duo.auth.result | The result of the authentication attempt. | keyword | +| cisco_duo.auth.trusted_endpoint_status | Status of Trusted Endpoint. | keyword | +| cisco_duo.auth.txid | The transaction ID of the event. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. 
If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| related.ip | All of the IPs seen on your event. | ip | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. 
| keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.user.email | User email address. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + + +### Offline Enrollment + +This is the `offline_enrollment` dataset. 
+ +An example event for `offline_enrollment` looks as following: + +```json +{ + "@timestamp": "2019-08-30T16:10:05.000Z", + "agent": { + "ephemeral_id": "3470fbe5-8d73-49db-8555-7e5f4cfd8504", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "offline_enrollment": { + "action": "o2fa_user_provisioned", + "description": { + "factor": "duo_otp", + "hostname": "WKSW10x64", + "user_agent": "DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)" + }, + "object": "Acme Laptop Windows Logon", + "user": { + "name": "narroway" + } + } + }, + "data_stream": { + "dataset": "cisco_duo.offline_enrollment", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2021-12-29T09:40:24.650Z", + "dataset": "cisco_duo.offline_enrollment", + "ingested": "2021-12-29T09:40:25Z", + "original": "{\"action\":\"o2fa_user_provisioned\",\"description\":\"{\\\"user_agent\\\": \\\"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\\\", \\\"hostname\\\": \\\"WKSW10x64\\\", \\\"factor\\\": \\\"duo_otp\\\"}\",\"isotimestamp\":\"2019-08-30T16:10:05+00:00\",\"object\":\"Acme Laptop Windows Logon\",\"timestamp\":1567181405,\"username\":\"narroway\"}" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-offline_enrollment" + ], + "user": { + "name": "narroway" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_duo.offline_enrollment.action | The offline enrollment operation | keyword | +| cisco_duo.offline_enrollment.description.factor | The type of authenticator used for offline access. 
| keyword | +| cisco_duo.offline_enrollment.description.hostname | The host name of the system where Duo Windows Logon is installed. | keyword | +| cisco_duo.offline_enrollment.description.user_agent | The Duo Windows Logon application version information and the Windows OS version and platform information. | keyword | +| cisco_duo.offline_enrollment.object | The Duo Windows Logon integration's name. | keyword | +| cisco_duo.offline_enrollment.user.name | The Duo username | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| tags | List of keywords used to tag each event. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + +### Summary + +This is the `summary` dataset. 
+ +An example event for `summary` looks as following: + +```json +{ + "@timestamp": "2021-12-29T09:41:01.807330132Z", + "agent": { + "ephemeral_id": "88177cd0-9798-45a3-86b1-48ab8de2fe35", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "summary": { + "admin_count": 3, + "integration_count": 9, + "telephony_credits_remaining": 960, + "user_count": 8 + } + }, + "data_stream": { + "dataset": "cisco_duo.summary", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2021-12-29T09:41:00.695Z", + "dataset": "cisco_duo.summary", + "ingested": "2021-12-29T09:41:01Z", + "original": "{\"response\":{\"admin_count\":3,\"integration_count\":9,\"telephony_credits_remaining\":960,\"user_count\":8},\"stat\":\"OK\"}" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-summary" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_duo.summary.admin_count | Current number of admins in the account. | integer | +| cisco_duo.summary.integration_count | Current number of integrations in the account. | integer | +| cisco_duo.summary.telephony_credits_remaining | Current total number of telephony credits available in the account. This is the sum of all types of telephony credits. | integer | +| cisco_duo.summary.user_count | Current number of users in the account. | integer | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. 
| text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| tags | List of keywords used to tag each event. | keyword | + + +### Telephony + +This is the `telephony` dataset. + +An example event for `telephony` looks as following: + +```json +{ + "@timestamp": "2020-03-20T15:38:12.000Z", + "agent": { + "ephemeral_id": "42a4e3b7-2d15-41a9-9b9c-2f2d1a4ae179", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco_duo": { + "telephony": { + "credits": 1, + "event_type": "authentication", + "phone_number": "+121234512345", + "type": "sms" + } + }, + "data_stream": { + "dataset": "cisco_duo.telephony", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2021-12-29T09:41:39.239Z", + "dataset": "cisco_duo.telephony", + "ingested": "2021-12-29T09:41:40Z", + "kind": "event", + "original": "{\"context\":\"authentication\",\"credits\":1,\"isotimestamp\":\"2020-03-20T15:38:12+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1584718692,\"type\":\"sms\"}" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-telephony" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_duo.telephony.credits | How many telephony credits this event cost. 
| integer | +| cisco_duo.telephony.event_type | How this telephony event was initiated. | keyword | +| cisco_duo.telephony.phone_number | The phone number that initiated this event. | keyword | +| cisco_duo.telephony.type | This type of telephony Event. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| tags | List of keywords used to tag each event. | keyword | diff --git a/packages/cisco_duo/1.1.4/img/cisco_duo-logo.svg b/packages/cisco_duo/1.1.4/img/cisco_duo-logo.svg new file mode 100755 index 0000000000..ab30cd5b18 --- /dev/null +++ b/packages/cisco_duo/1.1.4/img/cisco_duo-logo.svg @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/packages/cisco_duo/1.1.4/img/cisco_duo-screenshot.png b/packages/cisco_duo/1.1.4/img/cisco_duo-screenshot.png
new file mode 100755
index 0000000000..1270f7f8cf
Binary files /dev/null and b/packages/cisco_duo/1.1.4/img/cisco_duo-screenshot.png differ
diff --git a/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-6b585210-0faa-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-6b585210-0faa-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..1e5bb38068
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-6b585210-0faa-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "This dashboard shows summary logs collected by the Cisco Duo integration.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_duo.summary\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_duo.summary\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":true,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"3b33c381-80ab-4111-ab09-fcc73e3f9a0b\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"3b33c381-80ab-4111-ab09-fcc73e3f9a0b\",\"panelRefName\":\"panel_3b33c381-80ab-4111-ab09-fcc73e3f9a0b\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"e6ac6ace-57bd-4d11-b92b-a051cece0d4c\",\"w\":12,\"x\":0,\"y\":13},\"panelIndex\":\"e6ac6ace-57bd-4d11-b92b-a051cece0d4c\",\"panelRefName\":\"panel_e6ac6ace-57bd-4d11-b92b-a051cece0d4c\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"b31e0b4a-7166-421d-bb0a-e02cc3def401\",\"w\":12,\"x\":12,\"y\":13},\"panelIndex\":\"b31e0b4a-7166-421d-bb0a-e02cc3def401\",\"panelRefName\":\"panel_b31e0b4a-7166-421d-bb0a-e02cc3def401\",\"title\":\"[Cisco Duo] Integrations 
Count\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"85c0ed49-374f-448d-a9b4-88f4600d6ad8\",\"w\":12,\"x\":24,\"y\":13},\"panelIndex\":\"85c0ed49-374f-448d-a9b4-88f4600d6ad8\",\"panelRefName\":\"panel_85c0ed49-374f-448d-a9b4-88f4600d6ad8\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"80fb20e4-3445-450f-8b05-bcf29c015d7a\",\"w\":12,\"x\":36,\"y\":13},\"panelIndex\":\"80fb20e4-3445-450f-8b05-bcf29c015d7a\",\"panelRefName\":\"panel_80fb20e4-3445-450f-8b05-bcf29c015d7a\",\"type\":\"visualization\",\"version\":\"7.17.2\"}]", + "timeRestore": false, + "title": "[Cisco Duo] Summary Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-6b585210-0faa-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_duo-9818eda0-1063-11ec-8b4b-67126a72b1d4", + "name": "3b33c381-80ab-4111-ab09-fcc73e3f9a0b:panel_3b33c381-80ab-4111-ab09-fcc73e3f9a0b", + "type": "visualization" + }, + { + "id": "cisco_duo-32c97410-0fa0-11ec-8b4b-67126a72b1d4", + "name": "e6ac6ace-57bd-4d11-b92b-a051cece0d4c:panel_e6ac6ace-57bd-4d11-b92b-a051cece0d4c", + "type": "visualization" + }, + { + "id": "cisco_duo-1b1c61d0-0fa8-11ec-8b4b-67126a72b1d4", + "name": "b31e0b4a-7166-421d-bb0a-e02cc3def401:panel_b31e0b4a-7166-421d-bb0a-e02cc3def401", + "type": "visualization" + }, + { + "id": "cisco_duo-8342fad0-0fa8-11ec-8b4b-67126a72b1d4", + "name": "85c0ed49-374f-448d-a9b4-88f4600d6ad8:panel_85c0ed49-374f-448d-a9b4-88f4600d6ad8", + "type": "visualization" + }, + { + "id": "cisco_duo-1e9e23a0-0faa-11ec-8b4b-67126a72b1d4", + "name": "80fb20e4-3445-450f-8b05-bcf29c015d7a:panel_80fb20e4-3445-450f-8b05-bcf29c015d7a", + "type": "visualization" + } + ], + 
"type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-a48b1130-0fb4-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-a48b1130-0fb4-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..c34df2dfc1 --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-a48b1130-0fb4-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "This dashboard shows telephony logs collected by the Cisco Duo integration.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.telephony\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":true,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"4109bbba-072c-4f73-8530-39f86d6b732d\",\"w\":25,\"x\":0,\"y\":0},\"panelIndex\":\"4109bbba-072c-4f73-8530-39f86d6b732d\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"afbddd10-9ee9-4e14-b984-cf15e057b9ce\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"afbddd10-9ee9-4e14-b984-cf15e057b9ce\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fd25e144-12c2-4668-ac09-eadf51b0acfb\",\"w\":25,\"x\":0,\"y\":18},\"panelIndex\":\"fd25e144-12c2-4668-ac09-eadf51b0acfb\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Cisco Duo] Telephony Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-a48b1130-0fb4-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "cisco_duo-43e47440-0fb7-11ec-8b4b-67126a72b1d4", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_duo-3c0a89a0-0fba-11ec-8b4b-67126a72b1d4", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_duo-2c710c70-0fbb-11ec-8b4b-67126a72b1d4", + "name": "panel_2", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..b674b48107 --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "This dashboard shows authentication logs collected by the Cisco Duo integration.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_duo.auth\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_duo.auth\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":true,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":180,\"minLat\":-85.05113,\"minLon\":-180},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":0.99},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"25031c05-54c2-4d92-a275-1fa3a2bdf399\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"25031c05-54c2-4d92-a275-1fa3a2bdf399\",\"panelRefName\":\"panel_25031c05-54c2-4d92-a275-1fa3a2bdf399\",\"type\":\"map\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Number of failed attempts\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Source IPs\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"5\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Source 
IPs\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"5\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"failure\"}}}],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"cisco_duo.auth\\\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":false,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"orderBucketsBySum\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"5\",\"label\":\"Number of failed attempts\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Number of failed 
attempts\"},\"type\":\"value\"}]},\"title\":\"\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":17,\"i\":\"14cc4daa-2411-4927-be9d-20fc287bd46f\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"14cc4daa-2411-4927-be9d-20fc287bd46f\",\"panelRefName\":\"panel_14cc4daa-2411-4927-be9d-20fc287bd46f\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"988a5cf4-cba9-4437-9323-fe7f37e2beba\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"988a5cf4-cba9-4437-9323-fe7f37e2beba\",\"panelRefName\":\"panel_988a5cf4-cba9-4437-9323-fe7f37e2beba\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"410d1a65-1a7a-4680-95a9-1ecac80433b2\",\"w\":24,\"x\":0,\"y\":37},\"panelIndex\":\"410d1a65-1a7a-4680-95a9-1ecac80433b2\",\"panelRefName\":\"panel_410d1a65-1a7a-4680-95a9-1ecac80433b2\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"f56f5a11-3d30-4a6a-bdf1-0b32c7e26547\",\"w\":24,\"x\":24,\"y\":37},\"panelIndex\":\"f56f5a11-3d30-4a6a-bdf1-0b32c7e26547\",\"panelRefName\":\"panel_f56f5a11-3d30-4a6a-bdf1-0b32c7e26547\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"90ee91c4-ebe8-4a2e-898b-e3492f302162\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"90ee91c4-ebe8-4a2e-898b-e3492f302162\",\"panelRefName\":\"panel_90ee91c4-ebe8-4a2e-898b-e3492f302162\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"d676d2bc-e5cc-41c5-ab3d-d380e7cf24ae\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"d676d2bc-e5cc-41c5-ab3d-d380e7cf24ae\",\"panelRefName\":\"panel_d676d2bc-e5cc-41c5-ab3d-d380e7cf24ae\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"2c3d7
bcf-27ad-4fa0-9db2-a19282133333\",\"w\":24,\"x\":0,\"y\":71},\"panelIndex\":\"2c3d7bcf-27ad-4fa0-9db2-a19282133333\",\"panelRefName\":\"panel_2c3d7bcf-27ad-4fa0-9db2-a19282133333\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"field\":\"cisco_duo.auth.access_device.is_firewall_enabled\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":17,\"i\":\"42f72b64-1bbf-49bd-909a-af8fcbc4c4e9\",\"w\":24,\"x\":24,\"y\":71},\"panelIndex\":\"42f72b64-1bbf-49bd-909a-af8fcbc4c4e9\",\"panelRefName\":\"panel_42f72b64-1bbf-49bd-909a-af8fcbc4c4e9\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.auth.access_device.is_password_se
t\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.auth\\\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":15,\"i\":\"bbabe39a-d588-40c3-81d5-fcfe6448b0ff\",\"w\":24,\"x\":0,\"y\":88},\"panelIndex\":\"bbabe39a-d588-40c3-81d5-fcfe6448b0ff\",\"panelRefName\":\"panel_bbabe39a-d588-40c3-81d5-fcfe6448b0ff\",\"type\":\"visualization\",\"version\":\"7.17.2\"}]", + "timeRestore": false, + "title": "[Cisco Duo] Authentication Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-bd7d4870-0fbe-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_duo-158c0e80-148c-11ec-9386-31989719f9db", + "name": "25031c05-54c2-4d92-a275-1fa3a2bdf399:panel_25031c05-54c2-4d92-a275-1fa3a2bdf399", + "type": "map" + }, + { + "id": "cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4", + "name": "14cc4daa-2411-4927-be9d-20fc287bd46f:panel_14cc4daa-2411-4927-be9d-20fc287bd46f", + "type": "visualization" + }, + { + "id": "logs-*", + "name": 
"14cc4daa-2411-4927-be9d-20fc287bd46f:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14cc4daa-2411-4927-be9d-20fc287bd46f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_duo-7633dff0-0fd3-11ec-8b4b-67126a72b1d4", + "name": "988a5cf4-cba9-4437-9323-fe7f37e2beba:panel_988a5cf4-cba9-4437-9323-fe7f37e2beba", + "type": "visualization" + }, + { + "id": "cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4", + "name": "410d1a65-1a7a-4680-95a9-1ecac80433b2:panel_410d1a65-1a7a-4680-95a9-1ecac80433b2", + "type": "visualization" + }, + { + "id": "cisco_duo-7a1ff1c0-0fd4-11ec-8b4b-67126a72b1d4", + "name": "f56f5a11-3d30-4a6a-bdf1-0b32c7e26547:panel_f56f5a11-3d30-4a6a-bdf1-0b32c7e26547", + "type": "visualization" + }, + { + "id": "cisco_duo-e2482680-0fd6-11ec-8b4b-67126a72b1d4", + "name": "90ee91c4-ebe8-4a2e-898b-e3492f302162:panel_90ee91c4-ebe8-4a2e-898b-e3492f302162", + "type": "visualization" + }, + { + "id": "cisco_duo-8e8d9a00-0fd8-11ec-8b4b-67126a72b1d4", + "name": "d676d2bc-e5cc-41c5-ab3d-d380e7cf24ae:panel_d676d2bc-e5cc-41c5-ab3d-d380e7cf24ae", + "type": "visualization" + }, + { + "id": "cisco_duo-692d5e20-0fde-11ec-8b4b-67126a72b1d4", + "name": "2c3d7bcf-27ad-4fa0-9db2-a19282133333:panel_2c3d7bcf-27ad-4fa0-9db2-a19282133333", + "type": "visualization" + }, + { + "id": "cisco_duo-dfdd2050-0fde-11ec-8b4b-67126a72b1d4", + "name": "42f72b64-1bbf-49bd-909a-af8fcbc4c4e9:panel_42f72b64-1bbf-49bd-909a-af8fcbc4c4e9", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "42f72b64-1bbf-49bd-909a-af8fcbc4c4e9:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "cisco_duo-315d3b40-0fdf-11ec-8b4b-67126a72b1d4", + "name": "bbabe39a-d588-40c3-81d5-fcfe6448b0ff:panel_bbabe39a-d588-40c3-81d5-fcfe6448b0ff", + "type": "visualization" + }, + { + "id": "logs-*", + "name": 
"bbabe39a-d588-40c3-81d5-fcfe6448b0ff:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-f2277ef0-0fd8-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-f2277ef0-0fd8-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..ce7e1180e7 --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/dashboard/cisco_duo-f2277ef0-0fd8-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,62 @@ +{ + "attributes": { + "description": "This dashboard shows offline enrollment logs collected by the Cisco Duo integration.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_duo.offline_enrollment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_duo.offline_enrollment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":true,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9e1a3121-6df9-41a0-b167-3f837016650a\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"9e1a3121-6df9-41a0-b167-3f837016650a\",\"panelRefName\":\"panel_9e1a3121-6df9-41a0-b167-3f837016650a\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fd1a3e7c-5e1b-4fa1-8796-45abfa64e536\",\"w\":9,\"x\":9,\"y\":0},\"panelIndex\":\"fd1a3e7c-5e1b-4fa1-8796-45abfa64e536\",\"panelRefName\":\"panel_fd1a3e7c-5e1b-4fa1-8796-45abfa64e536\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"73433d45-2afb-45aa-b823-e048841115c2\",\"w\":12,\"x\":18,\"y\":0},\"panelIndex\":\"73433d45-2afb-45aa-b823-e048841115c2\",\"panelRefName\":\"panel_73433d45-2afb-45aa-b823-e048841115c2\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a0546004-8d4b-444d-af9d-23a249df93e3\",\"w\":9,\"x\":30,\"y\":0},\"panelIndex\":\"a0546004-8d4b-444d-af9d-23a249df93e3\",\"panelRefName\":\"panel_a0546004-8d4b-444d-af9d-23a249df93e3\",\"type\":\"visu
alization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"68f7d41f-43dd-49d6-88ac-afa36a19ebeb\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"68f7d41f-43dd-49d6-88ac-afa36a19ebeb\",\"panelRefName\":\"panel_68f7d41f-43dd-49d6-88ac-afa36a19ebeb\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cc8c06d5-4825-4b25-9d69-e6fec23d07b3\",\"w\":9,\"x\":39,\"y\":0},\"panelIndex\":\"cc8c06d5-4825-4b25-9d69-e6fec23d07b3\",\"panelRefName\":\"panel_cc8c06d5-4825-4b25-9d69-e6fec23d07b3\",\"type\":\"visualization\",\"version\":\"7.17.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"91d1ac3b-5cec-4e60-9179-18aaf7ce6198\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"91d1ac3b-5cec-4e60-9179-18aaf7ce6198\",\"panelRefName\":\"panel_91d1ac3b-5cec-4e60-9179-18aaf7ce6198\",\"type\":\"visualization\",\"version\":\"7.17.2\"}]", + "timeRestore": false, + "title": "[Cisco Duo] Offline Enrollment Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-f2277ef0-0fd8-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_duo-10edf670-1088-11ec-8b4b-67126a72b1d4", + "name": "9e1a3121-6df9-41a0-b167-3f837016650a:panel_9e1a3121-6df9-41a0-b167-3f837016650a", + "type": "visualization" + }, + { + "id": "cisco_duo-d1ba6030-1085-11ec-8b4b-67126a72b1d4", + "name": "fd1a3e7c-5e1b-4fa1-8796-45abfa64e536:panel_fd1a3e7c-5e1b-4fa1-8796-45abfa64e536", + "type": "visualization" + }, + { + "id": "cisco_duo-2e81b860-1089-11ec-8b4b-67126a72b1d4", + "name": "73433d45-2afb-45aa-b823-e048841115c2:panel_73433d45-2afb-45aa-b823-e048841115c2", + "type": "visualization" + }, + { + "id": "cisco_duo-6872e680-1088-11ec-8b4b-67126a72b1d4", + "name": 
"a0546004-8d4b-444d-af9d-23a249df93e3:panel_a0546004-8d4b-444d-af9d-23a249df93e3", + "type": "visualization" + }, + { + "id": "cisco_duo-f7bdbe50-0fd9-11ec-8b4b-67126a72b1d4", + "name": "68f7d41f-43dd-49d6-88ac-afa36a19ebeb:panel_68f7d41f-43dd-49d6-88ac-afa36a19ebeb", + "type": "visualization" + }, + { + "id": "cisco_duo-c228b5c0-1087-11ec-8b4b-67126a72b1d4", + "name": "cc8c06d5-4825-4b25-9d69-e6fec23d07b3:panel_cc8c06d5-4825-4b25-9d69-e6fec23d07b3", + "type": "visualization" + }, + { + "id": "cisco_duo-1952e300-1085-11ec-8b4b-67126a72b1d4", + "name": "91d1ac3b-5cec-4e60-9179-18aaf7ce6198:panel_91d1ac3b-5cec-4e60-9179-18aaf7ce6198", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/kibana/map/cisco_duo-158c0e80-148c-11ec-9386-31989719f9db.json b/packages/cisco_duo/1.1.4/kibana/map/cisco_duo-158c0e80-148c-11ec-9386-31989719f9db.json new file mode 100755 index 0000000000..94a0d26a3e --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/map/cisco_duo-158c0e80-148c-11ec-9386-31989719f9db.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"ce0cde1e-240f-4a56-bc83-60374450e029\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"4e14ab8b-6ac0-4c0d-92e4-56b7074b28f6\",\"includeInFitToBounds\":true,\"label\":\"Failed login attempts\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"768d716e-4cb1-435c-b301-f26d08954838\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", + "mapStateJSON": "{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_duo.auth\\\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"zoom\":0.99}", + "title": "[Cisco Duo] Failed Login attempts", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "coreMigrationVersion": "7.17.2", + "id": 
"cisco_duo-158c0e80-148c-11ec-9386-31989719f9db", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-10edf670-1088-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-10edf670-1088-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..a9a287430c --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-10edf670-1088-11ec-8b4b-67126a72b1d4.json 
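Review bot: The map is titled "[Cisco Duo] Failed Login attempts" and its heat-map layer is labelled "Failed login attempts", but `mapStateJSON` filters only on `event.dataset : "cisco_duo.auth"` with an empty `filters` array and no `event.outcome` constraint, so the layer counts every authentication event, successful logins included. The failed-attempts histogram on the authentication dashboard pins `event.outcome: failure`, so the two panels will disagree and the map over-reports failures. Change the saved query to `event.dataset : "cisco_duo.auth" and event.outcome : "failure"` (escaped as it is now inside the `mapStateJSON` string). Separately, every dashboard in this package filters on `data_stream.dataset` while this map queries `event.dataset`; that is only equivalent if the ingest pipeline populates `event.dataset` identically, which is not visible here, so consider aligning the map to `data_stream.dataset` as well.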
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Unique integration count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique integration count\",\"field\":\"cisco_duo.offline_enrollment.object\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Unique integration count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-10edf670-1088-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-1952e300-1085-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-1952e300-1085-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..9014ebf37b --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-1952e300-1085-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Top 10 Offline Enrollment Actions by user", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"cisco_duo.offline_enrollment.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Action\",\"field\":\"cisco_duo.offline_enrollment.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Cisco Duo] Top 10 Offline Enrollment Actions by user\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-1952e300-1085-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-1b1c61d0-0fa8-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-1b1c61d0-0fa8-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..5c3a27e86a --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-1b1c61d0-0fa8-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Number of Integration", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Number of Integrations\",\"field\":\"cisco_duo.summary.integration_count\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Number of Integration\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-1b1c61d0-0fa8-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-1e9e23a0-0faa-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-1e9e23a0-0faa-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..4931b9348e --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-1e9e23a0-0faa-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Telephony credits remaining", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Telephony Credits remaining\",\"field\":\"cisco_duo.summary.telephony_credits_remaining\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Telephony credits remaining\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-1e9e23a0-0faa-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-2c710c70-0fbb-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-2c710c70-0fbb-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..cd30ba06d2 --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-2c710c70-0fbb-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.telephony\\\"\"}}"
+ },
+ "title": "[Cisco Duo] Telephony credits used by telephony type",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"cisco_duo.telephony.credits\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.telephony.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Telephony credits used by telephony type\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-2c710c70-0fbb-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-2e81b860-1089-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-2e81b860-1089-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..59db0e4238
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-2e81b860-1089-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "[Cisco Duo] Factor used for offline enrollment",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Factor\",\"field\":\"cisco_duo.offline_enrollment.description.factor\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Factor used for offline enrollment\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-2e81b860-1089-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-315d3b40-0fdf-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-315d3b40-0fdf-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..40b7177218
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-315d3b40-0fdf-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "[Cisco Duo] Password set in user devices",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.auth.access_device.is_password_set\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Password set in user devices\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-315d3b40-0fdf-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-32c97410-0fa0-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-32c97410-0fa0-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..90b0e19ac1
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-32c97410-0fa0-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "[Cisco Duo] Admin Count",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Number of Admin\",\"field\":\"cisco_duo.summary.admin_count\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Admin Count\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-32c97410-0fa0-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-3c0a89a0-0fba-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-3c0a89a0-0fba-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..9907b6ab37
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-3c0a89a0-0fba-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.telephony\\\"\"}}"
+ },
+ "title": "[Cisco Duo] Telephony credits used by types of telephony event",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"cisco_duo.telephony.credits\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.telephony.event_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Telephony credits used by types of telephony event\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-3c0a89a0-0fba-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-43e47440-0fb7-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-43e47440-0fb7-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..87d11eeb62
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-43e47440-0fb7-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.telephony\\\"\"}}"
+ },
+ "title": "[Cisco Duo] Telephony credits used by Users",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Telephony credits used by user\",\"field\":\"cisco_duo.telephony.credits\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.telephony.phone_number\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Telephony credits used by Users\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-43e47440-0fb7-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..20f6c91824
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,30 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"failure\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "[Cisco Duo] Authentication Failed login attempts by Source IP",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Number of failed attempts\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Source IPs\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"5\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Source IPs\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"5\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":false,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"orderBucketsBySum\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"5\",\"label\":\"Number of failed attempts\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Number of failed attempts\"},\"type\":\"value\"}]},\"title\":\"[Cisco Duo] Authentication Failed login attempts by Source IP\",\"type\":\"histogram\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-66ca2220-0fd0-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-6872e680-1088-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-6872e680-1088-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..078da4c7c6
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-6872e680-1088-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "[Cisco Duo] Unique user count",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique user count\",\"field\":\"cisco_duo.offline_enrollment.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Unique user count\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-6872e680-1088-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-692d5e20-0fde-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-692d5e20-0fde-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..da2378ca4d
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-692d5e20-0fde-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "[Cisco Duo] Encryption enabled in user devices",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cisco_duo.auth.access_device.is_encryption_enabled\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Encryption enabled in user devices\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-692d5e20-0fde-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-7633dff0-0fd3-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-7633dff0-0fd3-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..d92b2f3dd3
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-7633dff0-0fd3-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "[Cisco Duo] Login Attempts by OS",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Login Attempts by OS\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-7633dff0-0fd3-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-7a1ff1c0-0fd4-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-7a1ff1c0-0fd4-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..fab286e90d
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-7a1ff1c0-0fd4-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,30 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"success\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"success\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "[Cisco Duo] Top 10 successful login attempts by Application name",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Successful Login attempts\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Application Name\",\"field\":\"cisco_duo.auth.application.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Cisco Duo] Top 10 successful login attempts by Application name\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-7a1ff1c0-0fd4-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-8342fad0-0fa8-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-8342fad0-0fa8-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..d58a1fb237
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-8342fad0-0fa8-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "[Cisco Duo] User Count",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Number of Users\",\"field\":\"cisco_duo.summary.user_count\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] User Count\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-8342fad0-0fa8-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-8e8d9a00-0fd8-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-8e8d9a00-0fd8-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..6e47523657
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-8e8d9a00-0fd8-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "[Cisco Duo] Login attempts by authentication factor",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Factor of authentication\",\"field\":\"cisco_duo.auth.factor\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Others\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Login attempts by authentication factor\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.17.2",
+ "id": "cisco_duo-8e8d9a00-0fd8-11ec-8b4b-67126a72b1d4",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-9818eda0-1063-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-9818eda0-1063-11ec-8b4b-67126a72b1d4.json
new file mode 100755
index 0000000000..1a376593c1
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-9818eda0-1063-11ec-8b4b-67126a72b1d4.json
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.summary\\\"\"}}" + }, + "title": "[Cisco Duo] Remaining telephony credits over time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"f05fb810-0fa8-11ec-8382-e117c2442b42\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4a31a4d0-81c1-4705-879d-f5d196dacbd2\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_bars\":30,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"94a8c66d-6999-46aa-a647-20789ed9bdc1\",\"label\":\"Remaining telephony credits\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"cisco_duo.summary.telephony_credits_remaining\",\"id\":\"ef27c46b-0bb7-44cc-b819-331c4abb7798\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"[Cisco Duo] Remaining telephony credits over time\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-9818eda0-1063-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-c228b5c0-1087-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-c228b5c0-1087-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..40264dcc13 --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-c228b5c0-1087-11ec-8b4b-67126a72b1d4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Unique hostname count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique hostname count\",\"field\":\"cisco_duo.offline_enrollment.description.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Unique hostname count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-c228b5c0-1087-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-d1ba6030-1085-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-d1ba6030-1085-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..2e2a815f69 --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-d1ba6030-1085-11ec-8b4b-67126a72b1d4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Unique action count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique action count\",\"field\":\"cisco_duo.offline_enrollment.action\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Cisco Duo] Unique action count\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-d1ba6030-1085-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-dfdd2050-0fde-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-dfdd2050-0fde-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..e7acd2b977 
--- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-dfdd2050-0fde-11ec-8b4b-67126a72b1d4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Firewall enabled in user devices", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"field\":\"cisco_duo.auth.access_device.is_firewall_enabled\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Cisco Duo] Firewall enabled in user devices\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-dfdd2050-0fde-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-e2482680-0fd6-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-e2482680-0fd6-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..79ff8e5399 --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-e2482680-0fd6-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Failed login attempts by reason over time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"d8f092a5-ae66-4065-b008-32c860c6981a\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.auth\\\" and event.outcome : \\\"failure\\\"\"},\"formatter\":\"number\",\"id\":\"28cb790c-2e1a-4805-84aa-1ed88babbed1\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"14432c40-0fd5-11ec-921c-81166521206e\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_filters\":[{\"color\":\"#68BC00\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_duo.auth\\\"\"},\"id\":\"f284b6f0-0fd4-11ec-921c-81166521206e\",\"label\":\"\"}],\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"event.reason\",\"terms_size\":\"100\",\"time_range_mode\":\"entire_time_range\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"[Cisco Duo] Failed login attempts by reason over time\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-e2482680-0fd6-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..640464c274 --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"failure\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Top 10 Failed login attempts by username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of failed attempts\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Cisco Duo] Top 10 Failed login attempts by username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-f14ab7b0-0fd1-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-f7bdbe50-0fd9-11ec-8b4b-67126a72b1d4.json b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-f7bdbe50-0fd9-11ec-8b4b-67126a72b1d4.json new file mode 100755 index 0000000000..2786cb3f53 --- /dev/null +++ b/packages/cisco_duo/1.1.4/kibana/visualization/cisco_duo-f7bdbe50-0fd9-11ec-8b4b-67126a72b1d4.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Cisco Duo] Top 10 Offline Enrollment actions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Action\",\"field\":\"cisco_duo.offline_enrollment.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Number of unique hosts\",\"field\":\"cisco_duo.offline_enrollment.description.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Number of unique integrations\",\"field\":\"cisco_duo.offline_enrollment.object\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total count of action execution\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Cisco Duo] Top 10 Offline Enrollment actions\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.2", + "id": "cisco_duo-f7bdbe50-0fd9-11ec-8b4b-67126a72b1d4", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_duo/1.1.4/manifest.yml b/packages/cisco_duo/1.1.4/manifest.yml
new file mode 100755
index 0000000000..c85cbcab2a
--- /dev/null
+++ b/packages/cisco_duo/1.1.4/manifest.yml
@@ -0,0 +1,56 @@
+format_version: 1.0.0
+name: cisco_duo
+title: Cisco Duo
+version: 1.1.4
+license: basic
+description: Collect logs from Cisco Duo with Elastic Agent.
+type: integration
+categories:
+ - security
+release: ga
+conditions:
+ kibana.version: ^7.17.2 || ^8.0.0
+screenshots:
+ - src: /img/cisco_duo-screenshot.png
+ title: Cisco Duo authentication log dashboard
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/cisco_duo-logo.svg
+ title: Cisco Duo logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: cisco_duo
+ title: Cisco Duo logs
+ description: Collect Cisco Duo logs
+ inputs:
+ - type: httpjson
+ vars:
+ - name: hostname
+ type: text
+ title: Hostname
+ description: Hostname for the Cisco Duo Admin API (Add https:// before the hostname).
+ required: true
+ - name: integration_key
+ type: text
+ title: Integration Key
+ description: Integration key for the Cisco Duo Admin API.
+ required: true
+ - name: secret_key
+ type: password
+ title: Secret Key
+ description: Secret key for the Cisco Duo Admin API.
+ required: true
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to query Cisco Duo Admin API.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ title: Collect Cisco Duo logs via API
+ description: Collect Cisco Duo Administrator, Authentication, Offline Enrollment, Summary, and Telephony logs
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cisco_ftd/2.0.4/changelog.yml b/packages/cisco_ftd/2.0.4/changelog.yml
new file mode 100755
index 0000000000..7cd6c0f065
--- /dev/null
+++ b/packages/cisco_ftd/2.0.4/changelog.yml
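Review bot: The `hostname` variable is a free-form `type: text` whose description asks the user to prepend `https://`, but nothing in the manifest constrains the value, so an entry with no scheme or with `http://` is accepted as-is; presumably the httpjson template builds the Admin API request URL straight from it — verify in the input template, which is not on this page. Because the `secret_key` credential (correctly `type: password`) is exercised against whatever endpoint that resolves to, a clear-text URL should at least be called out rather than accepted silently. The cheapest improvement is to make the contract explicit in the field text, e.g. `title: Admin API URL` and `description: Base URL of the Cisco Duo Admin API including the scheme, e.g. https://api-XXXXXXXX.duosecurity.com. Use https:// only; the value is not validated by the integration.`. A scheme check in the template would be the next step if the package format allows it.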
@@ -0,0 +1,66 @@
+# newer versions go on top
+- version: "2.0.4"
+ changes:
+ - description: Set event.kind to alert only when sha_disposition is malware or custom
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3041
+- version: "2.0.3"
+ changes:
+ - description: Make fields agree with ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3018
+- version: "2.0.2"
+ changes:
+ - description: Update observer to ftd and idps to better match this integration.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2551
+- version: "2.0.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "2.0.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2391
+- version: "1.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2258
+- version: "1.1.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1954
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1806
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1783
+- version: "1.0.1"
+ changes:
+ - description: Adding missing ECS fields
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1731
+- version: "1.0.0"
+ changes:
+ - description: Initial version to split Cisco FTD out from the general Cisco package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1586
diff --git a/packages/cisco_ftd/2.0.4/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_ftd/2.0.4/data_stream/log/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..28ea4aaa98
--- /dev/null
+++ b/packages/cisco_ftd/2.0.4/data_stream/log/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.0.4/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ftd/2.0.4/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..e129442a23
--- /dev/null
+++ b/packages/cisco_ftd/2.0.4/data_stream/log/agent/stream/udp.yml.hbs
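Review bot: In stream.yml.hbs the `- {{tag}}` items under `tags:` are rendered as unquoted YAML scalars, so a policy-supplied tag that YAML types implicitly (`yes`, `on`, `true`, an all-digit value, or anything containing ` #` or `: `) is re-typed or truncated when the agent parses the rendered config instead of arriving as a string; the `{{#contains "forwarded" tags}}` check and the pipeline-side tag tests then silently miss it. This hedges on the agent's YAML loader applying standard implicit typing, which is the usual behaviour. I would emit the tag items as `- "{{tag}}"` here and in the sibling udp.yml.hbs, whose `host` line already uses the quoted form. I am leaving `- {{path}}` alone because double quotes would start processing backslashes in Windows paths, and `{{processors}}` must stay raw since it is deliberately a YAML fragment.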
@@ -0,0 +1,16 @@
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.0.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/2.0.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..86cd3e514a
--- /dev/null
+++ b/packages/cisco_ftd/2.0.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml
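Review bot: The UDP input binds `host: "{{udp_host}}:{{udp_port}}"` and accepts datagrams from any sender; syslog over UDP carries no sender authentication, so anything that can reach the port can feed lines that the ingest pipeline parses and indexes as Cisco FTD events, including ones the pipeline labels `event.kind: alert` (per the 2.0.4 changelog entry on this page). Nothing in the template says so, and the only mitigation available is at the network layer — restricting which devices can reach the listener and avoiding a wildcard `udp_host` where possible; whether the manifest defaults `udp_host` to a wildcard address is not visible here. I would add a handlebars comment at the top of the template: `{{! UDP syslog is unauthenticated: any host that can reach udp_host:udp_port can inject events. Restrict reachability to the FTD devices at the network layer. }}`.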
@@ -0,0 +1,1972 @@
+---
+description: "Pipeline for Cisco FTD logs"
+processors:
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - set:
+ field: ecs.version
+ value: "8.0.0"
+ #
+ # Parse the syslog header
+ #
+ # This populates the host.hostname, process.name, timestamp and other fields
+ # from the header and stores the message contents in _temp_.full_message.
+ - grok:
+ field: event.original
+ patterns:
+ - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}"
+ pattern_definitions:
+ SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?"
+ SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility.code:int}(?:.%{NONNEGINT:syslog.priority:int})?>"
+ # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424.
+ FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})"
+ ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?"
+ PROCESS: "(?:[^%\\s:\\[]+)"
+ SYSLOG_END: "(?:(:|\\s)\\s+)"
+ # exactly match the syntax for firepower management logs
+ PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})"
+ HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?"
+
+ #
+ # Parse FTD/ASA style message
+ #
+ # This parses the header of an EMBLEM-style message for FTD and ASA prefixes.
+ - grok:
+ field: _temp_.full_message
+ patterns:
+ - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}"
+ # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header.
+ - "%{GREEDYDATA:message}" + pattern_definitions: + FTD_SUFFIX: "[^0-9-]+" + # Before version 6.3, FTD used ASA prefix in syslog messages + FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" + + # + # Create missing fields when no %FTD label is present + # + # message_id is needed in order for some processors below to work. + - set: + field: _temp_.cisco.message_id + value: "" + if: "ctx?._temp_?.cisco?.message_id == null" + + # + # set default event.severity to 7 (debug): + # + # This value is read from the EMBLEM header and won't be present if this is not + # an emblem message (firewalls can be configured to report other kinds of events) + - set: + field: event.severity + value: 7 + if: "ctx?.event?.severity == null" + + # + # Parse the date included in FTD logs + # + - date: + if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + - date: + if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" + timezone: "{{ event.timezone }}" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy 
HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + + # + # Set log.level + # + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: unknown + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: "log.level" + if: "ctx.event.severity == 7" + value: debug + + # + # Firewall messages + # + # This set of messages is shared between FTD and ASA. + - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + description: "106001" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + description: "106002" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + description: "106006" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - 
dissect:
+ if: "ctx._temp_.cisco.message_id == '106007'"
+ field: "message"
+ description: "106007"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106010'"
+ field: "message"
+ description: "106010"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106013'"
+ field: "message"
+ description: "106013"
+ pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '106013'"
+ field: "network.transport"
+ description: "106013"
+ value: icmp
+ - set:
+ if: "ctx._temp_.cisco.message_id == '106013'"
+ field: "network.direction"
+ description: "106013"
+ value: inbound
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106014'"
+ field: "message"
+ description: "106014"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106015'"
+ field: "message"
+ description: "106015"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106016'"
+ field: "message"
+ pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ description: "106016"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106017'"
+ field: "message"
+ pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}"
+ description: "106017"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106018'"
+ field: "message"
+ pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}"
+ description: "106018"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106020'"
+ field: "message"
+ pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}"
+ description: "106020"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106021'"
+ field: "message"
+ pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ description: "106021"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106022'"
+ field: "message"
+ pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ description: "106022"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106023'"
+ field: "message"
+ description: "106023"
+ patterns:
+ - 
^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106027'"
+ field: "message"
+ description: "106027"
+ pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106100'"
+ field: "message"
+ description: "106100"
+ pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'"
+ field: "message"
+ description: "106103"
+ pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '111004'"
+ field: "message"
+ description: "111004"
+ pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}"
+ - set:
+ field: event.outcome
+ description: "111004"
+ value: "success"
+ if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'"
+ - set:
+ field: event.outcome
+ description: "111004"
+ value: "failure"
+ if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'"
+ - remove:
+ field: _temp_.cisco.cli_outcome
+ ignore_missing: true
+ - append:
+ field: event.type
+ description: 
"111004" + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + description: "111009" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: "message" + description: "111010" + patterns: + - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + description: "113019" + pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" + - grok: + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "302013, 302015" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" + - dissect: + if: "ctx._temp_.cisco.message_id == '303002'" + field: "message" + description: "303002" + pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302012'" + field: "message" + description: "302012" + pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" + - grok: + if: "ctx._temp_.cisco.message_id == '302020'" + field: "message" + description: "302020" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" 
+ pattern_definitions: + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + - dissect: + if: "ctx._temp_.cisco.message_id == '302022'" + field: "message" + description: "302022" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302023'" + field: "message" + description: "302023" + pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" + - grok: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "message" + description: "304001" + patterns: + - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" + - set: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "event.outcome" + description: "304001" + value: success + - dissect: + if: "ctx._temp_.cisco.message_id == '304002'" + field: "message" + description: "304002" + pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - grok: + if: "ctx._temp_.cisco.message_id == '305011'" + field: "message" + description: "305011" + patterns: + - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} + - dissect: + if: "ctx._temp_.cisco.message_id == '313001'" + field: "message" + description: "313001" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313004'" + field: "message" + description: "313004" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" + - dissect: + if: "ctx._temp_.cisco.message_id == '313005'" + field: "message" + description: "313005" + pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313008'" + field: "message" + description: "313008" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313009'" + field: "message" + description: "313009" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '322001'" + field: "message" + description: "322001" + pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == 
'338001'" + field: "message" + description: "338001" + pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "server.domain" + description: "338001" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "message" + description: "338002" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "server.domain" + description: "338002" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338003'" + field: "message" + description: "338003" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: 
%{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338004'" + field: "message" + description: "338004" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "message" + description: "338005" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "server.domain" + description: "338005" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "message" + description: "338006" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: 
%{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "server.domain" + description: "338006" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338007'" + field: "message" + description: "338007" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338008'" + field: "message" + description: "338008" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "message" + description: "338101" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from 
%{_temp_.cisco.list_id} list: %{source.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "server.domain" + description: "338101" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "message" + description: "338102" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "server.domain" + description: "338102" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338103'" + field: "message" + description: "338103" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338104'" + field: "message" + description: "338104" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: 
"ctx._temp_.cisco.message_id == '338201'" + field: "message" + description: "338201" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "server.domain" + description: "338201" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "message" + description: "338202" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "server.domain" + description: "338202" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "message" + description: "338203" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} 
(%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "server.domain" + description: "338203" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "message" + description: "338204" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "server.domain" + description: "338204" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "message" + description: "338301" + pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.address" + description: "338301" + value: "{{destination.address}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.port" + description: "338301" + value: "{{destination.port}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.address" + description: "338301" + value: 
"{{source.address}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.port" + description: "338301" + value: "{{source.port}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "message" + description: "502103" + pattern: "User priv level changed: Uname: %{server.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.type" + description: "502103" + value: + - "group" + - "change" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.category" + description: "502103" + value: "iam" + - dissect: + if: "ctx._temp_.cisco.message_id == '507003'" + field: "message" + description: "507003" + pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" + - dissect: + if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "605004, 605005" + pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '609001'" + field: "message" + description: "609001" + pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '609002'" + field: "message" + description: "609002" + pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" + - dissect: + if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "611102, 611101" + pattern: "User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}" + - dissect: + if: "ctx._temp_.cisco.message_id == '710003'" + field: "message" + description: "710003" + pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == 
'710005'" + field: "message" + description: "710005" + pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713049'" + field: "message" + description: "713049" + pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" + - grok: + if: "ctx._temp_.cisco.message_id == '716002'" + field: "message" + description: "716002" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}." + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." + - grok: + if: "ctx._temp_.cisco.message_id == '722051'" + field: "message" + description: "722051" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" + - dissect: + if: "ctx._temp_.cisco.message_id == '733100'" + field: "message" + description: "733100" + pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. 
Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" + - dissect: + if: "ctx._temp_.cisco.message_id == '734001'" + field: "message" + description: "734001" + pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" + - dissect: + if: "ctx._temp_.cisco.message_id == '805001'" + field: "message" + description: "805001" + pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - dissect: + if: "ctx._temp_.cisco.message_id == '805002'" + field: "message" + description: "805002" + pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - split: + field: "_temp_.cisco.dap_records" + separator: ",\\s+" + ignore_missing: true + - dissect: + if: "ctx._temp_.cisco.message_id == '434002'" + field: "message" + pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: 
"ctx._temp_.cisco.message_id == '434004'" + field: "message" + pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + - dissect: + if: "ctx._temp_.cisco.message_id == '110002'" + field: "message" + pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '419002'" + field: "message" + pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" + - dissect: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." + - dissect: + if: "ctx._temp_.cisco.message_id == '750002'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713120'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" + - dissect: + if: "ctx._temp_.cisco.message_id == '713202'" + field: "message" + pattern: "IP = %{source.address}, %{event.reason}. %{} packet." 
+ - dissect: + if: "ctx._temp_.cisco.message_id == '750003'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" + - grok: + if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "message" + patterns: + - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$" + # Handle ecs action outcome protocol + - set: + if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "unknown" + - set: + if: '["419002"].contains(ctx._temp_.cisco.message_id)' + field: "network.protocol" + value: "tcp" + - set: + if: '["110002"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["713120"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "connection-started" + - set: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "error" + - append: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.type" + value: "error" + + # + # Handle 302xxx messages (Flow expiration a.k.a "Teardown") + # + - set: + if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "flow-expiration" + description: "302012, 302014, 
302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" + - grok: + field: "message" + if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" + patterns: + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) 
%{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr 
(?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? + pattern_definitions: + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + + # + # Decode FTD's Security Event Syslog Messages + # + # 43000x messages are security event syslog messages specific to FTD. + # Format is a comma-separated sequence of key: value pairs. + # + # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value} + - kv: + if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "430001, 430002, 430003, 430004, 430005" + field_split: ",(?=[A-za-z1-9\\s]+:)" + value_split: ":" + target_field: "_temp_.orig_security" + trim_key: " " + trim_value: " " + ignore_failure: true + + # + # Remove _temp_.full_message. + # + # The field has been used as temporary buffer while decoding. The full message + # is kept under event.original. Processors below can still add a message field, as some + # security events contain an explanatory Message field. + - remove: + field: + - message + - _temp_.full_message + ignore_missing: true + + # + # Populate ECS fields from Security Events + # + # This script uses the key-value pairs from Security Events to populate + # the appropriate ECS fields. + # + # A single key can be mapped to multiple ECS fields, and more than one key can + # map to the same ECS field, which results in an array being created. + # + # This script performs an additional job: + # + # Before FTD version 6.3, the message_id was not included in Security Events. + # As this field encodes the kind of event (intrusion, connection, malware...) 
+ # the script below will guess the right message_id from the keys present in + # the event. + # + # The reason for overloading this script with different behaviors is + # that this pipeline is already reaching the limit on script compilations. + # + #******************************************************************************* + # Code generated by go generate. DO NOT EDIT. + #******************************************************************************* + - script: + if: ctx._temp_?.orig_security != null + params: + ACPolicy: + target: ac_policy + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleAction: + target: access_control_rule_action + id: ["430002", "430003"] + ecs: [event.outcome] + AccessControlRuleName: + target: access_control_rule_name + id: ["430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleReason: + target: access_control_rule_reason + id: ["430002", "430003"] + ApplicationProtocol: + target: application_protocol + ecs: [network.protocol] + ArchiveDepth: + target: archive_depth + id: ["430004", "430005"] + ArchiveFileName: + target: archive_file_name + id: ["430004", "430005"] + ecs: [file.name] + ArchiveFileStatus: + target: archive_file_status + id: ["430004", "430005"] + ArchiveSHA256: + target: archive_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + Classification: + target: classification + id: ["430001"] + Client: + target: client + ecs: [network.application] + ClientVersion: + target: client_version + id: ["430002", "430003"] + ConnectionDuration: + target: connection_duration + id: ["430003"] + ecs: [event.duration] + DNS_Sinkhole: + target: dns_sinkhole + id: ["430002", "430003"] + DNS_TTL: + target: dns_ttl + id: ["430002", "430003"] + DNSQuery: + target: dns_query + id: ["430002", "430003"] + ecs: [dns.question.name] + DNSRecordType: + target: dns_record_type + id: ["430002", "430003"] + ecs: [dns.question.type] + DNSResponseType: + target: dns_response_type + id: 
["430002", "430003"] + ecs: [dns.response_code] + DNSSICategory: + target: dnssi_category + id: ["430002", "430003"] + DstIP: + target: dst_ip + ecs: [destination.address] + DstPort: + target: dst_port + ecs: [destination.port] + EgressInterface: + target: egress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.destination_interface] + EgressZone: + target: egress_zone + id: ["430001", "430002", "430003"] + Endpoint Profile: + target: endpoint_profile + id: ["430002", "430003"] + FileAction: + target: file_action + id: ["430004", "430005"] + FileCount: + target: file_count + id: ["430002", "430003"] + FileDirection: + target: file_direction + id: ["430004", "430005"] + FileName: + target: file_name + id: ["430004", "430005"] + ecs: [file.name] + FilePolicy: + target: file_policy + id: ["430004", "430005"] + ecs: [_temp_.cisco.rule_name] + FileSHA256: + target: file_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + FileSandboxStatus: + target: file_sandbox_status + id: ["430004", "430005"] + FileSize: + target: file_size + id: ["430004", "430005"] + ecs: [file.size] + FileStorageStatus: + target: file_storage_status + id: ["430004", "430005"] + FileType: + target: file_type + id: ["430004", "430005"] + FirstPacketSecond: + target: first_packet_second + id: ["430004", "430005"] + ecs: [event.start] + GID: + target: gid + id: ["430001"] + ecs: [service.id] + HTTPReferer: + target: http_referer + id: ["430002", "430003"] + ecs: [http.request.referrer] + HTTPResponse: + target: http_response + id: ["430001", "430002", "430003"] + ecs: [http.response.status_code] + ICMPCode: + target: icmp_code + id: ["430001", "430002", "430003"] + ICMPType: + target: icmp_type + id: ["430001", "430002", "430003"] + IPReputationSICategory: + target: ip_reputation_si_category + id: ["430002", "430003"] + IPSCount: + target: ips_count + id: ["430002", "430003"] + IngressInterface: + target: ingress_interface + id: ["430001", "430002", "430003"] + ecs: 
[_temp_.cisco.source_interface] + IngressZone: + target: ingress_zone + id: ["430001", "430002", "430003"] + InitiatorBytes: + target: initiator_bytes + id: ["430003"] + ecs: [source.bytes] + InitiatorPackets: + target: initiator_packets + id: ["430003"] + ecs: [source.packets] + InlineResult: + target: inline_result + id: ["430001"] + ecs: [event.outcome] + IntrusionPolicy: + target: intrusion_policy + id: ["430001"] + ecs: [_temp_.cisco.rule_name] + MPLS_Label: + target: mpls_label + id: ["430001"] + Message: + target: message + id: ["430001"] + ecs: [message] + NAPPolicy: + target: nap_policy + id: ["430001", "430002", "430003"] + NetBIOSDomain: + target: net_bios_domain + id: ["430002", "430003"] + ecs: [host.hostname] + NumIOC: + target: num_ioc + id: ["430001"] + Prefilter Policy: + target: prefilter_policy + id: ["430002", "430003"] + Priority: + target: priority + id: ["430001"] + Protocol: + target: protocol + ecs: [network.transport] + ReferencedHost: + target: referenced_host + id: ["430002", "430003"] + ecs: [url.domain] + ResponderBytes: + target: responder_bytes + id: ["430003"] + ecs: [destination.bytes] + ResponderPackets: + target: responder_packets + id: ["430003"] + ecs: [destination.packets] + Revision: + target: revision + id: ["430001"] + SHA_Disposition: + target: sha_disposition + id: ["430004", "430005"] + SID: + target: sid + id: ["430001"] + SSLActualAction: + target: ssl_actual_action + ecs: [event.outcome] + SSLCertificate: + target: ssl_certificate + id: ["430002", "430003", "430004", "430005"] + SSLExpectedAction: + target: ssl_expected_action + id: ["430002", "430003"] + SSLFlowStatus: + target: ssl_flow_status + id: ["430002", "430003", "430004", "430005"] + SSLPolicy: + target: ssl_policy + id: ["430002", "430003"] + SSLRuleName: + target: ssl_rule_name + id: ["430002", "430003"] + SSLServerCertStatus: + target: ssl_server_cert_status + id: ["430002", "430003"] + SSLServerName: + target: ssl_server_name + id: ["430002", "430003"] + 
ecs: [server.domain] + SSLSessionID: + target: ssl_session_id + id: ["430002", "430003"] + SSLTicketID: + target: ssl_ticket_id + id: ["430002", "430003"] + SSLURLCategory: + target: sslurl_category + id: ["430002", "430003"] + SSLVersion: + target: ssl_version + id: ["430002", "430003"] + SSSLCipherSuite: + target: sssl_cipher_suite + id: ["430002", "430003"] + SecIntMatchingIP: + target: sec_int_matching_ip + id: ["430002", "430003"] + Security Group: + target: security_group + id: ["430002", "430003"] + SperoDisposition: + target: spero_disposition + id: ["430004", "430005"] + SrcIP: + target: src_ip + ecs: [source.address] + SrcPort: + target: src_port + ecs: [source.port] + TCPFlags: + target: tcp_flags + id: ["430002", "430003"] + ThreatName: + target: threat_name + id: ["430005"] + ecs: [_temp_.cisco.threat_category] + ThreatScore: + target: threat_score + id: ["430005"] + ecs: [_temp_.cisco.threat_level] + Tunnel or Prefilter Rule: + target: tunnel_or_prefilter_rule + id: ["430002", "430003"] + URI: + target: uri + id: ["430004", "430005"] + ecs: [url.original] + URL: + target: url + id: ["430002", "430003"] + ecs: [url.original] + URLCategory: + target: url_category + id: ["430002", "430003"] + URLReputation: + target: url_reputation + id: ["430002", "430003"] + URLSICategory: + target: urlsi_category + id: ["430002", "430003"] + User: + target: user + ecs: [user.id, user.name] + UserAgent: + target: user_agent + id: ["430002", "430003"] + ecs: [user_agent.original] + VLAN_ID: + target: vlan_id + id: ["430001", "430002", "430003"] + WebApplication: + target: web_application + ecs: [network.application] + originalClientSrcIP: + target: original_client_src_ip + id: ["430002", "430003"] + ecs: [client.address] + lang: painless + source: | + boolean isEmpty(def value) { + return (value instanceof AbstractList? 
value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? + dest.put(key, value) + : existing instanceof AbstractList? + existing.add(value) + : dest.put(key, new ArrayList([existing, value])); + } + def msg = ctx._temp_.orig_security; + def counters = new HashMap(); + def dest = new HashMap(); + ctx._temp_.cisco['security'] = dest; + for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + dest[param.target] = entry.getValue(); + } + } + if (ctx._temp_.cisco.message_id != "") return; + def best; + for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; + } + if (best != null) ctx._temp_.cisco.message_id = best.getKey(); + #******************************************************************************* + # End of generated code. 
+ #*******************************************************************************
+
+ #
+ # Normalize ECS field values
+ #
+ - script:
+ lang: painless
+ params:
+ "ctx._temp_.cisco.message_id":
+ target: event.action
+ map:
+ "430001": intrusion-detected
+ "430002": connection-started
+ "430003": connection-finished
+ "430004": file-detected
+ "430005": malware-detected
+ "dns.question.type":
+ map:
+ "a host address": A
+ "ip6 address": AAAA
+ "text strings": TXT
+ "a domain name pointer": PTR
+ "an authoritative name server": NS
+ "the canonical name for an alias": CNAME
+ "marks the start of a zone of authority": SOA
+ "mail exchange": MX
+ "server selection": SRV
+ "dns.response_code":
+ map:
+ "non-existent domain": NXDOMAIN
+ "server failure": SERVFAIL
+ "query refused": REFUSED
+ "no error": NOERROR
+ source: |
+ def getField(Map src, String[] path) {
+ for (int i=0; i new HashMap());
+ }
+ dest[path[path.length-1]] = value;
+ }
+ for (entry in params.entrySet()) {
+ def srcField = entry.getKey();
+ def param = entry.getValue();
+ String oldVal = getField(ctx, srcField.splitOnToken('.'));
+ if (oldVal == null) continue;
+ def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null);
+ if (newVal != null) {
+ def dstField = param.getOrDefault('target', srcField);
+ setField(ctx, dstField.splitOnToken('.'), newVal);
+ }
+ }
+ - set:
+ if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null"
+ field: dns.response_code
+ value: NOERROR
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430001"'
+ field: event.action
+ value: intrusion-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430002"'
+ field: event.action
+ value: connection-started
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430003"'
+ field: event.action
+ value: connection-finished
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430004"'
+ field: event.action
+ value: file-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430005"'
+ field: event.action
+ value: malware-detected
+
+ #
+ # Handle event.duration
+ #
+ # It can be set from ConnectionDuration FTD field above. This field holds
+ # seconds as a string. Copy it to _temp_.duration_hms so that the following
+ # processor converts it to the right value and populates start and end.
+ - set:
+ field: "_temp_.duration_hms"
+ value: "{{event.duration}}"
+ ignore_empty_value: true
+
+ #
+ # Process the flow duration "hh:mm:ss" present in some messages
+ # This will fill event.start, event.end and event.duration
+ #
+ - script:
+ lang: painless
+ if: "ctx?._temp_?.duration_hms != null"
+ source: >
+ long parse_hms(String s) {
+ long cur = 0, total = 0;
+ for (char c: s.toCharArray()) {
+ if (c >= (char)'0' && c <= (char)'9') {
+ cur = (cur*10) + (long)c - (char)'0';
+ } else if (c == (char)':') {
+ total = (total + cur) * 60;
+ cur = 0;
+ } else {
+ return 0;
+ }
+ }
+ return total + cur;
+ }
+ if (ctx?.event == null) {
+ ctx['event'] = new HashMap();
+ }
+ String end = ctx['@timestamp'];
+ ctx.event['end'] = end;
+ long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L;
+ ctx.event['duration'] = nanos;
+ ctx.event['start'] = ZonedDateTime.ofInstant(
+ Instant.parse(end).minusNanos(nanos),
+ ZoneOffset.UTC);
+ #
+ # Normalize protocol names
+ #
+ - lowercase:
+ field: "network.transport"
+ ignore_failure: true
+ - lowercase:
+ field: "network.protocol"
+ ignore_failure: true
+ - lowercase:
+ field: "network.application"
+ ignore_failure: true
+ - lowercase:
+ field: "file.type"
+ ignore_failure: true
+ - lowercase:
+ field: "network.direction"
+ ignore_failure: true
+ - lowercase:
+ field: "network.type"
+ ignore_failure: true
+ #
+ # Populate network.iana_number from network.transport. Also does reverse
+ # mapping in case network.transport contains the iana_number.
+ #
+ - script:
+ if: "ctx?.network?.transport != null"
+ lang: painless
+ params:
+ icmp: 1
+ igmp: 2
+ ipv4: 4
+ tcp: 6
+ egp: 8
+ igp: 9
+ pup: 12
+ udp: 17
+ rdp: 27
+ irtp: 28
+ dccp: 33
+ idpr: 35
+ ipv6: 41
+ ipv6-route: 43
+ ipv6-frag: 44
+ rsvp: 46
+ gre: 47
+ esp: 50
+ ipv6-icmp: 58
+ ipv6-nonxt: 59
+ ipv6-opts: 60
+ source: >
+ def net = ctx.network;
+ def iana = params[net.transport];
+ if (iana != null) {
+ net['iana_number'] = iana;
+ return;
+ }
+ def reverse = new HashMap();
+ def[] arr = new def[] { null };
+ for (entry in params.entrySet()) {
+ arr[0] = entry.getValue();
+ reverse.put(String.format("%d", arr), entry.getKey());
+ }
+ def trans = reverse[net.transport];
+ if (trans != null) {
+ net['iana_number'] = net.transport;
+ net['transport'] = trans;
+ }
+ #
+ # Normalize event.outcome
+ #
+ - lowercase:
+ field: "event.outcome"
+ ignore_missing: true
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "est-allowed"'
+ value: success
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "permitted"'
+ value: success
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "allow"'
+ value: success
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "denied"'
+ value: failure
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "deny"'
+ value: failure
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "dropped"'
+ value: failure
+ - set:
+ field: "network.transport"
+ if: 'ctx.network?.transport == "icmpv6"'
+ value: "ipv6-icmp"
+ #
+ # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string
+ #
+ - convert:
+ field: source.port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: destination.port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: source.bytes
+ type: long
+ ignore_failure: true
+ - convert:
+ field: destination.bytes
+ type: long
+ ignore_failure: true
+ - convert:
+ field: network.bytes
+ type: long
+ ignore_failure: true
+ - convert:
+ field: source.packets
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: destination.packets
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.mapped_source_port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.mapped_destination_port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.icmp_code
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.icmp_type
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: http.response.status_code
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: file.size
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: network.iana_number
+ type: string
+ ignore_failure: true
+ #
+ # Assign ECS .ip fields from .address is a valid IP address is found,
+ # otherwise set .domain field.
+ #
+ - grok:
+ field: source.address
+ patterns:
+ - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$"
+ ignore_failure: true
+ - grok:
+ field: destination.address
+ patterns:
+ - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$"
+ ignore_failure: true
+ - grok:
+ field: client.address
+ patterns:
+ - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$"
+ ignore_failure: true
+ - grok:
+ field: server.address
+ patterns:
+ - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$"
+ ignore_failure: true
+ #
+ # Geolocation for source and destination addresses
+ #
+ - geoip:
+ field: "source.ip"
+ target_field: "source.geo"
+ ignore_missing: true
+ - geoip:
+ field: "destination.ip"
+ target_field: "destination.geo"
+ ignore_missing: true
+ #
+ # IP Autonomous System (AS) Lookup
+ #
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ #
+ # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address.
+ #
+ - grok:
+ field: _temp_.natsrcip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$"
+ ignore_failure: true
+ - grok:
+ field: _temp_.natdstip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$"
+ ignore_failure: true
+ #
+ # NAT fields
+ #
+ # The firewall always populates mapped ip and port even if there was no NAT.
+ # This populates both nat.ip and nat.port only when some translation is done.
+ # Fills nat.ip and nat.port even when only the ip or port changed.
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.cisco.mapped_source_ip}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: source.nat.port
+ value: "{{_temp_.cisco.mapped_source_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.port
+ type: long
+ ignore_missing: true
+ - set:
+ field: destination.nat.ip
+ value: "{{_temp_.cisco.mapped_destination_ip}}"
+ if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: destination.nat.port
+ value: "{{_temp_.cisco.mapped_destination_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.port
+ type: long
+ ignore_missing: true
+ #
+ # Zone-based Network Directionality
+ #
+ # If external and internal zones are specified and our ingress/egress zones are
+ # populated, then we can classify traffic directionality based off of our defined
+ # zones rather than the logs.
+ - set:
+ field: network.direction
+ value: inbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ - set:
+ field: network.direction
+ value: outbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: internal
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: external
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: unknown
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ )
+ )
+
+ - set:
+ field: _temp_.url_domain
+ value: "{{url.domain}}"
+ ignore_failure: true
+ if: ctx?.url?.domain != null
+
+ - uri_parts:
+ field: url.original
+ ignore_failure: true
+ if: ctx?.url?.original != null
+ - append:
+ field: url.domain
+ value: "{{_temp_.url_domain}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?._temp_?.url_domain != null
+
+ #
+ # Populate ECS event.code
+ #
+ - rename:
+ field: _temp_.cisco.message_id
+ target_field: event.code
+ ignore_failure: true
+ - remove:
+ field:
+ - _temp_.cisco.message_id
+ - event.code
+ if: 'ctx._temp_.cisco.message_id == ""'
+ ignore_failure: true
+ #
+ # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd.
+ #
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.ftd"
+ ignore_failure: true
+ #
+ # Remove temporary fields
+ #
+ - remove:
+ field: _temp_
+ ignore_missing: true
+ #
+ # Rename some 7.x fields
+ #
+ - rename:
+ field: cisco.ftd.list_id
+ target_field: cisco.ftd.rule_name
+ ignore_missing: true
+ # ECS categorization
+ - script:
+ lang: painless
+ params:
+ connection-finished:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ connection-started:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - start
+ file-detected:
+ kind: alert
+ category:
+ - malware
+ type:
+ - info
+ firewall-rule:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ flow-expiration:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ intrusion-detected:
+ kind: alert
+ category:
+ - intrusion_detection
+ type:
+ - info
+ malware-detected:
+ kind: event
+ category:
+ - malware
+ type:
+ - info
+ bypass:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - change
+ error:
+ kind: event
+ outcome: failure
+ category:
+ - network
+ type:
+ - error
+ deleted:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - deletion
+ - user
+ creation:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - creation
+ - user
+ source: >-
+ if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) {
+ return;
+ }
+ ctx.event.kind = params.get(ctx.event.action).get('kind');
+ ctx.event.category = params.get(ctx.event.action).get('category').clone();
+ ctx.event.type = params.get(ctx.event.action).get('type').clone();
+ if (ctx?.event?.outcome == null) {
+ return;
+ }
+ if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) {
+ if (ctx.event.outcome == 'success') {
+ ctx.event.type.add('allowed');
+ }
+ if (ctx.event.outcome == 'failure') {
+ ctx.event.type.add('denied');
+ }
+ if (ctx.event.outcome == 'block') {
+ ctx.event.type.add('denied');
+ }
+ }
+
+ # Malware event kind is classified as alert when sha_disposition is "Malware", "Custom Detection" not for other cases.
+ - set:
+ if: 'ctx?.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)'
+ field: event.kind
+ value: alert
+ - append:
+ if: 'ctx?.event?.code == "430005" && !["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)'
+ field: event.category
+ value: file
+
+ - set:
+ description: copy destination.user.name to user.name if it is not set
+ field: user.name
+ value: "{{destination.user.name}}"
+ ignore_empty_value: true
+ if: ctx?.user?.name == null
+
+ # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname.
+ - set:
+ field: observer.hostname
+ value: "{{ host.hostname }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.vendor
+ value: "Cisco"
+ ignore_empty_value: true
+ - set:
+ field: observer.type
+ value: "idps"
+ ignore_empty_value: true
+ - set:
+ field: observer.product
+ value: "ftd"
+ ignore_empty_value: true
+ - set:
+ field: observer.egress.interface.name
+ value: "{{ cisco.ftd.destination_interface }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.ingress.interface.name
+ value: "{{ cisco.ftd.source_interface }}"
+ ignore_empty_value: true
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{source.nat.ip}}"
+ if: "ctx?.source?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.nat.ip}}"
+ if: "ctx?.destination?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ if: ctx?.user?.name != null && ctx?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{server.user.name}}"
+ if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{destination.user.name}}"
+ if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: "{{file.hash.sha256}}"
+ if: "ctx?.file?.hash?.sha256 != null"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{observer.hostname}}"
+ if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{destination.domain}}"
+ if: ctx.destination?.domain != null && ctx.destination?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{source.domain}}"
+ if: ctx.source?.domain != null && ctx.source?.domain != ''
+ allow_duplicates: false
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ # Copy any fields under _temp_.cisco to its final destination. Those can help
+ # with diagnosing the failure.
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.ftd"
+ ignore_failure: true
+ # Remove _temp_ to avoid adding a lot of unnecessary fields to the index.
+ - remove:
+ field: _temp_
+ ignore_missing: true
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cisco_ftd/2.0.4/data_stream/log/fields/agent.yml b/packages/cisco_ftd/2.0.4/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..d38a70bd6b
--- /dev/null
+++ b/packages/cisco_ftd/2.0.4/data_stream/log/fields/agent.yml
@@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
+- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/cisco_ftd/2.0.4/data_stream/log/fields/base-fields.yml b/packages/cisco_ftd/2.0.4/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..e02b7e2a25 --- /dev/null +++ b/packages/cisco_ftd/2.0.4/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_ftd +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_ftd.log +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/cisco_ftd/2.0.4/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/2.0.4/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..e981c336d5 --- /dev/null +++ b/packages/cisco_ftd/2.0.4/data_stream/log/fields/ecs.yml 
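Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted plain scalar, so a YAML loader reads it as an integer even though the field is declared `type: keyword`; the other examples in this file that could be mistyped are quoted (`"18D109"`, `"stretch"`), so for consistency and to keep tooling from retyping it, write `example: "666777888999"`. This agent.yml appears to be the shared copy carried across packages, so the fix presumably belongs in the source it is copied from rather than only in this built 2.0.4 copy.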
@@ -0,0 +1,567 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. 
+ level: core + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
+ name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Reason why this event happened, according to the source. 
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
+ name: event.type + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. 
+ name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
+ name: network.iana_number + type: keyword +- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + name: network.inner + type: object +- description: VLAN ID as reported by the observer. + name: network.inner.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: network.inner.vlan.name + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. 
internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + The domain name of the server system. 
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + name: service.id + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. 
+ name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". 
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
+ name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
+ name: server.domain + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Port of the server. + name: server.port + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Port of the client. + name: client.port + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip diff --git a/packages/cisco_ftd/2.0.4/data_stream/log/fields/fields.yml b/packages/cisco_ftd/2.0.4/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..cd3a6b2e3a --- /dev/null +++ b/packages/cisco_ftd/2.0.4/data_stream/log/fields/fields.yml 
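Review bot: `event.created` is defined twice in this file (the same description/name/type block appears back to back in the event.* run), and `server.domain` is defined twice as well, once in the alphabetical run and again in the trailing client/server block. A YAML sequence of mappings accepts these duplicates silently, so whether they collide depends entirely on how the field definitions are merged into the index template; I would drop the second copy of each so the mapping is unambiguous. If this ecs.yml is produced from ECS references in the source package, the duplicates originate there and should be removed upstream rather than patched in the built copy. Separately, the mapping indexes `url.password` as a keyword; the processors that populate `url.*` are not in this diff, so I cannot tell from here whether credentials embedded in logged URLs end up indexed, which is worth confirming because an indexed `url.password` is readable by anyone with read access to the data stream.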
@@ -0,0 +1,155 @@
+- name: cisco.ftd
+ type: group
+ fields:
+ - name: message_id
+ type: keyword
+ description: |
+ The Cisco FTD message identifier.
+ - name: suffix
+ type: keyword
+ description: |
+ Optional suffix after %FTD identifier.
+ - name: source_interface
+ type: keyword
+ description: |
+ Source interface for the flow or event.
+ - name: destination_interface
+ type: keyword
+ description: |
+ Destination interface for the flow or event.
+ - name: rule_name
+ type: keyword
+ description: |
+ Name of the Access Control List rule that matched this event.
+ - name: source_username
+ type: keyword
+ description: |
+ Name of the user that is the source for this event.
+ - name: destination_username
+ type: keyword
+ description: |
+ Name of the user that is the destination for this event.
+ - name: mapped_source_ip
+ type: ip
+ description: |
+ The translated source IP address.
+ - name: mapped_source_port
+ type: long
+ description: |
+ The translated source port.
+ - name: mapped_destination_ip
+ type: ip
+ description: |
+ The translated destination IP address.
+ - name: mapped_destination_port
+ type: long
+ description: |
+ The translated destination port.
+ - name: threat_level
+ type: keyword
+ description: |
+ Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
+ - name: threat_category
+ type: keyword
+ description: |
+ Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
+ - name: connection_id
+ type: keyword
+ description: |
+ Unique identifier for a flow.
+ - name: icmp_type
+ type: short
+ description: |
+ ICMP type.
+ - name: icmp_code
+ type: short
+ description: |
+ ICMP code.
+ - name: connection_type
+ type: keyword
+ description: |
+ The VPN connection type
+ - name: dap_records
+ type: keyword
+ description: |
+ The assigned DAP records
+ - name: mapped_destination_host
+ type: keyword
+ - name: username
+ type: keyword
+ - name: mapped_source_host
+ type: keyword
+ - name: command_line_arguments
+ default_field: false
+ type: keyword
+ description: |
+ The command line arguments logged by the local audit log
+ - name: assigned_ip
+ default_field: false
+ type: ip
+ description: |
+ The IP address assigned to a VPN client successfully connecting
+ - name: privilege.old
+ default_field: false
+ type: keyword
+ description: |
+ When a users privilege is changed this is the old value
+ - name: privilege.new
+ default_field: false
+ type: keyword
+ description: |
+ When a users privilege is changed this is the new value
+ - name: burst.object
+ default_field: false
+ type: keyword
+ description: |
+ The related object for burst warnings
+ - name: burst.id
+ default_field: false
+ type: keyword
+ description: |
+ The related rate ID for burst warnings
+ - name: burst.current_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current burst rate seen
+ - name: burst.configured_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current configured burst rate
+ - name: burst.avg_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current average burst rate seen
+ - name: burst.configured_avg_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current configured average burst rate allowed
+ - name: burst.cumulative_count
+ default_field: false
+ type: keyword
+ description: |
+ The total count of burst rate hits since the object was created or cleared
+ - name: security
+ type: flattened
+ description: Cisco FTD security event fields.
+ - name: webvpn.group_name
+ type: keyword
+ default_field: false
+ description: |
+ The WebVPN group name the user belongs to
+ - name: termination_user
+ default_field: false
+ type: keyword
+ description: |-
+ AAA name of user requesting termination
+- name: syslog.facility.code
+ type: long
+ description: Syslog numeric facility of the event.
+- name: syslog.priority
+ type: long
+ description: Syslog priority of the event.
diff --git a/packages/cisco_ftd/2.0.4/data_stream/log/manifest.yml b/packages/cisco_ftd/2.0.4/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..4c7fab8f5d
--- /dev/null
+++ b/packages/cisco_ftd/2.0.4/data_stream/log/manifest.yml
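Review bot: `cisco.ftd.mapped_destination_host`, `cisco.ftd.username` and `cisco.ftd.mapped_source_host` are declared with no `description`, so they render as empty cells in the generated README field table; each should get one, for example `description: Username reported in the message` and `description: The translated destination host name` / `description: The translated source host name`, with the exact semantics confirmed against the ingest pipeline, which is outside this hunk. `cisco.ftd.command_line_arguments` also deserves a caveat, because CLI audit records can carry credentials or other secrets passed as arguments; appending `Values may contain sensitive data such as credentials supplied on the command line.` to its description would tell operators to review access and retention for that field. Separately, the sample event in this same change populates `cisco.ftd.threat_category` with the threat name `Win.Ransomware.Eicar::95.sbx.tg` rather than a category such as virus or botnet as this description states, which suggests the pipeline's handling of message 430005 should be checked. The top-level `syslog.facility.code` and `syslog.priority` fields are non-ECS names while the README lists ECS `log.*` fields; a comment noting they are kept for backward compatibility would avoid confusion with `log.syslog.*`.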
@@ -0,0 +1,87 @@
+title: Cisco FTD logs
+type: logs
+streams:
+ - input: udp
+ title: Cisco FTD logs
+ description: Collect Cisco FTD logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ftd
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP Port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9003
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Cisco FTD logs
+ description: Collect Cisco FTD logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cisco-ftd.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ftd
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/cisco_ftd/2.0.4/data_stream/log/sample_event.json b/packages/cisco_ftd/2.0.4/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..f297153442
--- /dev/null
+++ b/packages/cisco_ftd/2.0.4/data_stream/log/sample_event.json
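Review bot: The `udp` stream accepts plain syslog over UDP with no authentication or integrity protection, so once `udp_host` is changed from its `localhost` default to a routable address any host that can reach port 9003 can inject or spoof events into `cisco_ftd.log`, and the variable definition carries no warning about this. Suggest adding `description: Bind only to a network path restricted to the FTD device; UDP syslog is unauthenticated and sender addresses can be spoofed, so limit senders with a host firewall.` under `udp_host`. Both streams default `preserve_original_event` to `false`, which is reasonable for volume but means `event.original` is absent when an alert needs the raw message as evidence; the description could note that enabling it is recommended where the raw record must be retained. There is no TCP or TLS variant of the listener in this manifest, so if the pipeline is meant for production forwarding that gap is worth recording in the README rather than leaving operators to discover it.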
@@ -0,0 +1,157 @@
+{
+ "@timestamp": "2019-08-16T09:39:03.000Z",
+ "agent": {
+ "ephemeral_id": "dc7057b3-a7ae-4c27-9c9c-8de003cda102",
+ "hostname": "docker-fleet-agent",
+ "id": "43265318-62cb-431d-b8c2-c36438978d88",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "cisco": {
+ "ftd": {
+ "rule_name": "malware-and-file-policy",
+ "security": {
+ "application_protocol": "HTTP",
+ "client": "cURL",
+ "dst_ip": "81.2.69.144",
+ "dst_port": "80",
+ "file_action": "Malware Cloud Lookup",
+ "file_direction": "Download",
+ "file_name": "eicar_com.zip",
+ "file_policy": "malware-and-file-policy",
+ "file_sandbox_status": "File Size Is Too Small",
+ "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad",
+ "file_size": "184",
+ "file_storage_status": "Not Stored (Disposition Was Pending)",
+ "file_type": "ZIP",
+ "first_packet_second": "2019-08-16T09:39:02Z",
+ "protocol": "tcp",
+ "sha_disposition": "Unavailable",
+ "spero_disposition": "Spero detection not performed on file",
+ "src_ip": "10.0.1.20",
+ "src_port": "46004",
+ "threat_name": "Win.Ransomware.Eicar::95.sbx.tg",
+ "uri": "http://www.eicar.org/download/eicar_com.zip",
+ "user": "No Authentication Required"
+ },
+ "threat_category": "Win.Ransomware.Eicar::95.sbx.tg"
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco_ftd.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "81.2.69.144",
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "43265318-62cb-431d-b8c2-c36438978d88",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "action": "malware-detected",
+ "agent_id_status": "verified",
+ "category": [
+ "malware",
+ "file"
+ ],
+ "code": "430005",
+ "dataset": "cisco_ftd.log",
+ "ingested": "2022-04-11T08:03:35Z",
+ "kind": "event",
+ "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n",
+ "severity": 1,
+ "start": "2019-08-16T09:39:02Z",
+ "timezone": "+00:00",
+ "type": [
+ "info"
+ ]
+ },
+ "file": {
+ "hash": {
+ "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
+ },
+ "name": "eicar_com.zip",
+ "size": 184
+ },
+ "host": {
+ "hostname": "firepower"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "level": "alert",
+ "source": {
+ "address": "172.21.0.4:50821"
+ }
+ },
+ "network": {
+ "application": "curl",
+ "iana_number": "6",
+ "protocol": "http",
+ "transport": "tcp"
+ },
+ "observer": {
+ "hostname": "firepower",
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "hash": [
+ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
+ ],
+ "hosts": [
+ "firepower"
+ ],
+ "ip": [
+ "10.0.1.20",
+ "81.2.69.144"
+ ],
+ "user": [
+ "No Authentication Required"
+ ]
+ },
+ "source": {
+ "address": "10.0.1.20",
+ "ip": "10.0.1.20",
+ "port": 46004
+ },
+ "tags": [
+ "preserve_original_event",
+ "cisco-ftd",
+ "forwarded"
+ ],
+ "url": {
+ "domain": "www.eicar.org",
+ "extension": "zip",
+ "original": "http://www.eicar.org/download/eicar_com.zip",
+ "path": "/download/eicar_com.zip",
+ "scheme": "http"
+ },
+ "user": {
+ "id": "No Authentication Required",
+ "name": "No Authentication Required"
+ }
+}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.0.4/docs/README.md b/packages/cisco_ftd/2.0.4/docs/README.md
new file mode 100755
index 0000000000..fc2df5e903
--- /dev/null
+++ b/packages/cisco_ftd/2.0.4/docs/README.md
@@ -0,0 +1,392 @@ +# Cisco FTD Integration + +This integration is for Cisco Firepower Threat Defence (FTD) device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: + +- `log` dataset: supports Cisco Firepower Threat Defense (FTD) logs. + +## Logs + +### FTD + +The `log` dataset collects the Cisco Firepower Threat Defense (FTD) logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2019-08-16T09:39:03.000Z", + "agent": { + "ephemeral_id": "dc7057b3-a7ae-4c27-9c9c-8de003cda102", + "hostname": "docker-fleet-agent", + "id": "43265318-62cb-431d-b8c2-c36438978d88", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cisco": { + "ftd": { + "rule_name": "malware-and-file-policy", + "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "81.2.69.144", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", + "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file_size": "184", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "ZIP", + "first_packet_second": "2019-08-16T09:39:02Z", + "protocol": "tcp", + "sha_disposition": "Unavailable", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "46004", + "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "uri": "http://www.eicar.org/download/eicar_com.zip", + "user": "No Authentication Required" + }, + "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" + } + }, + "data_stream": { + "dataset": "cisco_ftd.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United 
Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "43265318-62cb-431d-b8c2-c36438978d88", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "malware-detected", + "agent_id_status": "verified", + "category": [ + "malware", + "file" + ], + "code": "430005", + "dataset": "cisco_ftd.log", + "ingested": "2022-04-11T08:03:35Z", + "kind": "event", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n", + "severity": 1, + "start": "2019-08-16T09:39:02Z", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "firepower" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "alert", + "source": { + "address": "172.21.0.4:50821" + } + }, + "network": { + "application": "curl", + "iana_number": "6", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "firepower", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hash": [ + 
"2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.1.20", + "81.2.69.144" + ], + "user": [ + "No Authentication Required" + ] + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 46004 + }, + "tags": [ + "preserve_original_event", + "cisco-ftd", + "forwarded" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + "original": "http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" + }, + "user": { + "id": "No Authentication Required", + "name": "No Authentication Required" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | +| cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword | +| cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | +| cisco.ftd.burst.configured_rate | The current configured burst rate | keyword | +| cisco.ftd.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | +| cisco.ftd.burst.current_rate | The current burst rate seen | keyword | +| cisco.ftd.burst.id | The related rate ID for burst warnings | keyword | +| cisco.ftd.burst.object | The related object for burst warnings | keyword | +| cisco.ftd.command_line_arguments | The command line arguments logged by the local audit log | keyword | +| cisco.ftd.connection_id | Unique identifier for a flow. 
| keyword | +| cisco.ftd.connection_type | The VPN connection type | keyword | +| cisco.ftd.dap_records | The assigned DAP records | keyword | +| cisco.ftd.destination_interface | Destination interface for the flow or event. | keyword | +| cisco.ftd.destination_username | Name of the user that is the destination for this event. | keyword | +| cisco.ftd.icmp_code | ICMP code. | short | +| cisco.ftd.icmp_type | ICMP type. | short | +| cisco.ftd.mapped_destination_host | | keyword | +| cisco.ftd.mapped_destination_ip | The translated destination IP address. | ip | +| cisco.ftd.mapped_destination_port | The translated destination port. | long | +| cisco.ftd.mapped_source_host | | keyword | +| cisco.ftd.mapped_source_ip | The translated source IP address. | ip | +| cisco.ftd.mapped_source_port | The translated source port. | long | +| cisco.ftd.message_id | The Cisco FTD message identifier. | keyword | +| cisco.ftd.privilege.new | When a users privilege is changed this is the new value | keyword | +| cisco.ftd.privilege.old | When a users privilege is changed this is the old value | keyword | +| cisco.ftd.rule_name | Name of the Access Control List rule that matched this event. | keyword | +| cisco.ftd.security | Cisco FTD security event fields. | flattened | +| cisco.ftd.source_interface | Source interface for the flow or event. | keyword | +| cisco.ftd.source_username | Name of the user that is the source for this event. | keyword | +| cisco.ftd.suffix | Optional suffix after %FTD identifier. | keyword | +| cisco.ftd.termination_user | AAA name of user requesting termination | keyword | +| cisco.ftd.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | +| cisco.ftd.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. 
| keyword | +| cisco.ftd.username | | keyword | +| cisco.ftd.webvpn.group_name | The WebVPN group name the user belongs to | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. 
| keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. 
Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.response_code | The DNS response code. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.status_code | HTTP response status code. | long | +| input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. 
| keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. 
Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. 
| keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.name | Short name or login of the user. 
| keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| syslog.facility.code | Syslog numeric facility of the event. | long | +| syslog.priority | Syslog priority of the event. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". 
| wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. 
| keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + diff --git a/packages/cisco_ftd/2.0.4/img/cisco.svg b/packages/cisco_ftd/2.0.4/img/cisco.svg new file mode 100755 index 0000000000..20ebebf197 --- /dev/null +++ b/packages/cisco_ftd/2.0.4/img/cisco.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/cisco_ftd/2.0.4/manifest.yml b/packages/cisco_ftd/2.0.4/manifest.yml new file mode 100755 index 0000000000..3dc70b6c6b --- /dev/null +++ b/packages/cisco_ftd/2.0.4/manifest.yml @@ -0,0 +1,31 @@ +format_version: 1.0.0 +name: cisco_ftd +title: Cisco FTD +version: 2.0.4 +license: basic +description: Collect logs from Cisco FTD with Elastic Agent. +type: integration +categories: + - network + - security +release: ga +conditions: + kibana.version: "^7.16.0 || ^8.0.0" +icons: + - src: /img/cisco.svg + title: cisco + size: 216x216 + type: image/svg+xml +policy_templates: + - name: cisco_ftd + title: Cisco FTD logs + description: Collect logs from Cisco FTD instances + inputs: + - type: udp + title: Collect logs from Cisco FTD via UDP + description: Collecting logs from Cisco FTD via UDP + - type: logfile + title: Collect logs from Cisco FTD via file + description: Collecting logs from Cisco FTD via file +owner: + github: elastic/security-external-integrations diff --git a/packages/crowdstrike/1.2.7/changelog.yml b/packages/crowdstrike/1.2.7/changelog.yml new file mode 100755 index 0000000000..e3b4fa7bc9 --- /dev/null +++ b/packages/crowdstrike/1.2.7/changelog.yml 
@@ -0,0 +1,146 @@ +# newer versions go on top +- version: "1.2.7" + changes: + - description: Move invalid field value + type: enhancement + link: https://github.com/elastic/integrations/pull/3098 +- version: "1.2.6" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.2.5" + changes: + - description: Add date parsing for BiosReleaseDate field. + type: bugfix + link: https://github.com/elastic/integrations/pull/2867 +- version: "1.2.4" + changes: + - description: Add missing field mapping for several event and host fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/2869 +- version: "1.2.3" + changes: + - description: Change type of 'fdr_parsing_script' variable to 'yaml' so that the multi-line string creates a valid YAML config document. + type: bugfix + link: https://github.com/elastic/integrations/pull/2701 +- version: "1.2.2" + changes: + - description: Add Ingest Pipeline script to map IANA Protocol Numbers + type: bugfix + link: https://github.com/elastic/integrations/pull/2470 +- version: "1.2.1" + changes: + - description: Fix issue with "Is FDR Queue" selector having no effect. 
+ type: bugfix + link: https://github.com/elastic/integrations/pull/2653 +- version: "1.2.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2398 +- version: "1.1.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.1.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.1.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2229 +- version: "1.0.4" + changes: + - description: Add ability to read from both FDR provided and user owned SQS queues for FDR. + type: bugfix + link: https://github.com/elastic/integrations/pull/2198 + - description: Pipeline fixes for FDR + type: bugfix + link: https://github.com/elastic/integrations/pull/2198 +- version: "1.0.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: | + https://github.com/elastic/integrations/pull/2022 +- version: "1.0.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1961 +- version: "1.0.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1812 +- version: '1.0.0' + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1630 +- version: "0.9.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1655 +- version: "0.8.1" + changes: + - description: Add proxy config + type: enhancement + link: https://github.com/elastic/integrations/pull/1648 +- version: "0.8.0" + changes: + - description: Add FDR data stream. 
+ type: enhancement + link: https://github.com/elastic/integrations/pull/1522 + - description: Change Falcon ECS fields definition to use references + type: enhancement + link: https://github.com/elastic/integrations/pull/1522 + - description: Add cleanup processor to Falcon + type: enhancement + link: https://github.com/elastic/integrations/pull/1522 +- version: '0.7.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1378 +- version: "0.7.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.6.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1258 +- version: "0.5.0" + changes: + - description: update to ECS 1.10.0 and add event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1036 +- version: "0.4.1" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/841 +- version: "0.4.0" + changes: + - description: Moves edge processing to ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/774 +- version: "0.3.1" + changes: + - description: Change kibana.version constraint to be more conservative. + type: bugfix + link: https://github.com/elastic/integrations/pull/749 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/182 diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/agent/stream/log.yml.hbs b/packages/crowdstrike/1.2.7/data_stream/falcon/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..79e1726037 --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/agent/stream/log.yml.hbs 
@@ -0,0 +1,25 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +# Crowdstrike Falcon SIEM connector logs are multiline JSON by default +multiline.pattern: '^{' +multiline.negate: true +multiline.match: after +multiline.max_lines: 5000 +multiline.timeout: 10 +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml new file mode 100755 index 0000000000..1469046543 --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml @@ -0,0 +1,32 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [authentication] + - append: + field: event.type + value: [change] + - convert: + field: crowdstrike.event.ServiceName + type: string + target_field: message + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.UserIp + target_field: source.ip + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" + - script: + lang: painless + source: | + def regex = /([a-z0-9])([A-Z])/; + def replacement = "$1_$2"; + def action = ctx?.crowdstrike?.event?.OperationName; + if (action == null || action == "") return; + ctx["event.action"] = regex.matcher(action).replaceAll(replacement).toLowerCase(); 
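Review bot: The `convert` that copies `crowdstrike.event.UserIp` into `source.ip` uses `type: string`, so the only validation is the non-null/non-empty `if` guard; a value that is not a parseable address is copied verbatim into an ECS `ip` field and the document is then rejected at index time, where the parent pipeline's `on_failure` handler cannot catch it. Converting with `type: ip` instead (the convert processor supports it on the stack versions this package targets, as far as I recall) combined with the existing `ignore_failure: true` would skip the copy and leave the raw value under `crowdstrike.event.UserIp` for triage: `type: ip`. The same `type: string` pattern is used for the `LocalIP` → `source.ip` convert in the detection_summary pipeline, whose hunk is cut off at the end of this chunk.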
diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..2884f6e94d --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,423 @@ +--- +description: Ingest pipeline for normalizing CrowdStrike Falcon logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: crowdstrike + - remove: + field: + - host.name + ignore_missing: true + - remove: + field: crowdstrike.event.ProcessStartTime + ignore_missing: true + if: ctx?.crowdstrike?.event?.ProcessStartTime == 0 + - date: + field: crowdstrike.event.ProcessStartTime + target_field: crowdstrike.event.ProcessStartTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessStartTime != null && + !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) >= 12 + - remove: + field: crowdstrike.event.ProcessEndTime + ignore_missing: true + if: ctx?.crowdstrike?.event?.ProcessEndTime == 0 + - date: + field: crowdstrike.event.ProcessEndTime + target_field: crowdstrike.event.ProcessEndTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessEndTime != null && + !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) >= 12 + - remove: + field: crowdstrike.event.IncidentStartTime + ignore_missing: true + if: ctx?.crowdstrike?.event?.IncidentStartTime == 0 + - date: + field: crowdstrike.event.IncidentStartTime + target_field: crowdstrike.event.IncidentStartTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentStartTime != null && + !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) >= 12 + - remove: + field: crowdstrike.event.IncidentEndTime + ignore_missing: true + if: ctx?.crowdstrike?.event?.IncidentEndTime == 0 + - date: + field: 
crowdstrike.event.IncidentEndTime + target_field: crowdstrike.event.IncidentEndTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentEndTime != null && + !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) >= 12 + - remove: + field: crowdstrike.event.StartTimestamp + ignore_missing: true + if: ctx?.crowdstrike?.event?.StartTimestamp == 0 + - date: + field: crowdstrike.event.StartTimestamp + target_field: crowdstrike.event.StartTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.StartTimestamp != null && + !(ctx.crowdstrike.event.StartTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) >= 12 + - remove: + field: crowdstrike.event.EndTimestamp + ignore_missing: true + if: ctx?.crowdstrike?.event?.EndTimestamp == 0 + - date: + field: crowdstrike.event.EndTimestamp + target_field: crowdstrike.event.EndTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.EndTimestamp != null && + !(ctx.crowdstrike.event.EndTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) >= 12 + - remove: + field: crowdstrike.event.UTCTimestamp + ignore_missing: true + if: ctx?.crowdstrike?.event?.UTCTimestamp == 0 + - date: + field: crowdstrike.event.UTCTimestamp + target_field: crowdstrike.event.UTCTimestamp + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.UTCTimestamp != null && + !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) >= 12 + - remove: + field: crowdstrike.metadata.eventCreationTime + ignore_missing: true + if: ctx?.crowdstrike?.metadata?.eventCreationTime == 0 + - date: + field: crowdstrike.metadata.eventCreationTime + target_field: 
crowdstrike.metadata.eventCreationTime + timezone: UTC + formats: + - UNIX_MS + ignore_failure: true + if: | + ctx?.crowdstrike?.metadata?.eventCreationTime != null && + !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) >= 12 + - date: + field: crowdstrike.event.ProcessStartTime + target_field: crowdstrike.event.ProcessStartTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessStartTime != null && + !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) < 12 + - date: + field: crowdstrike.event.ProcessEndTime + target_field: crowdstrike.event.ProcessEndTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.ProcessEndTime != null && + !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) < 12 + - date: + field: crowdstrike.event.IncidentStartTime + target_field: crowdstrike.event.IncidentStartTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentStartTime != null && + !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) < 12 + - date: + field: crowdstrike.event.IncidentEndTime + target_field: crowdstrike.event.IncidentEndTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.IncidentEndTime != null && + !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) < 12 + - date: + field: crowdstrike.event.StartTimestamp + target_field: crowdstrike.event.StartTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.StartTimestamp != null && + 
!(ctx.crowdstrike.event.StartTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) < 12 + - date: + field: crowdstrike.event.EndTimestamp + target_field: crowdstrike.event.EndTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.EndTimestamp != null && + !(ctx.crowdstrike.event.EndTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) < 12 + - date: + field: crowdstrike.event.UTCTimestamp + target_field: crowdstrike.event.UTCTimestamp + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.event?.UTCTimestamp != null && + !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && + (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) < 12 + - date: + field: crowdstrike.metadata.eventCreationTime + target_field: crowdstrike.metadata.eventCreationTime + timezone: UTC + formats: + - UNIX + ignore_failure: true + if: | + ctx?.crowdstrike?.metadata?.eventCreationTime != null && + !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && + (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) < 12 + - set: + field: event.outcome + value: success + if: ctx?.crowdstrike?.event?.Success == true + - set: + field: event.outcome + value: failure + if: ctx?.crowdstrike?.event?.Success == false + - set: + field: event.outcome + value: unknown + if: ctx?.event?.outcome == null + - convert: + field: crowdstrike.metadata.eventCreationTime + target_field: "@timestamp" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.LateralMovement + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.LocalPort + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.MatchCount + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: 
crowdstrike.event.MatchCountSinceLastReport + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.PID + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.RemotePort + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: source.port + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: destination.port + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.UserName + target_field: user.name + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.UserId + target_field: user.name + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.user?.name == null || ctx?.user?.name == "" + - set: + field: user.email + value: "{{user.name}}" + ignore_empty_value: true + ignore_failure: true + if: ctx?.user?.name != null && /@/.split(ctx.user.name).length == 2 + - script: + lang: painless + source: | + def commandLine = ctx?.crowdstrike?.event?.CommandLine; + if (commandLine != null) { + + commandLine = commandLine.trim(); + + if (commandLine != "") { + def args = Arrays.asList(/ /.split(commandLine)); + args.removeIf(arg -> arg == ""); + + ctx["process.command_line"] = commandLine; + ctx["process.args"] = args; + ctx["process.executable"] = args.get(0); + } + } + - pipeline: + name: '{{ IngestPipeline "detection_summary" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "DetectionSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "incident_summary" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "IncidentSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "user_activity_audit" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "UserActivityAuditEvent" + - pipeline: + name: '{{ IngestPipeline "auth_activity_audit" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "AuthActivityAuditEvent" + - pipeline: + name: '{{ 
IngestPipeline "firewall_match" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "FirewallMatchEvent" + - pipeline: + name: '{{ IngestPipeline "remote_response_session_start" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionStartEvent" + - pipeline: + name: '{{ IngestPipeline "remote_response_session_end" }}' + if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionEndEvent" + - script: + lang: painless + if: ctx?.crowdstrike?.event != null + params: + values: + - null + - '' + - '-' + - 'N/A' + - 'NA' + - 0 + source: | + ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + - script: + lang: painless + if: ctx?.crowdstrike?.metadata != null + params: + values: + - null + - '' + - '-' + - 'N/A' + - 'NA' + source: | + ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + - append: + field: related.user + value: "{{user.name}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.user?.name != null && ctx?.user?.name != "" + - append: + field: related.ip + value: "{{source.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.source?.ip != null && ctx?.source?.ip != "" + - append: + field: related.ip + value: "{{destination.ip}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" + - append: + field: related.hosts + value: "{{host.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx?.host?.name != null && ctx?.host?.name != "" + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml new file mode 100755 index 0000000000..22bebe784e --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml 
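Review bot: In the painless script that derives `process.*` from `crowdstrike.event.CommandLine`, `ctx["process.executable"] = args.get(0)` takes the first whitespace-delimited token of the command line, so an executable path containing a space (routine under `Program Files` on Windows) is truncated in `process.executable`, a field detection rules and enrichment commonly key on. Since `crowdstrike.event.FileName` is already converted to `process.name` in the detection_summary pipeline, it would be safer to treat the first token as a heuristic and document it, e.g. `# first token of CommandLine is only a heuristic for the executable; paths with spaces are truncated`, or to leave `process.executable` unset when the token cannot be trusted. The script also writes dotted top-level keys (`ctx["process.command_line"]`, `ctx["process.args"]`) rather than nesting under `ctx.process`; Elasticsearch generally expands these dots at index time, but the document is left in a mixed shape for the later `handleMap` cleanup, and nesting would match the `target_field` output of the surrounding `convert` processors.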
@@ -0,0 +1,161 @@ +--- +processors: + - set: + field: event.kind + value: alert + - append: + field: event.category + value: [malware] + - append: + field: event.type + value: [info] + - set: + field: agent.type + value: falcon + - convert: + field: crowdstrike.event.LocalIP + target_field: source.ip + type: string + ignore_failure: true + ignore_missing: true + if: ctx?.crowdstrike?.event?.LocalIP != null && ctx?.crowdstrike?.event?.LocalIP != "" + - convert: + field: crowdstrike.event.ProcessId + target_field: process.pid + ignore_failure: true + type: long + ignore_missing: true + - convert: + field: crowdstrike.event.ParentImageFileName + target_field: process.parent.executable + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.ParentCommandLine + target_field: process.parent.command_line + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.PatternDispositionDescription + target_field: event.action + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.FalconHostLink + target_field: event.url + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.Severity + target_field: event.severity + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.DetectDescription + target_field: message + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.FileName + target_field: process.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.UserName + target_field: user.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.MachineDomain + target_field: user.domain + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.SensorId + target_field: agent.id + type: 
string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.ComputerName + target_field: host.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.SHA256String + target_field: file.hash.sha256 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.sha256}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.sha256 != null && ctx?.file?.hash?.sha256 != "" && !(/^0+$/.matcher(ctx.file.hash.sha256).matches()) + - convert: + field: crowdstrike.event.MD5String + target_field: file.hash.md5 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.md5}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.md5 != null && ctx?.file?.hash?.md5 != "" && !(/^0+$/.matcher(ctx.file.hash.md5).matches()) + - convert: + field: crowdstrike.event.SHA1String + target_field: file.hash.sha1 + type: string + ignore_failure: true + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.sha1}}" + allow_duplicates: false + ignore_failure: true + if: ctx?.file?.hash?.sha1 != null && ctx?.file?.hash?.sha1 != "" && !(/^0+$/.matcher(ctx.file.hash.sha1).matches()) + - convert: + field: crowdstrike.event.DetectName + target_field: rule.name + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.DetectDescription + target_field: rule.description + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.Technique + target_field: threat.technique.name + type: string + ignore_failure: true + ignore_missing: true + - lowercase: + field: threat.technique.name + ignore_missing: true + ignore_failure: true + - convert: + field: crowdstrike.event.Tactic + target_field: threat.tactic.name + type: string + ignore_failure: true + ignore_missing: true + - 
lowercase: + field: threat.tactic.name + ignore_missing: true + ignore_failure: true diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml new file mode 100755 index 0000000000..28dac8ccd0 --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml 
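Review bot: `crowdstrike.event.MachineDomain` is mapped to `user.domain`, but the ECS description this package declares for `user.domain` ("the directory the user is a member of") does not describe a machine's domain — that is `host.domain`, which agent.yml in this same commit declares; for a local account the user gets tagged with a directory it is not in. Change the convert to `target_field: host.domain` and populate `user.domain` only when the event carries an account domain. Separately, fields.yml declares `FilePath` and `CommandLine` on the detection and ecs.yml declares `process.executable` / `process.command_line`, yet this pipeline gives the parent process both while the detected process gets only `process.name`; unless the default pipeline (which starts before this chunk) already maps them, add the two converts below. Note also that lowercasing `threat.technique.name` / `threat.tactic.name` diverges from the canonical ATT&CK names other sources emit, which hurts cross-source correlation on those fields.
```yaml
  # … unchanged: preceding convert processors …
  - convert:
      field: crowdstrike.event.FilePath
      target_field: process.executable
      type: string
      ignore_failure: true
      ignore_missing: true
  - convert:
      field: crowdstrike.event.CommandLine
      target_field: process.command_line
      type: string
      ignore_failure: true
      ignore_missing: true
  # … unchanged: hash, rule and threat mappings …
```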
@@ -0,0 +1,135 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [network] + - append: + field: event.action + value: [firewall_match_event] + - append: + field: event.type + value: [start, connection] + - set: + field: message + value: "Firewall Rule '{{crowdstrike.event.RuleName}}' triggered" + if: ctx?.crowdstrike?.event?.RuleName != null + ignore_failure: true + - convert: + field: "crowdstrike.event.Ipv" + target_field: "network.type" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.PID" + target_field: "process.pid" + ignore_failure: true + ignore_missing: true + type: "long" + - convert: + field: "crowdstrike.event.RuleId" + target_field: "rule.id" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleName" + target_field: "rule.name" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleGroupName" + target_field: "rule.ruleset" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleDescription" + target_field: "rule.description" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.RuleFamilyID" + target_field: "rule.category" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.HostName" + target_field: "host.name" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.Ipv" + target_field: "network.type" + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: "crowdstrike.event.EventType" + target_field: "event.code" + type: string + ignore_missing: true + ignore_failure: true + - set: + field: network.direction + value: ingress + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: source.ip + value: 
"{{crowdstrike.event.RemoteAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - convert: + field: crowdstrike.event.RemotePort + target_field: source.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: destination.ip + value: "{{crowdstrike.event.LocalAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - convert: + field: crowdstrike.event.LocalPort + target_field: destination.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" + - set: + field: network.direction + value: ingress + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - set: + field: destination.ip + value: "{{crowdstrike.event.RemoteAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - convert: + field: crowdstrike.event.RemotePort + target_field: destination.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - set: + field: source.ip + value: "{{crowdstrike.event.LocalAddress}}" + ignore_empty_value: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" + - convert: + field: crowdstrike.event.LocalPort + target_field: source.port + type: long + ignore_missing: true + ignore_failure: true + if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml new file mode 100755 index 0000000000..667222dc79 --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml 
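Review bot: `network.direction` is set to `ingress` in both the `ConnectionDirection == "1"` branch and the `!= "1"` branch, although the second branch swaps the endpoints so the local address becomes `source.ip` — by the package's own ECS definition (host point of view) that is `egress`. Change the second `set` to `value: egress`; as written every firewall match is searchable only as ingress, which silently hides outbound matches from any direction-based rule. The `!= "1"` condition also fires when `ConnectionDirection` is absent, so consider `if: ctx?.crowdstrike?.event?.ConnectionDirection != null && ctx.crowdstrike.event.ConnectionDirection != "1"` (mirrored on the sibling `set`/`convert` processors) rather than defaulting an unknown direction to an outbound flow. The `crowdstrike.event.Ipv` → `network.type` convert appears twice — drop one — and if `Ipv` is a bare version number rather than `ipv4`/`ipv6` the value will not match the lowercase `ipv4`/`ipv6` form the ECS description for `network.type` asks for.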
@@ -0,0 +1,27 @@ +--- +processors: + - set: + field: event.kind + value: alert + - append: + field: event.category + value: [malware] + - append: + field: event.type + value: [info] + - set: + field: event.action + value: incident + - set: + field: agent.type + value: falcon + - convert: + field: crowdstrike.event.FalconHostLink + target_field: event.url + type: string + ignore_failure: true + ignore_missing: true + - set: + field: message + value: "Incident score {{crowdstrike.event.FineScore}}" + if: ctx?.crowdstrike?.event?.FineScore != null diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml new file mode 100755 index 0000000000..7415f62e1d --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml @@ -0,0 +1,23 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [network, session] + - append: + field: event.action + value: [remote_response_session_end_event] + - append: + field: event.type + value: [end] + - set: + field: message + value: Remote response session ended. + - convert: + field: crowdstrike.event.HostnameField + target_field: host.name + type: string + ignore_failure: true + ignore_missing: true diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml new file mode 100755 index 0000000000..d965bd8ac7 --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml 
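Review bot: The remote_response_session_end pipeline records only the host (`HostnameField` → `host.name`) and a fixed message; nothing identifies who ran the Real Time Response session, so `user.name` stays empty and the default pipeline's `related.user` append never fires for these events. RTR sessions are a privileged remote-shell path into an endpoint and are exactly the events an analyst pivots on by operator, so if the raw event carries the operator or a session identifier (the crowdstrike.event field list is cut off before any RTR fields in this chunk), map them with a `convert` to `user.name` alongside the `HostnameField` one. The session-start pipeline in the next file has the same shape and should be fixed together.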
@@ -0,0 +1,23 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [network, session] + - append: + field: event.action + value: [remote_response_session_start_event] + - append: + field: event.type + value: [start] + - set: + field: message + value: Remote response session started. + - convert: + field: crowdstrike.event.HostnameField + target_field: host.name + type: string + ignore_failure: true + ignore_missing: true diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml new file mode 100755 index 0000000000..7d03e0115b --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml @@ -0,0 +1,27 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [iam] + - append: + field: event.type + value: [change] + - set: + field: event.action + value: user_activity_audit_event + - convert: + field: crowdstrike.event.OperationName + target_field: message + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: crowdstrike.event.UserIp + target_field: source.ip + type: string + ignore_failure: true + ignore_missing: true + if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/fields/agent.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/fields/agent.yml 
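Review bot: user_activity_audit maps only `OperationName` → `message` and `UserIp` → `source.ip`; the acting user is never mapped, so an IAM audit event (`event.category: iam`) carries no `user.name` / `user.email` and the `related.user` append in the default pipeline is a no-op for it. If the raw event carries the actor as a field (the crowdstrike.event field list is cut off before the audit fields in this chunk), add a `convert` to `user.name` or `user.email` next to the `UserIp` one. Also, `event.type` is hard-coded to `[change]` for every operation; if `OperationName` covers read-only or login operations those would be `access` / `start`, so a `set` keyed on `OperationName` is more accurate than a blanket `change`.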
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
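Review bot: `host.name` and `container.id` are declared here (agent.yml) and again in ecs.yml later in this commit, both as `keyword`; duplicate field definitions across a data stream's field files are at best redundant and, once the two copies drift (for example one gaining `multi_fields`), yield a mapping that depends on which file is loaded last. Remove one copy — the ecs.yml entries are the ECS-sourced ones, so drop `host.name` and `container.id` from agent.yml, or vice versa. agent.yml appears to be the shared agent-fields template, so the fix may belong in whatever produces it rather than in this package alone.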
diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/fields/base-fields.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/fields/base-fields.yml new file mode 100755 index 0000000000..8248c071b3 --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: crowdstrike +- name: event.dataset + type: constant_keyword + description: Event dataset + value: crowdstrike.falcon +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/fields/beats.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/fields/ecs.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/fields/ecs.yml new file mode 100755 index 0000000000..01f046a566 --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/fields/ecs.yml 
@@ -0,0 +1,237 @@ +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
+ name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: Short name or login of the user. 
+ multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + multi_fields: + - name: text + type: match_only_text + name: threat.technique.name + type: keyword +- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) + name: threat.tactic.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. 
+ Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Custom name of the agent. + This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. + If no name is given, the name is often left empty. + name: agent.name + type: keyword +- description: |- + Unique identifier of this agent (if one exists). + Example: For Beats this would be beat.id. + name: agent.id + type: keyword +- description: |- + Type of the agent. + The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + name: agent.type + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: The name of the rule or signature generating the event. 
+ name: rule.name + type: keyword +- description: The description of the rule generating the event. + name: rule.description + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + name: rule.ruleset + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
+ name: related.hosts + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Unique container id. + name: container.id + type: keyword diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/fields/fields.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/fields/fields.yml new file mode 100755 index 0000000000..f8b93a2aaf --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/falcon/fields/fields.yml 
@@ -0,0 +1,399 @@ +- name: crowdstrike.metadata + title: Metadata fields + type: group + fields: + - name: eventType + type: keyword + description: | + DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent + - name: eventCreationTime + type: date + description: | + The time this event occurred on the endpoint in UTC UNIX_MS format. + - name: offset + type: integer + description: | + Offset number that tracks the location of the event in stream. This is used to identify unique detection events. + - name: customerIDString + type: keyword + description: | + Customer identifier + - name: version + type: keyword + description: | + Schema version +- name: crowdstrike.event + title: Event fields + type: group + fields: + - name: ProcessStartTime + type: date + description: | + The process start time in UTC UNIX_MS format. + - name: ProcessEndTime + type: date + description: | + The process termination time in UTC UNIX_MS format. + - name: ProcessId + type: integer + description: | + Process ID related to the detection. + - name: ParentProcessId + type: integer + description: | + Parent process ID related to the detection. + - name: ComputerName + type: keyword + description: | + Name of the computer where the detection occurred. + - name: UserName + type: keyword + description: | + User name associated with the detection. + - name: DetectName + type: keyword + description: | + Name of the detection. + - name: DetectDescription + type: keyword + description: | + Description of the detection. + - name: Severity + type: integer + description: | + Severity score of the detection. + - name: SeverityName + type: keyword + description: | + Severity score text. + - name: FileName + type: keyword + description: | + File name of the associated process for the detection. 
+ - name: FilePath + type: keyword + description: | + Path of the executable associated with the detection. + - name: CommandLine + type: keyword + description: | + Executable path with command line arguments. + - name: SHA1String + type: keyword + description: | + SHA1 sum of the executable associated with the detection. + - name: SHA256String + type: keyword + description: | + SHA256 sum of the executable associated with the detection. + - name: MD5String + type: keyword + description: | + MD5 sum of the executable associated with the detection. + - name: MachineDomain + type: keyword + description: | + Domain for the machine associated with the detection. + - name: FalconHostLink + type: keyword + description: | + URL to view the detection in Falcon. + - name: SensorId + type: keyword + description: | + Unique ID associated with the Falcon sensor. + - name: DetectId + type: keyword + description: | + Unique ID associated with the detection. + - name: LocalIP + type: keyword + description: | + IP address of the host associated with the detection. + - name: MACAddress + type: keyword + description: | + MAC address of the host associated with the detection. + - name: Tactic + type: keyword + description: | + MITRE tactic category of the detection. + - name: Technique + type: keyword + description: | + MITRE technique category of the detection. + - name: Objective + type: keyword + description: | + Method of detection. + - name: PatternDispositionDescription + type: keyword + description: | + Action taken by Falcon. + - name: PatternDispositionValue + type: integer + description: | + Unique ID associated with action taken. + - name: PatternDispositionFlags + type: group + description: | + Flags indicating actions taken. 
+ fields: + - name: Detect + type: boolean + - name: InddetMask + type: boolean + - name: Indicator + type: boolean + - name: KillParent + type: boolean + - name: KillProcess + type: boolean + - name: KillSubProcess + type: boolean + - name: OperationBlocked + type: boolean + - name: PolicyDisabled + type: boolean + - name: ProcessBlocked + type: boolean + - name: QuarantineFile + type: boolean + - name: QuarantineMachine + type: boolean + - name: Rooting + type: boolean + - name: SensorOnly + type: boolean + - name: BootupSafeguardEnabled + type: boolean + - name: CriticalProcessDisabled + type: boolean + - name: FsOperationBlocked + type: boolean + - name: RegistryOperationBlocked + type: boolean + - name: State + type: keyword + description: | + Whether the incident summary is open and ongoing or closed. + - name: IncidentStartTime + type: date + description: | + Start time for the incident in UTC UNIX format. + - name: IncidentEndTime + type: date + description: | + End time for the incident in UTC UNIX format. + - name: FineScore + type: float + description: | + Score for incident. + - name: UserId + type: keyword + description: | + Email address or user ID associated with the event. + - name: UserIp + type: keyword + description: | + IP address associated with the user. + - name: OperationName + type: keyword + description: | + Event subtype. + - name: ServiceName + type: keyword + description: | + Service associated with this event. + - name: Success + type: boolean + description: | + Indicator of whether or not this event was successful. + - name: UTCTimestamp + type: date + description: | + Timestamp associated with this event in UTC UNIX format. + - name: AuditKeyValues + type: nested + description: | + Fields that were changed in this event. + - name: ExecutablesWritten + type: nested + description: | + Detected executables written to disk by a process. + - name: SessionId + type: keyword + description: | + Session ID of the remote response session. 
+ - name: HostnameField + type: keyword + description: | + Host name of the machine for the remote session. + - name: StartTimestamp + type: date + description: | + Start time for the remote session in UTC UNIX format. + - name: EndTimestamp + type: date + description: | + End time for the remote session in UTC UNIX format. + - name: LateralMovement + type: long + description: | + Lateral movement field for incident. + - name: ParentImageFileName + type: keyword + description: | + Path to the parent process. + - name: ParentCommandLine + type: keyword + description: | + Parent process command line arguments. + - name: GrandparentImageFileName + type: keyword + description: | + Path to the grandparent process. + - name: GrandparentCommandLine + type: keyword + description: | + Grandparent process command line arguments. + - name: IOCType + type: keyword + description: | + CrowdStrike type for indicator of compromise. + - name: IOCValue + type: keyword + description: | + CrowdStrike value for indicator of compromise. + - name: CustomerId + type: keyword + description: | + Customer identifier. + - name: DeviceId + type: keyword + description: | + Device on which the event occurred. + - name: Ipv + type: keyword + description: | + Protocol for network request. + - name: ConnectionDirection + type: keyword + description: | + Direction for network connection. + - name: EventType + type: keyword + description: | + CrowdStrike provided event type. + - name: HostName + type: keyword + description: | + Host name of the local machine. + - name: ICMPCode + type: keyword + description: | + RFC2780 ICMP Code field. + - name: ICMPType + type: keyword + description: | + RFC2780 ICMP Type field. + - name: ImageFileName + type: keyword + description: | + File name of the associated process for the detection. + - name: PID + type: long + description: | + Associated process id for the detection. + - name: LocalAddress + type: ip + description: | + IP address of local machine. 
+ - name: LocalPort + type: long + description: | + Port of local machine. + - name: RemoteAddress + type: ip + description: | + IP address of remote machine. + - name: RemotePort + type: long + description: | + Port of remote machine. + - name: RuleAction + type: keyword + description: | + Firewall rule action. + - name: RuleDescription + type: keyword + description: | + Firewall rule description. + - name: RuleFamilyID + type: keyword + description: | + Firewall rule family id. + - name: RuleGroupName + type: keyword + description: | + Firewall rule group name. + - name: RuleName + type: keyword + description: | + Firewall rule name. + - name: RuleId + type: keyword + description: | + Firewall rule id. + - name: MatchCount + type: long + description: | + Number of firewall rule matches. + - name: MatchCountSinceLastReport + type: long + description: | + Number of firewall rule matches since the last report. + - name: Timestamp + type: date + description: | + Firewall rule triggered timestamp. + - name: Flags.Audit + type: boolean + description: | + CrowdStrike audit flag. + - name: Flags.Log + type: boolean + description: | + CrowdStrike log flag. + - name: Flags.Monitor + type: boolean + description: | + CrowdStrike monitor flag. + - name: Protocol + type: keyword + description: | + CrowdStrike provided protocol. + - name: NetworkProfile + type: keyword + description: | + CrowdStrike network profile. + - name: PolicyName + type: keyword + description: | + CrowdStrike policy name. + - name: PolicyID + type: keyword + description: | + CrowdStrike policy id. + - name: Status + type: keyword + description: | + CrowdStrike status. + - name: TreeID + type: keyword + description: | + CrowdStrike tree id. + - name: Commands + type: keyword + description: | + Commands run in a remote session. 
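Review bot: `LocalIP` and `UserIp` in the `crowdstrike.event` group are mapped as `keyword`, while `LocalAddress` and `RemoteAddress` in the same group are `ip`; keyword-typed addresses cannot be matched with CIDR or range queries, so detections and dashboards that filter by network range will silently miss events that only carry `LocalIP`/`UserIp`. If the source values are always plain addresses, `type: ip` for both would be consistent with the rest of the group; if the field can legitimately carry non-IP strings, keep `keyword` and state that in the description. The same inconsistency exists between `ProcessId`/`ParentProcessId` (`integer`) and `PID`/`LateralMovement` (`long`): if Falcon process identifiers can exceed the signed 32-bit range, documents carrying such values are rejected at index time, so `long` is the safer mapping unless the range is known to fit.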
diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/manifest.yml b/packages/crowdstrike/1.2.7/data_stream/falcon/manifest.yml
new file mode 100755
index 0000000000..29fc804f02
--- /dev/null
+++ b/packages/crowdstrike/1.2.7/data_stream/falcon/manifest.yml
@@ -0,0 +1,42 @@
+type: logs
+title: Crowdstrike falcon logs
+streams:
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/crowdstrike/falconhoseclient/output
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - crowdstrike-falcon
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: log.yml.hbs
+ title: Crowdstrike falcon logs (log)
+ description: Collect Crowdstrike falcon logs using log input
diff --git a/packages/crowdstrike/1.2.7/data_stream/falcon/sample_event.json b/packages/crowdstrike/1.2.7/data_stream/falcon/sample_event.json
new file mode 100755
index 0000000000..f0fb683bfc
--- /dev/null
+++ b/packages/crowdstrike/1.2.7/data_stream/falcon/sample_event.json
@@ -0,0 +1,109 @@ +{ + "@timestamp": "2020-02-12T21:29:10.710Z", + "agent": { + "ephemeral_id": "9060b4e5-b568-47b0-9a7b-62121df53ec9", + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "crowdstrike": { + "event": { + "AuditKeyValues": [ + { + "Key": "APIClientID", + "ValueString": "1234567890abcdefghijklmnopqr" + }, + { + "Key": "partition", + "ValueString": "0" + }, + { + "Key": "offset", + "ValueString": "-1" + }, + { + "Key": "appId", + "ValueString": "siem-connector-v2.0.0" + }, + { + "Key": "eventType", + "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]" + } + ], + "OperationName": "streamStarted", + "ServiceName": "Crowdstrike Streaming API", + "Success": true, + "UTCTimestamp": "2020-02-12T21:29:10.000Z", + "UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", + "UserIp": "10.10.0.8" + }, + "metadata": { + "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "eventCreationTime": "2020-02-12T21:29:10.710Z", + "eventType": "AuthActivityAuditEvent", + "offset": 0, + "version": "1.0" + } + }, + "data_stream": { + "dataset": "crowdstrike.falcon", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "authentication" + ], + "dataset": "crowdstrike.falcon", + "ingested": "2021-12-30T05:13:25Z", + "kind": "event", + "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": 
\"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}", + "outcome": "success", + "type": [ + "change" + ] + }, + "event.action": "stream_started", + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/falcon-audit-events.log" + }, + "flags": [ + "multiline" + ], + "offset": 910 + }, + "message": "Crowdstrike Streaming API", + "related": { + "ip": [ + "10.10.0.8" + ], + "user": [ + "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" + ] + }, + "source": { + "ip": "10.10.0.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "crowdstrike-falcon" + ], + "user": { + "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" + } +} \ No newline at end of file diff --git a/packages/crowdstrike/1.2.7/data_stream/fdr/agent/stream/aws-s3.yml.hbs b/packages/crowdstrike/1.2.7/data_stream/fdr/agent/stream/aws-s3.yml.hbs new file mode 100755 index 0000000000..bd89d34816 --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/fdr/agent/stream/aws-s3.yml.hbs 
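Review bot: `"event.action": "stream_started"` appears as a dotted top-level key instead of inside the `event` object that already holds `kind`, `outcome` and `type`, which suggests the falcon pipeline writes it through a literal dotted field name rather than the nested path. Elasticsearch indexes both spellings the same way, but anyone reading the sample, or any tool that consumes it as a plain JSON object, will not find `action` under `event`, and the two forms are easy to mistake for two different fields. Nesting it as `"action": "stream_started"` inside `"event"` in the sample, and checking the pipeline step that produces it, would make the sample match the mapping; I cannot see that pipeline step in this chunk.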
@@ -0,0 +1,57 @@
+queue_url: {{queue_url}}
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if visibility_timeout}}
+visibility_timeout: {{visibility_timeout}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if endpoint}}
+endpoint: {{endpoint}}
+{{/if}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if fips_enabled}}
+fips_enabled: {{fips_enabled}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+{{#if is_fdr_queue}}
+sqs.notification_parsing_script.source: {{fdr_parsing_script}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{else}}
+{{#if preserve_original_event}}
+tags:
+{{/if}}
+{{/if}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.2.7/data_stream/fdr/agent/stream/stream.yml.hbs b/packages/crowdstrike/1.2.7/data_stream/fdr/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..51174aef53
--- /dev/null
+++ b/packages/crowdstrike/1.2.7/data_stream/fdr/agent/stream/stream.yml.hbs
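Review bot: The string-valued settings are rendered as unquoted plain scalars (`queue_url: {{queue_url}}`, `endpoint: {{endpoint}}`, `proxy_url: {{proxy_url}}`, `shared_credential_file: {{shared_credential_file}}`, and the three credential fields), so a user-supplied value containing `: ` or ` #`, or starting with a YAML indicator, changes the structure of the rendered agent config or is cut off at the comment marker instead of being passed through verbatim. Quoting the string settings, e.g. `queue_url: "{{queue_url}}"` and `endpoint: "{{endpoint}}"`, keeps the rendered YAML well-formed; the numeric and boolean ones (`visibility_timeout`, `api_timeout`, `fips_enabled`) can stay plain. `{{#if proxy_url }}` also carries a stray space before the closing braces, unlike every other conditional in the file. The same doubled `tags:` construction (`{{#if tags.length}}` / `{{else}}{{#if preserve_original_event}}`) is repeated in stream.yml.hbs; if the package tooling offers an `or` helper, a single condition would read more clearly in both templates.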
@@ -0,0 +1,26 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+{{#if tags.length}}
+tags:
+{{else}}
+{{#if preserve_original_event}}
+tags:
+{{/if}}
+{{/if}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.2.7/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/1.2.7/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..f32974173f
--- /dev/null
+++ b/packages/crowdstrike/1.2.7/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,1298 @@ +--- +description: Pipeline for processing sample logs +processors: + ## Message decoding. + - rename: + tag: message-to-original + field: message + target_field: event.original + - json: + tag: json-decoding + description: Decodes original JSON into `crowdstrike` field. + field: event.original + target_field: crowdstrike + - date: + tag: date-timestamp + description: Parse timestamp from event. + field: crowdstrike.timestamp + target_field: event.created + formats: + - UNIX_MS + ignore_failure: true + - date: + tag: date-event-created + description: Parse timestamp from event. + field: crowdstrike.CreationTimeStamp + target_field: event.created + formats: + - UNIX + ignore_failure: true + if: ctx?.event?.created == null + - set: + tag: set-timestamp + field: "@timestamp" + copy_from: event.created + if: ctx?.event?.created != null && (ctx?.crowdstrike?.ContextTimeStamp == null || ctx?.crowdstrike?.ContextTimeStamp == "") + - date: + tag: date-context-timestamp + field: crowdstrike.ContextTimeStamp + formats: + - UNIX + ignore_failure: true + - rename: + tag: rename-message + field: crowdstrike.message + target_field: message + ignore_missing: true + + ## ECS fields. + - set: + field: ecs.version + value: "8.0.0" + + ## Categorization. + - script: + tag: script-categorize-events + description: Categorize events. 
+ lang: painless + source: |- + def c = [ + "AcUninstallConfirmation":["category":["package"],"type":["deletion"],"kind":"state","outcome":"success"], + "AcUnloadConfirmation":["category":["package"],"type":["deletion"],"kind":"state","outcome":"success"], + "AgentConnect":["category":["network","session"],"type":["connection","info"],"kind":"event","outcome":"success"], + "AgentOnline":["category":["configuration","package","host"],"type":["change","installation","start"],"kind":"state","outcome":"success"], + "AmsiRegistrationStatus":["category":["host"],"type":["info"],"kind":"state","outcome":"success"], + "AsepFileChange":["category":["file"],"type":["creation","change"],"kind":"event","outcome":"success"], + "AsepKeyUpdate":["category":["registry"],"type":["change"],"kind":"event","outcome":"success"], + "AsepValueUpdate":["category":["registry"],"type":["change"],"kind":"event","outcome":"success"], + "AssociateIndicator":["category":["malware"],"type":["info"],"kind":"alert","outcome":"unknown"], + "AssociateTreeIdWithRoot":["category":["malware"],"type":["info"],"kind":"alert","outcome":"success"], + "BITSJobCreated":["category":["network","file"],"type":["connection","creation"],"kind":"event","outcome":"success"], + "BZip2FileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "BehaviorWhitelisted":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "BrowserInjectedThread":["category":["process"],"type":["access","change"],"kind":"event","outcome":"success"], + "CloudAssociateTreeIdWithRoot":["category":["malware"],"type":["deletion"],"kind":"alert","outcome":"success"], + "CommandHistory":["category":["process"],"type":["end","info"],"kind":"event","outcome":"success"], + "ConfigStateUpdate":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "CrashNotification":["category":["host"],"type":["info"],"kind":"event","outcome":"failure"], + 
"CreateProcessArgs":["category":["process"],"type":["start"],"kind":"state","outcome":"success"], + "CreateService":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "CreateThreadNoStartImage":["category":["process"],"type":["start"],"kind":"event","outcome":"success"], + "CreateThreadReflectiveDll":["category":["process"],"type":["change"],"kind":"event","outcome":"success"], + "CriticalEnvironmentVariableChanged":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"], + "CriticalFileAccessed":["category":["file"],"type":["access"],"kind":"alert","outcome":"success"], + "CriticalFileModified":["category":["file"],"type":["change"],"kind":"alert","outcome":"success"], + "CurrentSystemTags":["category":["host"],"type":["info"],"kind":"state","outcome":"success"], + "CustomIOABasicProcessDetectionInfoEvent":["category":["malware"],"type":["info"],"kind":"alert","outcome":"unknown"], + "DCSyncAttempted":["category":["configuration","iam"],"type":["access"],"kind":"event","outcome":"unknown"], + "DcOffline":["category":["iam"],"type":["info"],"kind":"event","outcome":"success"], + "DcOnline":["category":["iam"],"type":["info"],"kind":"event","outcome":"success"], + "DcStatus":["category":["iam"],"type":["info"],"kind":"state","outcome":"success"], + "DetectAnalysis":["category":["malware"],"type":["info"],"kind":"alert","outcome":"success"], + "DetectionExcluded":["category":["configuration","malware"],"type":["change","info"],"kind":"alert","outcome":"success"], + "DirectoryCreate":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "DllInjection":["category":["process"],"type":["change"],"kind":"event","outcome":"success"], + "DmpFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "DnsRequest":["category":["network"],"type":["protocol"],"kind":"event","outcome":"success"], + 
"DocumentProgramInjectedThread":["category":["process"],"type":["access","change"],"kind":"event","outcome":"success"], + "DriverLoad":["category":["driver"],"type":["start"],"kind":"event","outcome":"success"], + "DwgFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "EarlyExploitPivotDetect":["category":["malware"],"type":["info"],"kind":"event","outcome":"unknown"], + "EndOfProcess":["category":["process"],"type":["end"],"kind":"event","outcome":"success"], + "ErrorEvent":["category":["package"],"type":["info"],"kind":"alert","outcome":"failure"], + "EtwErrorEvent":["category":["package","host"],"type":["info"],"kind":"event","outcome":"failure"], + "ExecutableDeleted":["category":["file"],"type":["deletion"],"kind":"event","outcome":"success"], + "FalconHostRegTamperingInfo":["category":["registry"],"type":["change"],"kind":"alert","outcome":"unknown"], + "FalconServiceStatus":["category":["package"],"type":["info"],"kind":"state","outcome":"unknown"], + "FileCreateInfo":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "FileDeleteInfo":["category":["file"],"type":["deletion"],"kind":"event","outcome":"success"], + "FileDetectInfo":["category":["file"],"type":["info"],"kind":"alert","outcome":"unknown"], + "FileInfo":["category":["file"],"type":["info"],"kind":"event","outcome":"unknown"], + "FileOpenInfo":["category":["file"],"type":["access"],"kind":"event","outcome":"success"], + "FileRenameInfo":["category":["file"],"type":["change"],"kind":"event","outcome":"success"], + "FileSystemOperationBlocked":["category":["file"],"type":["change","deletion"],"kind":"event","outcome":"failure"], + "FileSystemOperationDetectInfo":["category":["file"],"type":["change","deletion"],"kind":"alert","outcome":"unknown"], + "FileTimestampsModified":["category":["file"],"type":["change"],"kind":"event","outcome":"success"], + 
"FirewallChangeOption":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallDeleteRule":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallDeleteRuleIP4":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallDeleteRuleIP6":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallDisabled":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallEnabled":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallSetRule":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallSetRuleIP4":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirewallSetRuleIP6":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "FirmwareAnalysisErrorEvent":["category":["host"],"type":["info"],"kind":"state","outcome":"failure"], + "FirmwareAnalysisHardwareData":["category":["host"],"type":["info"],"kind":"state","outcome":"success"], + "FirmwareAnalysisStatus":["category":["host"],"type":["info"],"kind":"state","outcome":"success"], + "FlashThreadCreateProcess":["category":["process"],"type":["start"],"kind":"event","outcome":"success"], + "FsPostOpenSnapshotFile":["category":["file"],"type":["access"],"kind":"event","outcome":"success"], + "FsVolumeMounted":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "FsVolumeUnmounted":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "HostInfo":["category":["host"],"type":["info"],"kind":"event","outcome":"success"], + "HostedServiceStarted":["category":["package"],"type":["start"],"kind":"event","outcome":"success"], + "HostedServiceStopped":["category":["package"],"type":["end"],"kind":"event","outcome":"success"], 
+ "HostnameChanged":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "HttpRequestDetect":["category":["network","session"],"type":["connection","start"],"kind":"event","outcome":"success"], + "HttpVisibilityStatus":["category":["session"],"type":["info"],"kind":"state","outcome":"unknown"], + "IOServiceRegister":["category":["package"],"type":["change"],"kind":"event","outcome":"success"], + "ImageHash":["category":["process"],"type":["change"],"kind":"event","outcome":"success"], + "InjectedThread":["category":["process"],"type":["change"],"kind":"event","outcome":"success"], + "InjectedThreadFromUnsignedModule":["category":["process"],"type":["change"],"kind":"alert","outcome":"success"], + "InstallBundleDownloadComplete":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "InstallServiceDownloadComplete":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "InstalledApplication":["category":["package"],"type":["installation"],"kind":"event","outcome":"success"], + "InstalledUpdates":["category":["host","package"],"type":["change","installation"],"kind":"event","outcome":"success"], + "InstanceMetadata":["category":["host"],"type":["info"],"kind":"state","outcome":"unknown"], + "IoSessionConnected":["category":["session"],"type":["start"],"kind":"event","outcome":"success"], + "IoSessionLoggedOn":["category":["session"],"type":["end"],"kind":"event","outcome":"success"], + "JarFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "JavaClassFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "JavaInjectedThread":["category":["process"],"type":["change"],"kind":"event","outcome":"success"], + "KernelModeLoadImage":["category":["driver"],"type":["start"],"kind":"event","outcome":"success"], + "KextLoad":["category":["driver"],"type":["start"],"kind":"event","outcome":"success"], + 
"KextUnload":["category":["driver"],"type":["end"],"kind":"event","outcome":"success"], + "LFODownloadConfirmation":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "LfoUploadDataComplete":["category":["file"],"type":["change"],"kind":"event","outcome":"success"], + "LfoUploadDataFailed":["category":["file"],"type":["change"],"kind":"event","outcome":"failure"], + "LfoUploadDataUnneeded":["category":["file"],"type":["change"],"kind":"event","outcome":"failure"], + "LocalIpAddressIP4":["category":["configuration","host"],"type":["change"],"kind":"state","outcome":"success"], + "LocalIpAddressIP6":["category":["configuration","host"],"type":["change"],"kind":"state","outcome":"success"], + "LocalIpAddressRemovedIP4":["category":["configuration","host"],"type":["change"],"kind":"state","outcome":"success"], + "LocalIpAddressRemovedIP6":["category":["configuration","host"],"type":["change"],"kind":"state","outcome":"success"], + "LsassHandleFromUnsignedModule":["category":["process"],"type":["change"],"kind":"alert","outcome":"unknown"], + "MachOFileWritten":["category":["file"],"type":["change"],"kind":"event","outcome":"success"], + "ManifestDownloadComplete":["category":["configuration","file"],"type":["change","creation"],"kind":"event","outcome":"success"], + "ModifyServiceBinary":["category":["file"],"type":["change"],"kind":"alert","outcome":"unknown"], + "ModuleBlockedEvent":["category":["process","malware"],"type":["info","denied"],"kind":"alert","outcome":"success"], + "ModuleBlockedEventWithPatternId":["category":["process","malware"],"type":["info"],"kind":"event","outcome":"unknown"], + "ModuleDetectInfo":["category":["process","malware"],"type":["info"],"kind":"event","outcome":"unknown"], + "NeighborListIP4":["category":["host","network"],"type":["info"],"kind":"state","outcome":"unknown"], + "NeighborListIP6":["category":["host","network"],"type":["info"],"kind":"state","outcome":"unknown"], + 
"NetShareAdd":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "NetShareDelete":["category":["host"],"type":["change"],"kind":"event","outcome":"success"], + "NetShareSecurityModify":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"], + "NetworkCloseIP4":["category":["network"],"type":["end","connection"],"kind":"event","outcome":"unknown"], + "NetworkCloseIP6":["category":["network"],"type":["end","connection"],"kind":"event","outcome":"unknown"], + "NetworkConnectIP4":["category":["network"],"type":["start","connection"],"kind":"event","outcome":"unknown"], + "NetworkConnectIP6":["category":["network"],"type":["start","connection"],"kind":"event","outcome":"unknown"], + "NetworkListenIP4":["category":["network"],"type":["start"],"kind":"event","outcome":"success"], + "NetworkListenIP6":["category":["network"],"type":["start"],"kind":"event","outcome":"success"], + "NetworkReceiveAcceptIP4":["category":["network"],"type":["allowed","access","connection"],"kind":"event","outcome":"unknown"], + "NetworkReceiveAcceptIP6":["category":["network"],"type":["allowed","access","connection"],"kind":"event","outcome":"unknown"], + "NewExecutableRenamed":["category":["file"],"type":["change"],"kind":"event","outcome":"success"], + "NewExecutableWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "NewScriptWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "OciContainerTelemetry":["category":["host"],"type":["info"],"kind":"state","outcome":"unknown"], + "OleFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "OoxmlFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + "OsVersionInfo":["category":["host"],"type":["info"],"kind":"event","outcome":"success"], + "PackedExecutableWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"], + 
"PdfFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"],
+ "PeFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"],
+ "PeVersionInfo":["category":["file"],"type":["info"],"kind":"event","outcome":"success"],
+ "PrivilegedProcessHandleFromUnsignedModule":["category":["process"],"type":["access"],"kind":"alert","outcome":"success"],
+ "ProcessBlocked":["category":["process"],"type":["access"],"kind":"alert","outcome":"failure"],
+ "ProcessExecOnPackedExecutable":["category":["process","file"],"type":["access"],"kind":"alert","outcome":"success"],
+ "ProcessExecOnSMBFile":["category":["process","file","network"],"type":["access"],"kind":"alert","outcome":"success"],
+ "ProcessHandleOpDetectInfo":["category":["process","malware"],"type":["info"],"kind":"alert","outcome":"success"],
+ "ProcessInjection":["category":["process"],"type":["change"],"kind":"event","outcome":"success"],
+ "ProcessRollup2":["category":["process"],"type":["start"],"kind":"event","outcome":"success"],
+ "ProcessRollup2Stats":["category":["process"],"type":["info"],"kind":"state","outcome":"unknown"],
+ "ProcessSelfDeleted":["category":["process"],"type":["end"],"kind":"event","outcome":"success"],
+ "PromiscuousBindIP4":["category":["host"],"type":["change"],"kind":"state","outcome":"success"],
+ "PtyCreated":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"],
+ "QuarantineActionResult":["category":["file"],"type":["info"],"kind":"alert","outcome":"unknown"],
+ "QuarantinedFile":["category":["file"],"type":["change"],"kind":"alert","outcome":"unknown"],
+ "QuarantinedFileState":["category":["file"],"type":["info"],"kind":"alert","outcome":"unknown"],
+ "QueueApcEtw":["category":["file"],"type":["creation"],"kind":"alert","outcome":"success"],
+ "RansomwareCreateFile":["category":["file"],"type":["creation"],"kind":"alert","outcome":"success"],
+
"RansomwareFileAccessPattern":["category":["file"],"type":["access"],"kind":"alert","outcome":"success"],
+ "RansomwareOpenFile":["category":["file"],"type":["access"],"kind":"alert","outcome":"success"],
+ "RarFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"],
+ "RawBindIP4":["category":["network"],"type":["start","connection"],"kind":"event","outcome":"success"],
+ "RawBindIP6":["category":["network"],"type":["start","connection"],"kind":"event","outcome":"success"],
+ "ReflectiveDllOpenProcess":["category":["process"],"type":["access"],"kind":"alert","outcome":"success"],
+ "RegGenericValueUpdate":["category":["registry"],"type":["change"],"kind":"event","outcome":"success"],
+ "RegSystemConfigValueUpdate":["category":["registry","host","configuration"],"type":["change"],"kind":"event","outcome":"success"],
+ "RegisterRawInputDevicesEtw":["category":["host","configuration"],"type":["change"],"kind":"event","outcome":"success"],
+ "RegistryOperationDetectInfo":["category":["malware","registry"],"type":["info"],"kind":"alert","outcome":"success"],
+ "RemoteBruteForceDetectInfo":["category":["malware","authentication"],"type":["info"],"kind":"alert","outcome":"success"],
+ "RemovableDiskModuleLoadAttempt":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"],
+ "RemovableMediaVolumeMounted":["category":["configuration","host"],"type":["change"],"kind":"event","outcome":"success"],
+ "RtfFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"],
+ "SAMHashDumpFromUnsignedModule":["category":["registry","file"],"type":["access","creation"],"kind":"alert","outcome":"success"],
+ "ScheduledTaskDeleted":["category":["configuration"],"type":["deletion"],"kind":"event","outcome":"success"],
+ "ScheduledTaskModified":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"],
+
"ScheduledTaskRegistered":["category":["configuration"],"type":["creation"],"kind":"event","outcome":"success"],
+ "ScreenshotTakenEtw":["category":["process"],"type":["access"],"kind":"event","outcome":"success"],
+ "ScriptControlBlocked":["category":["malware","file"],"type":["info"],"kind":"alert","outcome":"success"],
+ "ScriptControlDetectInfo":["category":["malware","file"],"type":["info"],"kind":"alert","outcome":"success"],
+ "ScriptControlErrorEvent":["category":["malware","file"],"type":["info"],"kind":"alert","outcome":"failure"],
+ "ScriptControlScanInfo":["category":["malware","file"],"type":["info"],"kind":"state","outcome":"success"],
+ "ScriptControlScanTelemetry":["category":["malware","file"],"type":["info"],"kind":"state","outcome":"success"],
+ "SensitiveWmiQuery":["category":["malware","process"],"type":["info"],"kind":"alert","outcome":"success"],
+ "SensorHeartbeat":["category":["package"],"type":["info"],"kind":"event","outcome":"success"],
+ "ServiceStarted":["category":["process"],"type":["start"],"kind":"event","outcome":"success"],
+ "SetWinEventHookEtw":["category":["host","configuration"],"type":["change"],"kind":"event","outcome":"success"],
+ "SevenZipFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"],
+ "SignInfoError":["category":["file"],"type":["info"],"kind":"state","outcome":"failure"],
+ "SignInfoWithCertAndContext":["category":["file"],"type":["info"],"kind":"state","outcome":"unknown"],
+ "SignInfoWithContext":["category":["file"],"type":["info"],"kind":"state","outcome":"unknown"],
+ "SmbClientNamedPipeConnectEtw":["category":["network"],"type":["connection"],"kind":"event","outcome":"success"],
+ "SmbClientShareClosedEtw":["category":["network"],"type":["connection","end"],"kind":"event","outcome":"success"],
+ "SmbClientShareOpenedEtw":["category":["network"],"type":["connection","start"],"kind":"event","outcome":"success"],
+
"SmbServerShareOpenedEtw":["category":["network"],"type":["connection","start"],"kind":"event","outcome":"success"],
+ "SmbServerV1AuditEtw":["category":["network"],"type":["connection"],"kind":"state","outcome":"unknown"],
+ "SnapshotVolumeMounted":["category":["host","configuration"],"type":["change"],"kind":"event","outcome":"success"],
+ "SuspiciousCreateSymbolicLink":["category":["malware","file"],"type":["creation","info"],"kind":"alert","outcome":"success"],
+ "SuspiciousDnsRequest":["category":["network"],"type":["start","protocol"],"kind":"alert","outcome":"success"],
+ "SuspiciousEseFileWritten":["category":["malware","file"],"type":["creation","info"],"kind":"alert","outcome":"success"],
+ "SuspiciousRegAsepUpdate":["category":["malware","registry","configuration"],"type":["change","info"],"kind":"alert","outcome":"success"],
+ "SuspiciousUserRemoteAPCAttempt":["category":["malware","process"],"type":["info"],"kind":"alert","outcome":"success"],
+ "SyntheticProcessRollup2":["category":["process"],"type":["start"],"kind":"event","outcome":"success"],
+ "SystemCapacity":["category":["host"],"type":["info"],"kind":"state","outcome":"success"],
+ "TarFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"],
+ "TelemetryCounters2":["category":["host"],"type":["info"],"kind":"state","outcome":"success"],
+ "TelemetryNetworkConnections":["category":["network"],"type":["connection"],"kind":"state","outcome":"success"],
+ "TelemetryStats":["category":["host"],"type":["info"],"kind":"state","outcome":"success"],
+ "TerminateProcess":["category":["process"],"type":["end"],"kind":"event","outcome":"success"],
+ "TokenImpersonated":["category":["process","authentication"],"type":["info","change"],"kind":"event","outcome":"success"],
+ "UACCOMElevation":["category":["process","authentication"],"type":["info","change"],"kind":"event","outcome":"success"],
+
"UACExeElevation":["category":["process","authentication"],"type":["info","change"],"kind":"event","outcome":"success"],
+ "UACMSIElevation":["category":["process","authentication"],"type":["info","change"],"kind":"event","outcome":"success"],
+ "UmppaErrorEvent":["category":["package"],"type":["info"],"kind":"event","outcome":"failure"],
+ "UnsignedModuleLoad":["category":["process"],"type":["change"],"kind":"alert","outcome":"success"],
+ "UpdateManifestDownloadComplete":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"],
+ "UserAccountAddedToGroup":["category":["configuration","iam"],"type":["change","group"],"kind":"event","outcome":"success"],
+ "UserAccountCreated":["category":["configuration","iam"],"type":["creation"],"kind":"event","outcome":"success"],
+ "UserAccountDeleted":["category":["configuration","iam"],"type":["deletion"],"kind":"event","outcome":"success"],
+ "UserExceptionDEP":["category":["process","malware"],"type":["info"],"kind":"alert","outcome":"success"],
+ "UserFontLoad":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"],
+ "UserIdentity":["category":["authentication","iam"],"type":["info","user"],"kind":"event","outcome":"success"],
+ "UserLogoff":["category":["authentication"],"type":["end"],"kind":"event","outcome":"success"],
+ "UserLogon":["category":["authentication"],"type":["start"],"kind":"event","outcome":"success"],
+ "UserLogonFailed":["category":["authentication"],"type":["start"],"kind":"event","outcome":"failure"],
+ "UserLogonFailed2":["category":["authentication"],"type":["start"],"kind":"event","outcome":"failure"],
+ "VolumeSnapshotCreated":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"],
+ "VolumeSnapshotDeleted":["category":["file"],"type":["deletion"],"kind":"event","outcome":"success"],
+ "WfpFilterTamperingFilterAdded":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"],
+
"WfpFilterTamperingFilterDeleted":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"],
+ "WmiCreateProcess":["category":["process"],"type":["start"],"kind":"event","outcome":"success"],
+ "WmiFilterConsumerBindingEtw":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"],
+ "WmiProviderRegistrationEtw":["category":["configuration"],"type":["change"],"kind":"event","outcome":"success"],
+ "WroteExeAndGeneratedServiceEvent":["category":["process"],"type":["access"],"kind":"alert","outcome":"success"],
+ "XarFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"],
+ "ZipFileWritten":["category":["file"],"type":["creation"],"kind":"event","outcome":"success"]
+ ];
+
+ def v = c.get(ctx?.crowdstrike?.event_simpleName);
+ if (v != null) {
+ for (def entry : v.entrySet()) {
+ ctx.event[entry.getKey().toString()] = entry.getValue();
+ }
+ }
+
+ ## Event fields.
+ - rename:
+ field: crowdstrike.id
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.event_simpleName
+ target_field: event.action
+ ignore_missing: true
+
+## Prepare data.
+ - script:
+ description: Convert all count fields to number.
+ lang: painless
+ source: |-
+ for (entry in ctx.crowdstrike.entrySet()) {
+ def key = entry.getKey().toString();
+ if (key.contains("Count") || key.contains("Port")) {
+ try {
+ ctx.crowdstrike[key] = Long.parseLong(entry.getValue().toString());
+ } catch (Exception e) {
+ }
+ }
+ }
+ - script:
+ description: Remove all 0's hashes.
+ lang: painless
+ params:
+ MD5HashData: md5
+ SHA1HashData: sha1
+ SHA256HashData: sha256
+ source: |-
+ def hashIsEmpty(String hash) {
+ if (hash == null || hash == "") {
+ return true;
+ }
+
+ Pattern emptyHashRegex = /^0*$/;
+ def matcher = emptyHashRegex.matcher(hash);
+
+ return matcher.matches();
+ }
+
+ def hashes = new HashMap();
+ def related = [
+ "hash": new ArrayList()
+ ];
+ for (entry in params.entrySet()) {
+ def key = entry.getKey().toString();
+ def value = ctx.crowdstrike[key];
+ ctx.crowdstrike.remove(key);
+ if (hashIsEmpty(value)) {
+ continue;
+ }
+
+ hashes[entry.getValue().toString()] = value;
+ related.hash.add(value);
+ }
+
+ ctx._temp = new HashMap();
+ ctx._temp.hashes = hashes;
+ if (related.hash.length > 0) {
+ ctx.related = related;
+ }
+
+ ## Observer fields.
+ - rename:
+ field: crowdstrike.aid
+ target_field: observer.serial_number
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: crowdstrike.aip
+ type: ip
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.aip
+ target_field: observer.ip
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: observer.address
+ copy_from: observer.ip
+ ignore_empty_value: true
+ - rename:
+ field: crowdstrike.AgentVersion
+ target_field: observer.version
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.ConfigBuild
+ target_field: observer.version
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: observer.vendor
+ value: crowdstrike
+ - set:
+ field: observer.type
+ value: agent
+ - append:
+ field: related.ip
+ value: "{{observer.ip}}"
+ allow_duplicates: false
+ if: ctx?.observer?.ip != null && ctx.observer.ip != ""
+ - append:
+ field: related.hosts
+ value: "{{observer.ip}}"
+ allow_duplicates: false
+ if: ctx?.observer?.ip != null && ctx.observer.ip != ""
+
+ ## Host fields.
+ - rename:
+ field: crowdstrike.ComputerName
+ target_field: host.hostname
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: host.name
+ copy_from: host.hostname
+ ignore_empty_value: true
+ ignore_failure: true
+ - append:
+ field: related.hosts
+ value: "{{host.name}}"
+ allow_duplicates: false
+ if: ctx.host?.name != null
+ - rename:
+ field: crowdstrike.City
+ target_field: host.geo.city_name
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.Continent
+ target_field: host.geo.continent_name
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.Country
+ target_field: host.geo.country_name
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.Timezone
+ target_field: host.geo.timezone
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.MachineDomain
+ target_field: host.domain
+ ignore_missing: true
+ ignore_failure: true
+
+ ## IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ ## IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+ ## OS fields.
+ - set:
+ field: os.type
+ value: linux
+ if: ctx?.crowdstrike?.event_platform != null && ctx?.crowdstrike?.event_platform == "Lin"
+ - set:
+ field: os.type
+ value: macos
+ if: ctx?.crowdstrike?.event_platform != null && ctx?.crowdstrike?.event_platform == "Mac"
+ - set:
+ field: os.type
+ value: windows
+ if: ctx?.crowdstrike?.event_platform != null && ctx?.crowdstrike?.event_platform == "Win"
+ - rename:
+ field: crowdstrike.OSVersionString
+ target_field: os.version
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.Version
+ target_field: os.version
+ ignore_missing: true
+ ignore_failure: true
+
+ ## Process fields.
+ - rename:
+ field: crowdstrike.CommandLine
+ target_field: process.command_line
+ ignore_missing: true
+ - script:
+ description: Implements Windows-like SplitCommandLine
+ lang: painless
+ if: ctx?.process?.command_line != null && ctx.process.command_line != "" && ctx?.os?.type != null
+ source: |-
+ // appendBSBytes appends n '\\' bytes to b and returns the resulting slice.
+ def appendBSBytes(StringBuilder b, int n) {
+ for (; n > 0; n--) {
+ b.append('\\');
+ }
+ return b;
+ }
+
+ // readNextArg splits command line string cmd into next
+ // argument and command line remainder.
+ def readNextArg(String cmd) {
+ def b = new StringBuilder();
+ boolean inquote;
+ int nslash;
+ for (; cmd.length() > 0; cmd = cmd.substring(1)) {
+ def c = cmd.charAt(0);
+ if (c == (char)' ' || c == (char)0x09) {
+ if (!inquote) {
+ return [
+ "arg": appendBSBytes(b, nslash).toString(),
+ "rest": cmd.substring(1)
+ ];
+ }
+ } else if (c == (char)'"') {
+ b = appendBSBytes(b, nslash/2);
+ if (nslash%2 == 0) {
+ // use "Prior to 2008" rule from
+ // http://daviddeley.com/autohotkey/parameters/parameters.htm
+ // section 5.2 to deal with double double quotes
+ if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') {
+ b.append(c);
+ cmd = cmd.substring(1);
+ }
+ inquote = !inquote;
+ } else {
+ b.append(c);
+ }
+ nslash = 0;
+ continue;
+ } else if (c == (char)'\\') {
+ nslash++;
+ continue;
+ }
+ b = appendBSBytes(b, nslash);
+ nslash = 0;
+ b.append(c);
+ }
+ return [
+ "arg": appendBSBytes(b, nslash).toString(),
+ "rest": ''
+ ];
+ }
+
+ // commandLineToArgv splits a command line into individual argument
+ // strings, following the Windows conventions documented
+ // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV
+ // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1
+ def commandLineToArgv(String cmd) {
+ def args = new ArrayList();
+ while (cmd.length() > 0) {
+ if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) {
+ cmd = cmd.substring(1);
+ continue;
+ }
+ def next = readNextArg(cmd);
+ cmd = next.rest;
+ args.add(next.arg);
+ }
+ return args;
+ }
+
+ ctx.process.args = commandLineToArgv(ctx.process.command_line);
+ ctx.process.args_count = ctx.process.args.length;
+
+ - rename:
+ field: crowdstrike.ImageFileName
+ target_field: process.executable
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.ExitCode
+ type: long
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.ExitCode
+ target_field: process.exit_code
+ ignore_missing: true
+ - script:
+ lang: painless
+ description: Calculate process.uptime
+ source: |-
+ def d1 = Float.parseFloat(ctx?.crowdstrike?.ProcessStartTime);
+ def d2 = Float.parseFloat(ctx?.crowdstrike?.ProcessEndTime);
+ if (ctx?.process == null) {
+ ctx.process = [];
+ }
+ ctx.process.uptime = (long) ((d2-d1)/1000);
+ if: ctx?.crowdstrike?.ProcessStartTime != null && ctx?.crowdstrike?.ProcessStartTime != "" && ctx?.crowdstrike?.ProcessEndTime != null && ctx?.crowdstrike?.ProcessEndTime != ""
+ - date:
+ field: crowdstrike.ProcessStartTime
+ target_field: crowdstrike.ProcessStartTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.ProcessStartTime != null && ctx?.crowdstrike?.ProcessStartTime != ""
+ - rename:
+ field: crowdstrike.ProcessStartTime
+ target_field: process.start
+ ignore_missing: true
+ if: ctx?.crowdstrike?.ProcessStartTime != ""
+ - date:
+ field: crowdstrike.ProcessEndTime
+ target_field: crowdstrike.ProcessEndTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.ProcessEndTime != null && ctx?.crowdstrike?.ProcessEndTime != ""
+ - rename:
+ field: crowdstrike.ProcessEndTime
+ target_field: process.end
+ ignore_missing: true
+ if: ctx?.crowdstrike?.ProcessEndTime != ""
+ - convert:
+ field: crowdstrike.RawProcessId
+ type: long
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.RawProcessId
+ target_field: process.pid
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.TargetProcessId
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.ParentProcessId
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.ParentBaseFileName
+ target_field: process.parent.name
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.ProcessGroupId
+ type: long
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.ProcessGroupId
+ target_field: process.pgid
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.ContextProcessId
+ target_field: process.entity_id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.process?.entity_id == null
+ - convert:
+ field: crowdstrike.ContextThreadId
+ type: long
+ ignore_missing: true
+ if: ctx?.process?.thread?.id == null
+ - rename:
+ field: crowdstrike.ContextThreadId
+ target_field: process.thread.id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.process?.thread?.id == null
+ - convert:
+ field: crowdstrike.EtwRawProcessId
+ type: long
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.EtwRawProcessId
+ target_field: process.pid
+ ignore_missing: true
+ if: ctx?.process?.pid == null
+ - convert:
+ field: crowdstrike.EtwRawThreadId
+ type: long
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.EtwRawThreadId
+ target_field: process.thread.id
+ ignore_missing: true
+ if: ctx?.process?.thread?.id == null
+ - rename:
+ field: crowdstrike.ServiceDisplayName
+ target_field: process.title
+ ignore_missing: true
+ - rename:
+ field: _temp.hashes
+ target_field: process.hash
+ if: ctx?.event?.action != null && (ctx.event.action.contains("Process") || ctx.event.action.contains("Service")) && ctx?._temp?.hashes != null && ctx?._temp?.hashes.size() > 0
+
+ ## User fields.
+ - rename:
+ field: crowdstrike.UID
+ target_field: user.id
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.GID
+ target_field: user.group.id
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.UserSid
+ target_field: user.id
+ ignore_missing: true
+ if: ctx?.user?.id == null || ctx.user.id == ""
+ - append:
+ field: user.roles
+ value: admin
+ if: ctx?.crowdstrike?.UserIsAdmin == "1"
+ - rename:
+ field: crowdstrike.UserName
+ target_field: user.name
+ ignore_missing: true
+ - split:
+ field: crowdstrike.UserPrincipal
+ target_field: "_temp.user_parts"
+ separator: '@'
+ if: ctx?.crowdstrike?.UserPrincipal != null
+ - rename:
+ field: crowdstrike.UserPrincipal
+ target_field: user.email
+ ignore_missing: true
+ - set:
+ field: user.domain
+ value: "{{_temp.user_parts.1}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+ - set:
+ field: user.full_name
+ value: "{{_temp.user_parts.0}}"
+ ignore_failure: true
+ ignore_empty_value: true
+ if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.user?.name != null
+ - append:
+ field: related.user
+ value: "{{user.full_name}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.user?.full_name != null
+
+ ## Networking fields.
+ - convert:
+ field: crowdstrike.LocalAddressIP4
+ type: ip
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.LocalAddressIP4
+ target_field: source.ip
+ ignore_missing: true
+ - set:
+ field: source.address
+ copy_from: source.ip
+ ignore_empty_value: true
+ - convert:
+ field: crowdstrike.LocalAddressIP6
+ type: ip
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.LocalAddressIP6
+ target_field: source.ip
+ ignore_missing: true
+ - set:
+ field: source.address
+ copy_from: source.ip
+ ignore_empty_value: true
+ - rename:
+ field: crowdstrike.LocalPort
+ target_field: source.port
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.RemoteAddressIP4
+ type: ip
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.RemoteAddressIP4
+ target_field: destination.ip
+ ignore_missing: true
+ - set:
+ field: destination.address
+ copy_from: destination.ip
+ ignore_empty_value: true
+ - convert:
+ field: crowdstrike.RemoteAddressIP6
+ type: ip
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.RemoteAddressIP6
+ target_field: destination.ip
+ ignore_missing: true
+ - set:
+ field: destination.address
+ copy_from: destination.ip
+ ignore_empty_value: true
+ - rename:
+ field: crowdstrike.RemotePort
+ target_field: destination.port
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.Protocol
+ target_field: network.iana_number
+ ignore_missing: true
+ - script:
+ lang: painless
+ ignore_failure: true
+ if: ctx?.network?.iana_number != null
+ source: |
+ def iana_number = ctx.network.iana_number;
+ if (iana_number == '0') {
+ ctx.network.transport = 'hopopt';
+ } else if (iana_number == '1') {
+ ctx.network.transport = 'icmp';
+ } else if (iana_number == '2') {
+ ctx.network.transport = 'igmp';
+ } else if (iana_number == '6') {
+ ctx.network.transport = 'tcp';
+ } else if (iana_number == '8') {
+ ctx.network.transport = 'egp';
+ } else if (iana_number == '17') {
+ ctx.network.transport = 'udp';
+ } else if (iana_number == '47') {
+
ctx.network.transport = 'gre';
+ } else if (iana_number == '50') {
+ ctx.network.transport = 'esp';
+ } else if (iana_number == '58') {
+ ctx.network.transport = 'ipv6-icmp';
+ } else if (iana_number == '112') {
+ ctx.network.transport = 'vrrp';
+ } else if (iana_number == '132') {
+ ctx.network.transport = 'sctp';
+ }
+ - set:
+ field: network.direction
+ value: outbound
+ if: ctx?.crowdstrike?.ConnectionDirection == "0"
+ - set:
+ field: network.direction
+ value: inbound
+ if: ctx?.crowdstrike?.ConnectionDirection == "1"
+ - set:
+ field: network.direction
+ value: unknown
+ if: ctx?.network?.direction == null && ctx?.crowdstrike?.ConnectionDirection != null && ctx.crowdstrike.ConnectionDirection != ""
+ - community_id:
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: ctx?.source?.ip != null && ctx.source.ip != ""
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ allow_duplicates: false
+ if: ctx?.destination?.ip != null && ctx.destination.ip != ""
+ - append:
+ field: related.hosts
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: ctx?.source?.ip != null && ctx.source.ip != ""
+ - append:
+ field: related.hosts
+ value: "{{destination.ip}}"
+ allow_duplicates: false
+ if: ctx?.destination?.ip != null && ctx.destination.ip != ""
+ - rename:
+ field: crowdstrike.PhysicalAddress
+ target_field: source.mac
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.DownloadServer
+ target_field: server.address
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.DownloadPath
+ target_field: url.path
+ ignore_missing: true
+
+ ## URL fields.
+ - set:
+ field: url.path
+ value: "/{{url.path}}"
+ if: ctx.url?.path != null && !ctx.url.path.startsWith("/")
+ - registered_domain:
+ field: server.address
+ target_field: server
+ ignore_missing: true
+ - set:
+ field: url.scheme
+ value: https
+ if: ctx?.crowdstrike?.DownloadPort == 443
+ - set:
+ field: url.scheme
+ value: http
+ if: ctx?.crowdstrike?.DownloadPort != 443
+ - set:
+ field: url.full
+ value: "{{url.scheme}}://{{server.address}}{{url.path}}"
+ if: ctx?.url?.scheme != null && ctx?.server?.address != null && ctx?.url?.path != null
+ - uri_parts:
+ field: url.full
+ ignore_failure: true
+ if: ctx.url?.full != null
+ - registered_domain:
+ field: url.domain
+ target_field: url
+ ignore_missing: true
+ ignore_failure: true
+
+ ## IP Geolocation Lookup
+ - geoip:
+ field: observer.ip
+ target_field: observer.geo
+ ignore_missing: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ ## IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+ ## DNS fields.
+ - set:
+ field: dns.type
+ value: query
+ if: ctx?.event?.action == "DnsRequest"
+ - registered_domain:
+ field: crowdstrike.DomainName
+ target_field: dns.question
+ ignore_missing: true
+ if: ctx?.event?.action == "DnsRequest"
+ - rename:
+ field: dns.question.domain
+ target_field: dns.question.name
+ ignore_missing: true
+ if: ctx?.event?.action == "DnsRequest"
+ - script:
+ description: Map decimal DNS request type to its name.
+ lang: painless
+ source: |-
+ def conversions = ["1": "A", "2": "NS", "5": "CNAME", "6": "SOA", "12": "PTR",
+ "13": "HINFO", "15": "MX", "16": "TXT", "17": "RP",
+ "18": "AFSDB", "24": "SIG", "25": "KEY", "28": "AAAA", "29": "LOC",
+ "33": "SRV", "35": "NAPTR", "36": "KX", "37": "CERT", "39": "DNAME",
+ "42": "APL", "43": "DS", "44": "SSHFP", "45": "IPSECKEY",
+ "46": "RRSIG", "47": "NSEC", "48": "DNSKEY", "49": "DHCID", "50": "NSEC3",
+ "51": "NSEC3PARAM", "52": "TLSA", "53": "SMIMEA", "55": "HIP", "59": "CDS",
+ "60": "CDNSKEY", "61": "OPENPGPKEY", "62": "CSYNC", "63": "ZONEMD",
+ "64": "SVCB", "65": "HTTPS", "108": "EUI48", "109": "EUI64", "249": "TKEY",
+ "250": "TSIG", "256": "URI", "257": "CAA", "32768": "TA", "32769": "DLV"];
+ def t = conversions[ctx.crowdstrike.RequestType];
+ if (t != null) {
+ if (ctx.dns?.question == null) {
+ ctx.dns.question = new HashMap();
+ }
+ ctx.dns.question.type = t;
+ ctx.crowdstrike.remove("RequestType");
+ }
+ if: ctx?.event?.action == "DnsRequest" && ctx?.crowdstrike?.RequestType != null && ctx.crowdstrike.RequestType != ""
+
+ ## File fields.
+ - convert:
+ field: crowdstrike.Size
+ type: long
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.Size
+ target_field: file.size
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.FileIdentifier
+ target_field: file.inode
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.SourceFileName
+ target_field: file.path
+ ignore_missing: true
+ - rename:
+ field: crowdstrike.TargetFileName
+ target_field: file.path
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: crowdstrike.DiskParentDeviceInstanceId
+ target_field: file.device
+ ignore_missing: true
+ - set:
+ field: file.type
+ value: file
+ if: ctx.file?.path != null && !ctx.event.action.contains("Directory")
+ - set:
+ field: file.type
+ value: dir
+ if: ctx.file?.path != null && (ctx.event.action.contains("Directory") || ctx.file.path.endsWith("\\") || ctx.file.path.endsWith("/"))
+ - script:
+ description: Adds file information.
+ lang: painless
+ if: ctx?.file?.path != null && ctx.file.path.length() > 1
+ source: |-
+ def removeSuffix(String s, String suffix) {
+ if (s != null && suffix != null && s.endsWith(suffix)) {
+ return s.substring(0, s.length() - suffix.length());
+ }
+ return s;
+ }
+
+ def path = removeSuffix(ctx.file.path, "/");
+ path = removeSuffix(path, "\\");
+ def idx = path.lastIndexOf("\\");
+ if (idx == -1) {
+ idx = path.lastIndexOf("/");
+ }
+ if (idx > -1) {
+ if (ctx?.file == null) {
+ ctx.file = new HashMap();
+ }
+ ctx.file.name = path.substring(idx+1);
+ ctx.file.directory = path.substring(0, idx);
+
+ def extIdx = ctx.file.name.lastIndexOf(".");
+ if (extIdx > -1 && ctx.file.type == "file") {
+ ctx.file.extension = ctx.file.name.substring(extIdx+1);
+ }
+ }
+ if (path.charAt(1) == ":") {
+ ctx.file.drive_letter = path.charAt(0).toUpperCase();
+ }
+ - rename:
+ field: _temp.hashes
+ target_field: file.hash
+ if: ctx?.event?.action != null && (ctx.event.action.contains("File") || ctx.event.action.contains("Directory") ||
ctx.event.action.contains("Executable")) && ctx?._temp?.hashes != null && ctx?._temp?.hashes.size() > 0
+
+ ## Crowdstrike fields.
+ - split:
+ field: crowdstrike.FalconGroupingTags
+ separator: ",\\s?"
+ ignore_missing: true
+ ignore_failure: true
+ - split:
+ field: crowdstrike.SensorGroupingTags
+ separator: ",\\s?"
+ ignore_missing: true
+ ignore_failure: true
+ - split:
+ field: crowdstrike.Tags
+ separator: ",\\s?"
+ ignore_missing: true
+ ignore_failure: true
+ - split:
+ field: crowdstrike.CallStackModuleNames
+ separator: "\\|"
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: crowdstrike.UserTime
+ type: long
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.KernelTime
+ type: long
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.CycleTime
+ type: long
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: "{{crowdstrike.ConfigStateHash}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?.crowdstrike?.ConfigStateHash != null && ctx.crowdstrike.ConfigStateHash != ""
+ - trim:
+ field: crowdstrike.BootArgs
+ ignore_missing: true
+ - split:
+ field: crowdstrike.BootArgs
+ separator: '\s+'
+ ignore_missing: true
+ - date:
+ field: crowdstrike.LogonTime
+ target_field: crowdstrike.LogonTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.LogonTime != null && ctx?.crowdstrike?.LogonTime != ""
+ - date:
+ field: crowdstrike.LogoffTime
+ target_field: crowdstrike.LogoffTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.LogoffTime != null && ctx?.crowdstrike?.LogoffTime != ""
+ - date:
+ field: crowdstrike.ConnectTime
+ target_field: crowdstrike.ConnectTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.ConnectTime != null && ctx?.crowdstrike?.ConnectTime != ""
+ - date:
+ field: crowdstrike.PreviousConnectTime
+ target_field: crowdstrike.PreviousConnectTime
+ formats:
+ - UNIX
+ if: ctx?.crowdstrike?.PreviousConnectTime != null && ctx?.crowdstrike?.PreviousConnectTime != ""
+ - date:
+ field: crowdstrike.AgentLocalTime
+ target_field: crowdstrike.AgentLocalTime + formats: + - UNIX + if: ctx?.crowdstrike?.AgentLocalTime != null && ctx?.crowdstrike?.AgentLocalTime != "" + - date: + field: crowdstrike.FirstSeen + target_field: crowdstrike.FirstSeen + formats: + - UNIX + if: ctx?.crowdstrike?.FirstSeen != null && ctx?.crowdstrike?.FirstSeen != "" + - date: + field: crowdstrike.Time + target_field: crowdstrike.Time + formats: + - UNIX + if: ctx?.crowdstrike?.Time != null && ctx?.crowdstrike?.Time != "" + - date: + field: crowdstrike.BiosReleaseDate + target_field: crowdstrike.BiosReleaseDate + formats: + - MM/dd/yyyy + - strict_date_optional_time + if: ctx?.crowdstrike?.BiosReleaseDate != null && ctx?.crowdstrike?.BiosReleaseDate != "" + - convert: + field: crowdstrike.AgentTimeOffset + target_field: crowdstrike.AgentTimeOffset + type: float + ignore_missing: true + - convert: + field: crowdstrike.Timeout + type: long + ignore_missing: true + - convert: + field: crowdstrike.PhysicalAddressLength + type: long + ignore_missing: true + - convert: + field: crowdstrike.InterfaceIndex + type: long + ignore_missing: true + - convert: + field: crowdstrike.NetLuidIndex + type: long + ignore_missing: true + - convert: + field: crowdstrike.AttemptNumber + type: long + ignore_missing: true + - convert: + field: crowdstrike.SystemTableIndex + type: long + ignore_missing: true + - split: + field: crowdstrike.NeighborList + separator: '\|' + ignore_missing: true + - split: + field: crowdstrike.ConfigStateData + separator: '\|' + ignore_missing: true + - append: + field: related.hosts + value: "{{crowdstrike.LogonServer}}" + allow_duplicates: false + if: ctx?.crowdstrike?.LogonServer != null + - append: + field: related.hosts + value: "{{crowdstrike.ClientComputerName}}" + allow_duplicates: false + if: ctx?.crowdstrike?.ClientComputerName != null + + ## Cleanup. 
+ - remove: + field: crowdstrike.event_platform + ignore_missing: true + ignore_failure: true + if: ctx?.os?.type != null + - remove: + field: + - _temp + - crowdstrike.timestamp + - crowdstrike._time + - crowdstrike.ContextTimeStamp + - crowdstrike.CreationTimeStamp + - crowdstrike.DomainName + - crowdstrike.ConnectionDirection + - crowdstrike.UserIsAdmin + - crowdstrike.TargetDirectoryName + ignore_missing: true + ignore_failure: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: + - set: + field: error.message + value: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message {{ _ingest.on_failure_message }}" diff --git a/packages/crowdstrike/1.2.7/data_stream/fdr/fields/base-fields.yml b/packages/crowdstrike/1.2.7/data_stream/fdr/fields/base-fields.yml new file mode 100755 index 0000000000..b701d8325a --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/fdr/fields/base-fields.yml 
@@ -0,0 +1,24 @@ +- name: input.type + type: keyword +- name: log.offset + type: long +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: crowdstrike +- name: event.dataset + type: constant_keyword + description: Event dataset + value: crowdstrike.fdr +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/crowdstrike/1.2.7/data_stream/fdr/fields/ecs.yml b/packages/crowdstrike/1.2.7/data_stream/fdr/fields/ecs.yml new file mode 100755 index 0000000000..809cf186c6 --- /dev/null +++ b/packages/crowdstrike/1.2.7/data_stream/fdr/fields/ecs.yml 
@@ -0,0 +1,506 @@ +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. 
+ For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. + If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
+ name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. 
"Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Device that is the source of the file. + name: file.device + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: host.geo.city_name + type: keyword +- description: Name of the continent. + name: host.geo.continent_name + type: keyword +- description: Country name. 
+ name: host.geo.country_name + type: keyword +- description: The time zone of the location, such as IANA time zone name. + name: host.geo.timezone + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
+ name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: City name. + name: observer.geo.city_name + type: keyword +- description: Name of the continent. + name: observer.geo.continent_name + type: keyword +- description: Country ISO code. + name: observer.geo.country_iso_code + type: keyword +- description: Country name. + name: observer.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: observer.geo.location + type: geo_point +- description: Region ISO code. + name: observer.geo.region_iso_code + type: keyword +- description: Region name. + name: observer.geo.region_name + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: Observer serial number. + name: observer.serial_number + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. + One of these following values should be used (lowercase): linux, macos, unix, windows. 
+ If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + name: os.type + type: keyword +- description: Operating system version as a raw string. + name: os.version + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + The exit code of the process, if this is a termination event. + The field should be absent if there is no exit code for the event (e.g. process start). + name: process.exit_code + type: long +- description: MD5 hash. 
+ name: process.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: Identifier of the group of processes the process belongs to. + name: process.pgid + type: long +- description: Process id. + name: process.pid + type: long +- description: The time the process started. + name: process.start + type: date +- description: Thread ID. + name: process.thread.id + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: Seconds the process has been up. + name: process.uptime + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: Port of the source. 
+ name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. 
+ name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/crowdstrike/1.2.7/data_stream/fdr/fields/fields.yml b/packages/crowdstrike/1.2.7/data_stream/fdr/fields/fields.yml new file mode 100755 index 0000000000..859c5e6f2b --- /dev/null 
+++ b/packages/crowdstrike/1.2.7/data_stream/fdr/fields/fields.yml 
@@ -0,0 +1,597 @@
+- name: observer.address
+ type: keyword
+- name: crowdstrike
+ type: group
+ fields:
+ - name: AgentTimeOffset
+ type: float
+ - name: AllocateVirtualMemoryCount
+ type: long
+ - name: ApiReturnValue
+ type: keyword
+ - name: ArchiveFileWrittenCount
+ type: long
+ - name: AsepWrittenCount
+ type: long
+ - name: AuthenticationId
+ type: keyword
+ - name: AuthenticationPackage
+ type: keyword
+ - name: BinaryExecutableWrittenCount
+ type: long
+ - name: BootArgs
+ type: keyword
+ - name: BundleID
+ type: keyword
+ - name: CLICreationCount
+ type: long
+ - name: CallStackModuleNames
+ type: keyword
+ - name: CallStackModuleNamesVersion
+ type: version
+ - name: ClientComputerName
+ type: keyword
+ - name: CompletionEventId
+ type: keyword
+ - name: ConfigBuild
+ type: keyword
+ - name: ConHostId
+ type: keyword
+ - name: ConHostProcessId
+ type: keyword
+ - name: ConfigStateHash
+ type: keyword
+ - name: ConnectionFlags
+ type: keyword
+ - name: ContextProcessId
+ type: keyword
+ - name: CreateProcessCount
+ type: long
+ - name: CreateProcessType
+ type: keyword
+ - name: CycleTime
+ type: long
+ - name: DesiredAccess
+ type: keyword
+ - name: DirectoryCreatedCount
+ type: long
+ - name: DirectoryEnumeratedCount
+ type: long
+ - name: DnsRequestCount
+ type: long
+ - name: DocumentFileWrittenCount
+ type: long
+ - name: DownloadPath
+ type: keyword
+ - name: DownloadPort
+ type: long
+ - name: DownloadServer
+ type: keyword
+ - name: DualRequest
+ type: keyword
+ - name: EffectiveTransmissionClass
+ type: keyword
+ - name: EnabledPrivilegesBitmask
+ type: keyword
+ - name: Entitlements
+ type: keyword
+ - name: ExeAndServiceCount
+ type: long
+ - name: ExecutableDeletedCount
+ type: long
+ - name: FalconGroupingTags
+ type: keyword
+ - name: FileAttributes
+ type: keyword
+ - name: FileDeletedCount
+ type: long
+ - name: FileEcpBitmask
+ type: keyword
+ - name: FileObject
+ type: keyword
+ - name: FirstSeen
+ type: date
+ - name: Flags
+ type: 
keyword
+ - name: GenericFileWrittenCount
+ type: long
+ - name: GrandParentBaseFileName
+ type: keyword
+ - name: HostHiddenStatus
+ type: keyword
+ - name: ImageSubsystem
+ type: keyword
+ - name: InContext
+ type: keyword
+ - name: Information
+ type: keyword
+ - name: InjectedDllCount
+ type: long
+ - name: InjectedThreadCount
+ type: long
+ - name: IntegrityLevel
+ type: keyword
+ - name: InterfaceGuid
+ type: keyword
+ - name: InterfaceIndex
+ type: long
+ - name: InterfaceVersion
+ type: keyword
+ - name: IrpFlags
+ type: keyword
+ - name: IsOnNetwork
+ type: keyword
+ - name: IsOnRemovableDisk
+ type: keyword
+ - name: IsTransactedFile
+ type: keyword
+ - name: KernelTime
+ type: long
+ - name: LogoffTime
+ type: date
+ - name: LogonDomain
+ type: keyword
+ - name: LogonId
+ type: keyword
+ - name: LogonServer
+ type: keyword
+ - name: LogonTime
+ type: date
+ - name: LogonType
+ type: keyword
+ - name: MachOSubType
+ type: keyword
+ - name: MajorFunction
+ type: keyword
+ - name: MaxThreadCount
+ type: long
+ - name: MinorFunction
+ type: keyword
+ - name: ModuleLoadCount
+ type: long
+ - name: NDRoot
+ type: keyword
+ - name: NetworkBindCount
+ type: long
+ - name: NetworkCapableAsepWriteCount
+ type: long
+ - name: NetworkCloseCount
+ type: long
+ - name: NetworkConnectCount
+ type: long
+ - name: NetworkConnectCountUdp
+ type: long
+ - name: NetworkListenCount
+ type: long
+ - name: NetworkModuleLoadCount
+ type: long
+ - name: NetworkRecvAcceptCount
+ type: long
+ - name: NewExecutableWrittenCount
+ type: long
+ - name: NewFileIdentifier
+ type: keyword
+ - name: OperationFlags
+ type: keyword
+ - name: Options
+ type: keyword
+ - name: OU
+ type: keyword
+ - name: ParentAuthenticationId
+ type: keyword
+ - name: PasswordLastSet
+ type: keyword
+ - name: PhysicalAddressLength
+ type: long
+ - name: PointerSize
+ type: keyword
+ - name: PrivilegedProcessHandleCount
+ type: long
+ - name: PrivilegesBitmask
+ type: keyword
+ - name: ProcessCreateFlags
+ 
type: keyword
+ - name: ProcessParameterFlags
+ type: keyword
+ - name: ProcessSxsFlags
+ type: keyword
+ - name: ProductType
+ type: keyword
+ - name: ProtectVirtualMemoryCount
+ type: long
+ - name: QueueApcCount
+ type: long
+ - name: RGID
+ type: keyword
+ - name: RUID
+ type: keyword
+ - name: RegKeySecurityDecreasedCount
+ type: long
+ - name: RemoteAccount
+ type: keyword
+ - name: RemovableDiskFileWrittenCount
+ type: long
+ - name: RequestType
+ type: keyword
+ - name: RpcClientProcessId
+ type: keyword
+ - name: RpcClientThreadId
+ type: keyword
+ - name: RpcNestingLevel
+ type: keyword
+ - name: RpcOpNum
+ type: keyword
+ - name: RunDllInvocationCount
+ type: long
+ - name: SVGID
+ type: keyword
+ - name: SVUID
+ type: keyword
+ - name: ScreenshotsTakenCount
+ type: long
+ - name: ScriptEngineInvocationCount
+ type: long
+ - name: SensorGroupingTags
+ type: keyword
+ - name: ServiceDisplayName
+ type: keyword
+ - name: ServiceEventCount
+ type: long
+ - name: ServicePackMajor
+ type: keyword
+ - name: SessionId
+ type: keyword
+ - name: SessionProcessId
+ type: keyword
+ - name: SetThreadContextCount
+ type: long
+ - name: ShareAccess
+ type: keyword
+ - name: Size
+ type: long
+ - name: SiteName
+ type: keyword
+ - name: SnapshotFileOpenCount
+ type: long
+ - name: SourceFileName
+ type: keyword
+ - name: SourceProcessId
+ type: keyword
+ - name: SourceThreadId
+ type: keyword
+ - name: Status
+ type: keyword
+ - name: SubStatus
+ type: keyword
+ - name: SuspectStackCount
+ type: long
+ - name: SuspiciousCredentialModuleLoadCount
+ type: long
+ - name: SuspiciousDnsRequestCount
+ type: long
+ - name: SuspiciousFontLoadCount
+ type: long
+ - name: SuspiciousRawDiskReadCount
+ type: long
+ - name: Tags
+ type: keyword
+ - name: TargetThreadId
+ type: keyword
+ - name: Time
+ type: date
+ - name: Timeout
+ type: long
+ - name: TokenType
+ type: keyword
+ - name: UnixMode
+ type: keyword
+ - name: UnsignedModuleLoadCount
+ type: long
+ - name: UserFlags
+ 
type: keyword
+ - name: UserGroupsBitmask
+ type: keyword
+ - name: UserLogoffType
+ type: keyword
+ - name: UserLogonFlags
+ type: keyword
+ - name: UserMemoryAllocateExecutableCount
+ type: long
+ - name: UserMemoryAllocateExecutableRemoteCount
+ type: long
+ - name: UserMemoryProtectExecutableCount
+ type: long
+ - name: UserMemoryProtectExecutableRemoteCount
+ type: long
+ - name: UserTime
+ type: long
+ - name: VnodeModificationType
+ type: keyword
+ - name: VnodeType
+ type: keyword
+ - name: VolumeDeviceCharacteristics
+ type: keyword
+ - name: VolumeDeviceObjectFlags
+ type: keyword
+ - name: VolumeDeviceType
+ type: keyword
+ - name: VolumeDriveLetter
+ type: keyword
+ - name: VolumeFileSystemDevice
+ type: keyword
+ - name: VolumeFileSystemDriver
+ type: keyword
+ - name: VolumeFileSystemType
+ type: keyword
+ - name: VolumeIsEncrypted
+ type: keyword
+ - name: VolumeIsNetwork
+ type: keyword
+ - name: VolumeMountPoint
+ type: keyword
+ - name: VolumeName
+ type: keyword
+ - name: VolumeRealDeviceName
+ type: keyword
+ - name: VolumeSectorSize
+ type: keyword
+ - name: cid
+ type: keyword
+ - name: name
+ type: keyword
+ - name: AgentLoadFlags
+ type: keyword
+ - name: AgentLocalTime
+ type: date
+ - name: AgentVersion
+ type: keyword
+ - name: AttemptNumber
+ type: long
+ - name: AuthenticationUuid
+ type: keyword
+ - name: AuthenticationUuidAsString
+ type: keyword
+ - name: BiosManufacturer
+ type: keyword
+ - name: BiosReleaseDate
+ type: date
+ - name: BiosVersion
+ type: keyword
+ - name: BootTimeFunctionalityLevel
+ type: keyword
+ - name: BoundedCount
+ type: long
+ - name: ChannelDiffStatus
+ type: keyword
+ - name: ChannelId
+ type: keyword
+ - name: ChannelVersion
+ type: keyword
+ - name: ChannelVersionRequired
+ type: keyword
+ - name: ChasisManufacturer
+ type: keyword
+ - name: ChassisType
+ type: keyword
+ - name: ConfigIDBase
+ type: keyword
+ - name: ConfigIDBuild
+ type: keyword
+ - name: ConfigIDPlatform
+ type: keyword
+ - name: 
ConfigStateData
+ type: keyword
+ - name: ConfigurationVersion
+ type: keyword
+ - name: ConnectTime
+ type: date
+ - name: ConnectType
+ type: keyword
+ - name: CpuClockSpeed
+ type: keyword
+ - name: CpuFeaturesMask
+ type: keyword
+ - name: CpuProcessorName
+ type: keyword
+ - name: CpuSignature
+ type: keyword
+ - name: CpuVendor
+ type: keyword
+ - name: CurrentFunctionalityLevel
+ type: keyword
+ - name: DeviceId
+ type: keyword
+ - name: ELFSubType
+ type: keyword
+ - name: ErrorCode
+ type: keyword
+ - name: ErrorStatus
+ type: keyword
+ - name: EtwRawThreadId
+ type: long
+ - name: FXFileSize
+ type: keyword
+ - name: Facility
+ type: keyword
+ - name: FailedConnectCount
+ type: long
+ - name: FeatureExtractionVersion
+ type: keyword
+ - name: FeatureVector
+ type: keyword
+ - name: File
+ type: keyword
+ - name: FirmwareAnalysisEclConsumerInterfaceVersion
+ type: keyword
+ - name: FirmwareAnalysisEclControlInterfaceVersion
+ type: keyword
+ - name: IOServiceClass
+ type: keyword
+ - name: IOServiceName
+ type: keyword
+ - name: IOServicePath
+ type: keyword
+ - name: InDiscards
+ type: keyword
+ - name: InErrors
+ type: keyword
+ - name: InMulticastPkts
+ type: keyword
+ - name: InOctets
+ type: keyword
+ - name: InUcastPkts
+ type: keyword
+ - name: InUnknownProtos
+ type: keyword
+ - name: InterfaceAlias
+ type: keyword
+ - name: InterfaceType
+ type: keyword
+ - name: LfoUploadFlags
+ type: keyword
+ - name: LightningLatencyState
+ type: keyword
+ - name: Line
+ type: keyword
+ - name: LogicalCoreCount
+ type: long
+ - name: LoginSessionId
+ type: keyword
+ - name: MLModelVersion
+ type: keyword
+ - name: MajorVersion
+ type: keyword
+ - name: Malicious
+ type: keyword
+ - name: MemoryTotal
+ type: keyword
+ - name: MicrocodeSignature
+ type: keyword
+ - name: MinorVersion
+ type: keyword
+ - name: MoboManufacturer
+ type: keyword
+ - name: MoboProductName
+ type: keyword
+ - name: ModelPrediction
+ type: keyword
+ - name: NeighborList
+ type: keyword
+ - name: NetLuidIndex
+ type: long
+ - name: NetworkContainmentState
+ type: keyword
+ - name: OSVersionFileData
+ type: keyword
+ - name: OSVersionFileName
+ type: keyword
+ - name: OutErrors
+ type: keyword
+ - name: OutMulticastPkts
+ type: keyword
+ - name: OutOctets
+ type: keyword
+ - name: OutUcastPkts
+ type: keyword
+ - name: Parameter1
+ type: keyword
+ - name: Parameter2
+ type: keyword
+ - name: Parameter3
+ type: keyword
+ - name: PciAttachmentState
+ type: keyword
+ - name: PhysicalCoreCount
+ type: long
+ - name: PreviousConnectTime
+ type: date
+ - name: ProcessCount
+ type: long
+ - name: ProcessorPackageCount
+ type: long
+ - name: ProvisionState
+ type: keyword
+ - name: PupAdwareConfidence
+ type: keyword
+ - name: PupAdwareDecisionValue
+ type: keyword
+ - name: RFMState
+ type: keyword
+ - name: ReasonOfFunctionalityLevel
+ type: keyword
+ - name: SensorStateBitMap
+ type: keyword
+ - name: SuppressType
+ type: keyword
+ - name: SyntheticPR2Flags
+ type: keyword
+ - name: SystemManufacturer
+ type: keyword
+ - name: SystemProductName
+ type: keyword
+ - name: SystemSerialNumber
+ type: keyword
+ - name: SystemSku
+ type: keyword
+ - name: SystemTableIndex
+ type: long
+ - name: TargetFileName
+ type: keyword
+ - name: USN
+ type: keyword
+ - name: UploadId
+ type: keyword
+ - name: UserSid
+ type: keyword
+ - name: VerifiedCertificate
+ type: keyword
+ - name: VolumeAppearanceTime
+ type: keyword
+ - name: VolumeBusName
+ type: keyword
+ - name: VolumeBusPath
+ type: keyword
+ - name: VolumeDeviceInternal
+ type: keyword
+ - name: VolumeDeviceModel
+ type: keyword
+ - name: VolumeDevicePath
+ type: keyword
+ - name: VolumeDeviceProtocol
+ type: keyword
+ - name: VolumeDeviceRevision
+ type: keyword
+ - name: VolumeMediaBSDMajor
+ type: keyword
+ - name: VolumeMediaBSDMinor
+ type: keyword
+ - name: VolumeMediaBSDName
+ type: keyword
+ - name: VolumeMediaBSDUnit
+ type: keyword
+ - name: VolumeMediaContent
+ type: keyword
+ - name: 
VolumeMediaEjectable
+ type: keyword
+ - name: VolumeMediaName
+ type: keyword
+ - name: VolumeMediaPath
+ type: keyword
+ - name: VolumeMediaRemovable
+ type: keyword
+ - name: VolumeMediaSize
+ type: keyword
+ - name: VolumeMediaUUID
+ type: keyword
+ - name: VolumeMediaWhole
+ type: keyword
+ - name: VolumeMediaWritable
+ type: keyword
+ - name: VolumeType
+ type: keyword
+ - name: VolumeUUID
+ type: keyword
+ - name: WindowFlags
+ type: keyword
+- name: process.end
+ type: date
diff --git a/packages/crowdstrike/1.2.7/data_stream/fdr/manifest.yml b/packages/crowdstrike/1.2.7/data_stream/fdr/manifest.yml
new file mode 100755
index 0000000000..755618e931
--- /dev/null
+++ b/packages/crowdstrike/1.2.7/data_stream/fdr/manifest.yml
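Review bot: None of the `crowdstrike.*` fields in this hunk carry a `description:`, unlike the ECS fields in the file just before it, so the generated field table will show an empty description column and an analyst cannot tell why, for example, `PasswordLastSet` is mapped as `keyword` while `LogonTime` is `date`. A one-line `description:` on at least the fields that drive security triage (`IntegrityLevel`, `PrivilegesBitmask`, `SuspiciousRawDiskReadCount`, `VerifiedCertificate`, `Malicious`) would make the schema self-describing, e.g. `description: Windows integrity level of the process, as reported by the sensor.` — wording to be confirmed against the vendor's FDR documentation. `ChasisManufacturer` reads as a misspelling of `ChassisManufacturer`; if it deliberately mirrors the raw FDR key it must stay as is, and a comment saying so would stop the next maintainer from "fixing" it and breaking the mapping. The layout here has lost the original indentation, so I read the structure from the `name`/`type` pairs only.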
@@ -0,0 +1,183 @@
+title: "Falcon Data Replicator"
+type: logs
+streams:
+ - input: aws-s3
+ template_path: aws-s3.yml.hbs
+ title: Falcon Data Replicator logs
+ description: Collect Falcon Data Replicator logs using s3 input
+ vars:
+ - name: access_key_id
+ type: text
+ title: Access Key ID
+ multi: false
+ required: false
+ show_user: true
+ - name: secret_access_key
+ type: text
+ title: Secret Access Key
+ multi: false
+ required: false
+ show_user: true
+ - name: session_token
+ type: text
+ title: Session Token
+ multi: false
+ required: false
+ show_user: true
+ - name: queue_url
+ type: text
+ title: Queue URL
+ multi: false
+ required: true
+ show_user: true
+ description: URL of the AWS SQS queue that messages will be received from.
+ - name: is_fdr_queue
+ type: bool
+ title: Is FDR queue
+ multi: false
+ required: true
+ show_user: true
+ description: |
+ By default the FDR queue is expected. This option must be set to `false` if you are using your own queue.
+ default: true
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: shared_credential_file
+ type: text
+ title: Shared Credential File
+ multi: false
+ required: false
+ show_user: false
+ description: Directory of the shared credentials file
+ - name: credential_profile_name
+ type: text
+ title: Credential Profile Name
+ multi: false
+ required: false
+ show_user: false
+ - name: role_arn
+ type: text
+ title: Role ARN
+ multi: false
+ required: false
+ show_user: false
+ - name: endpoint
+ type: text
+ title: Endpoint
+ multi: false
+ required: false
+ show_user: false
+ default: "amazonaws.com"
+ description: URL of the entry point for an AWS web service
+ - name: visibility_timeout
+ type: text
+ title: Visibility Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The 
duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ - name: api_timeout
+ type: text
+ title: API Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
+ - name: fips_enabled
+ type: bool
+ title: Enable S3 FIPS
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: fdr_parsing_script
+ type: yaml
+ title: FDR Notification Parsing Script
+ multi: false
+ required: true
+ show_user: false
+ description: The JS script used to parse the custom format of SQS FDR notifications.
+ default: |
+ function parse(n) {
+ var m = JSON.parse(n);
+ var evts = [];
+ var files = m.files;
+ var bucket = m.bucket;
+ if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") {
+ return evts;
+ }
+ files.forEach(function(f){
+ var evt = new S3EventV2();
+ evt.SetS3BucketName(bucket);
+ evt.SetS3ObjectKey(f.path);
+ evts.push(evt);
+ });
+ return evts;
+ }
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - crowdstrike-fdr
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ title: Falcon Data Replicator logs
+ description: Collect Falcon Data Replicator logs using a log file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ default:
+ - /var/log/falcon_data_replicator.log
+ show_user: true
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - crowdstrike-fdr
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/crowdstrike/1.2.7/data_stream/fdr/sample_event.json b/packages/crowdstrike/1.2.7/data_stream/fdr/sample_event.json
new file mode 100755
index 0000000000..efc1ec886b
--- /dev/null
+++ b/packages/crowdstrike/1.2.7/data_stream/fdr/sample_event.json
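Review bot: `access_key_id`, `secret_access_key` and `session_token` in the aws-s3 stream are declared `type: text`, so Fleet renders them as plain text inputs and the values are displayed unmasked in the policy editor; declaring them `type: password` (the package-spec type for secrets) keeps them masked in the UI while rendering the same config, and the same applies to `role_arn`-adjacent credentials only if they are ever extended. `fdr_parsing_script` is `required: true` with `show_user: false`, which is fine for the shipped default, but since the script is policy-editable the description should state that whoever can edit the policy controls the JavaScript the input runs for each SQS notification, e.g. `description: The JS script used to parse the custom format of SQS FDR notifications. Anyone able to edit this policy can change the script that the input executes.` The `proxy_url` description appears to have lost its placeholder tokens (it reads `http[s]://:@:`), most likely in page rendering; worth confirming the committed file still reads `http[s]://<user>:<password>@<host>:<port>` so the unmasked-credential caveat for proxies is visible to the operator.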
@@ -0,0 +1,121 @@
+{
+ "@timestamp": "2020-11-08T09:58:32.519Z",
+ "agent": {
+ "ephemeral_id": "33b3f217-19d7-4071-bb17-5dd3176d549d",
+ "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "crowdstrike": {
+ "ConfigStateHash": "1763245019",
+ "DesiredAccess": "1179785",
+ "EffectiveTransmissionClass": "3",
+ "Entitlements": "15",
+ "FileAttributes": "0",
+ "FileObject": "18446670458156489088",
+ "Information": "1",
+ "IrpFlags": "2180",
+ "MajorFunction": "0",
+ "MinorFunction": "0",
+ "OperationFlags": "0",
+ "Options": "16777312",
+ "ShareAccess": "5",
+ "Status": "0",
+ "cid": "ffffffff30a3407dae27d0503611022d",
+ "name": "RansomwareOpenFileV4"
+ },
+ "data_stream": {
+ "dataset": "crowdstrike.fdr",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "RansomwareOpenFile",
+ "agent_id_status": "verified",
+ "category": [
+ "file"
+ ],
+ "created": "2020-11-08T17:07:22.091Z",
+ "dataset": "crowdstrike.fdr",
+ "id": "ffffffff-1111-11eb-9756-06fe7f8f682f",
+ "ingested": "2021-12-30T05:14:09Z",
+ "kind": "alert",
+ "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}", + "outcome": "success", + "timezone": "+00:00", + "type": [ + "access" + ] + }, + "file": { + "directory": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads", + "extension": "pptx", + "inode": "7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00", + "name": "file.pptx", + "path": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx", + "type": "file" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/fdr-sample.log" + }, + "offset": 95203 + }, + "observer": { + "address": "67.43.156.14", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "serial_number": "ffffffffac4148947ed68497e89f3308", + "type": "agent", + "vendor": "crowdstrike", + "version": "1007.3.0011603.1" + }, + "os": { + "type": "windows" + }, + "process": { + "entity_id": "1016182570608", + "thread": { + "id": 37343520154472 + } + }, + "related": { 
+ "hash": [ + "1763245019" + ], + "hosts": [ + "67.43.156.14" + ], + "ip": [ + "67.43.156.14" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "crowdstrike-fdr" + ], + "url": { + "scheme": "http" + } +} \ No newline at end of file diff --git a/packages/crowdstrike/1.2.7/docs/README.md b/packages/crowdstrike/1.2.7/docs/README.md new file mode 100755 index 0000000000..3f992b94e5 --- /dev/null +++ b/packages/crowdstrike/1.2.7/docs/README.md 
@@ -0,0 +1,1013 @@ +# CrowdStrike Integration + +This integration is for CrowdStrike products. It includes the +following datasets for receiving logs: + +- `falcon` dataset: consists of endpoint data and Falcon platform audit data forwarded from Falcon SIEM Connector. +- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). + +## Compatibility + +This integration supports CrowdStrike Falcon SIEM-Connector-v2.0. + +## Logs + +### Falcon + +Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from Falcon SIEM Connector. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. 
| keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| crowdstrike.event.AuditKeyValues | Fields that were changed in this event. | nested | +| crowdstrike.event.CommandLine | Executable path with command line arguments. | keyword | +| crowdstrike.event.Commands | Commands run in a remote session. | keyword | +| crowdstrike.event.ComputerName | Name of the computer where the detection occurred. | keyword | +| crowdstrike.event.ConnectionDirection | Direction for network connection. | keyword | +| crowdstrike.event.CustomerId | Customer identifier. | keyword | +| crowdstrike.event.DetectDescription | Description of the detection. | keyword | +| crowdstrike.event.DetectId | Unique ID associated with the detection. | keyword | +| crowdstrike.event.DetectName | Name of the detection. | keyword | +| crowdstrike.event.DeviceId | Device on which the event occurred. | keyword | +| crowdstrike.event.EndTimestamp | End time for the remote session in UTC UNIX format. | date | +| crowdstrike.event.EventType | CrowdStrike provided event type. | keyword | +| crowdstrike.event.ExecutablesWritten | Detected executables written to disk by a process. | nested | +| crowdstrike.event.FalconHostLink | URL to view the detection in Falcon. | keyword | +| crowdstrike.event.FileName | File name of the associated process for the detection. | keyword | +| crowdstrike.event.FilePath | Path of the executable associated with the detection. | keyword | +| crowdstrike.event.FineScore | Score for incident. 
| float | +| crowdstrike.event.Flags.Audit | CrowdStrike audit flag. | boolean | +| crowdstrike.event.Flags.Log | CrowdStrike log flag. | boolean | +| crowdstrike.event.Flags.Monitor | CrowdStrike monitor flag. | boolean | +| crowdstrike.event.GrandparentCommandLine | Grandparent process command line arguments. | keyword | +| crowdstrike.event.GrandparentImageFileName | Path to the grandparent process. | keyword | +| crowdstrike.event.HostName | Host name of the local machine. | keyword | +| crowdstrike.event.HostnameField | Host name of the machine for the remote session. | keyword | +| crowdstrike.event.ICMPCode | RFC2780 ICMP Code field. | keyword | +| crowdstrike.event.ICMPType | RFC2780 ICMP Type field. | keyword | +| crowdstrike.event.IOCType | CrowdStrike type for indicator of compromise. | keyword | +| crowdstrike.event.IOCValue | CrowdStrike value for indicator of compromise. | keyword | +| crowdstrike.event.ImageFileName | File name of the associated process for the detection. | keyword | +| crowdstrike.event.IncidentEndTime | End time for the incident in UTC UNIX format. | date | +| crowdstrike.event.IncidentStartTime | Start time for the incident in UTC UNIX format. | date | +| crowdstrike.event.Ipv | Protocol for network request. | keyword | +| crowdstrike.event.LateralMovement | Lateral movement field for incident. | long | +| crowdstrike.event.LocalAddress | IP address of local machine. | ip | +| crowdstrike.event.LocalIP | IP address of the host associated with the detection. | keyword | +| crowdstrike.event.LocalPort | Port of local machine. | long | +| crowdstrike.event.MACAddress | MAC address of the host associated with the detection. | keyword | +| crowdstrike.event.MD5String | MD5 sum of the executable associated with the detection. | keyword | +| crowdstrike.event.MachineDomain | Domain for the machine associated with the detection. | keyword | +| crowdstrike.event.MatchCount | Number of firewall rule matches. 
| long | +| crowdstrike.event.MatchCountSinceLastReport | Number of firewall rule matches since the last report. | long | +| crowdstrike.event.NetworkProfile | CrowdStrike network profile. | keyword | +| crowdstrike.event.Objective | Method of detection. | keyword | +| crowdstrike.event.OperationName | Event subtype. | keyword | +| crowdstrike.event.PID | Associated process id for the detection. | long | +| crowdstrike.event.ParentCommandLine | Parent process command line arguments. | keyword | +| crowdstrike.event.ParentImageFileName | Path to the parent process. | keyword | +| crowdstrike.event.ParentProcessId | Parent process ID related to the detection. | integer | +| crowdstrike.event.PatternDispositionDescription | Action taken by Falcon. | keyword | +| crowdstrike.event.PatternDispositionFlags.BootupSafeguardEnabled | | boolean | +| crowdstrike.event.PatternDispositionFlags.CriticalProcessDisabled | | boolean | +| crowdstrike.event.PatternDispositionFlags.Detect | | boolean | +| crowdstrike.event.PatternDispositionFlags.FsOperationBlocked | | boolean | +| crowdstrike.event.PatternDispositionFlags.InddetMask | | boolean | +| crowdstrike.event.PatternDispositionFlags.Indicator | | boolean | +| crowdstrike.event.PatternDispositionFlags.KillParent | | boolean | +| crowdstrike.event.PatternDispositionFlags.KillProcess | | boolean | +| crowdstrike.event.PatternDispositionFlags.KillSubProcess | | boolean | +| crowdstrike.event.PatternDispositionFlags.OperationBlocked | | boolean | +| crowdstrike.event.PatternDispositionFlags.PolicyDisabled | | boolean | +| crowdstrike.event.PatternDispositionFlags.ProcessBlocked | | boolean | +| crowdstrike.event.PatternDispositionFlags.QuarantineFile | | boolean | +| crowdstrike.event.PatternDispositionFlags.QuarantineMachine | | boolean | +| crowdstrike.event.PatternDispositionFlags.RegistryOperationBlocked | | boolean | +| crowdstrike.event.PatternDispositionFlags.Rooting | | boolean | +| 
crowdstrike.event.PatternDispositionFlags.SensorOnly | | boolean | +| crowdstrike.event.PatternDispositionValue | Unique ID associated with action taken. | integer | +| crowdstrike.event.PolicyID | CrowdStrike policy id. | keyword | +| crowdstrike.event.PolicyName | CrowdStrike policy name. | keyword | +| crowdstrike.event.ProcessEndTime | The process termination time in UTC UNIX_MS format. | date | +| crowdstrike.event.ProcessId | Process ID related to the detection. | integer | +| crowdstrike.event.ProcessStartTime | The process start time in UTC UNIX_MS format. | date | +| crowdstrike.event.Protocol | CrowdStrike provided protocol. | keyword | +| crowdstrike.event.RemoteAddress | IP address of remote machine. | ip | +| crowdstrike.event.RemotePort | Port of remote machine. | long | +| crowdstrike.event.RuleAction | Firewall rule action. | keyword | +| crowdstrike.event.RuleDescription | Firewall rule description. | keyword | +| crowdstrike.event.RuleFamilyID | Firewall rule family id. | keyword | +| crowdstrike.event.RuleGroupName | Firewall rule group name. | keyword | +| crowdstrike.event.RuleId | Firewall rule id. | keyword | +| crowdstrike.event.RuleName | Firewall rule name. | keyword | +| crowdstrike.event.SHA1String | SHA1 sum of the executable associated with the detection. | keyword | +| crowdstrike.event.SHA256String | SHA256 sum of the executable associated with the detection. | keyword | +| crowdstrike.event.SensorId | Unique ID associated with the Falcon sensor. | keyword | +| crowdstrike.event.ServiceName | Service associated with this event. | keyword | +| crowdstrike.event.SessionId | Session ID of the remote response session. | keyword | +| crowdstrike.event.Severity | Severity score of the detection. | integer | +| crowdstrike.event.SeverityName | Severity score text. | keyword | +| crowdstrike.event.StartTimestamp | Start time for the remote session in UTC UNIX format. 
| date | +| crowdstrike.event.State | Whether the incident summary is open and ongoing or closed. | keyword | +| crowdstrike.event.Status | CrowdStrike status. | keyword | +| crowdstrike.event.Success | Indicator of whether or not this event was successful. | boolean | +| crowdstrike.event.Tactic | MITRE tactic category of the detection. | keyword | +| crowdstrike.event.Technique | MITRE technique category of the detection. | keyword | +| crowdstrike.event.Timestamp | Firewall rule triggered timestamp. | date | +| crowdstrike.event.TreeID | CrowdStrike tree id. | keyword | +| crowdstrike.event.UTCTimestamp | Timestamp associated with this event in UTC UNIX format. | date | +| crowdstrike.event.UserId | Email address or user ID associated with the event. | keyword | +| crowdstrike.event.UserIp | IP address associated with the user. | keyword | +| crowdstrike.event.UserName | User name associated with the detection. | keyword | +| crowdstrike.metadata.customerIDString | Customer identifier | keyword | +| crowdstrike.metadata.eventCreationTime | The time this event occurred on the endpoint in UTC UNIX_MS format. | date | +| crowdstrike.metadata.eventType | DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent | keyword | +| crowdstrike.metadata.offset | Offset number that tracks the location of the event in stream. This is used to identify unique detection events. | integer | +| crowdstrike.metadata.version | Schema version | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.severity | The numeric severity of the event according to your event source. 
What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. 
| match_only_text | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | +| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. 
| keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + +An example event for `falcon` looks as following: + +```json +{ + "@timestamp": "2020-02-12T21:29:10.710Z", + "agent": { + "ephemeral_id": "9060b4e5-b568-47b0-9a7b-62121df53ec9", + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "crowdstrike": { + "event": { + "AuditKeyValues": [ + { + "Key": "APIClientID", + "ValueString": "1234567890abcdefghijklmnopqr" + }, + { + "Key": "partition", + "ValueString": "0" + }, + { + "Key": "offset", + "ValueString": "-1" + }, + { + "Key": "appId", + "ValueString": "siem-connector-v2.0.0" + }, + { + "Key": "eventType", + "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]" + } + ], + "OperationName": "streamStarted", + "ServiceName": "Crowdstrike Streaming API", + "Success": true, + "UTCTimestamp": "2020-02-12T21:29:10.000Z", + "UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", + "UserIp": "10.10.0.8" + }, + "metadata": { + "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "eventCreationTime": "2020-02-12T21:29:10.710Z", + "eventType": "AuthActivityAuditEvent", + "offset": 0, + "version": "1.0" + } + }, + "data_stream": { + "dataset": "crowdstrike.falcon", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "authentication" + ], + "dataset": "crowdstrike.falcon", + "ingested": "2021-12-30T05:13:25Z", + "kind": "event", + "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": 
\"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": \"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}", + "outcome": "success", + "type": [ + "change" + ] + }, + "event.action": "stream_started", + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/falcon-audit-events.log" + }, + "flags": [ + "multiline" + ], + "offset": 910 + }, + "message": "Crowdstrike Streaming API", + "related": { + "ip": [ + "10.10.0.8" + ], + "user": [ + "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" + ] + }, + "source": { + "ip": "10.10.0.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "crowdstrike-falcon" + ], + "user": { + "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" + } +} +``` + +### FDR + +The CrowdStrike Falcon Data Replicator (FDR) allows CrowdStrike users to replicate FDR data from CrowdStrike +managed S3 buckets. CrowdStrike writes notification events to a CrowdStrike managed SQS queue when new data is +available in S3. + +This integration can be used in two ways. 
It can consume SQS notifications directly from the CrowdStrike managed +SQS queue or it can be used in conjunction with the FDR tool that replicates the data to a self-managed S3 bucket +and the integration can read from there. + +In both cases SQS messages are deleted after they are processed. This allows you to operate more than one Elastic +Agent with this integration if needed and not have duplicate events, but it means you cannot ingest the data a second time. + +#### Use with CrowdStrike managed S3/SQS + +This is the simplest way to setup the integration, and also the default. + +You need to set the integration up with the SQS queue URL provided by Crowdstrike FDR. +Ensure the `Is FDR queue` option is enabled. + +#### Use with FDR tool and data replicated to a self-managed S3 bucket + +This option can be used if you want to archive the raw CrowdStrike data. + +You need to follow the steps below: + +- Create a S3 bucket to receive the logs. +- Create a SQS queue. +- Configure your S3 bucket to send object created notifications to your SQS queue. +- Follow the [FDR tool](https://github.com/CrowdStrike/FDR) instructions to replicate data to your own S3 bucket. +- Configure the integration to read from your self-managed SQS topic. +- Disable the `Is FDR queue` option in the integration. + +**NOTE: While the FDR tool can replicate the files from S3 to your local file system, this integration cannot read those files because they are gzip compressed, and the log file input does not support reading compressed files.** + +#### Configuration for the S3 input + +AWS credentials are required for running this integration if you want to use the S3 input. + +##### Configuration parameters +* *access_key_id*: first part of access key. +* *secret_access_key*: second part of access key. +* *session_token*: required when using temporary security credentials. +* *credential_profile_name*: profile name in shared credentials file. 
+* *shared_credential_file*: directory of the shared credentials file. +* *endpoint*: URL of the entry point for an AWS web service. +* *role_arn*: AWS IAM Role to assume. + +##### Credential Types +There are three types of AWS credentials can be used: access keys, temporary +security credentials and IAM role ARN. + +##### Access keys + +`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys. +They are long-term credentials for an IAM user, or the AWS account root user. +Please see [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) +for more details. + +##### Temporary security credentials + +Temporary security credentials has a limited lifetime and consists of an +access key ID, a secret access key, and a security token which typically returned +from `GetSessionToken`. MFA-enabled IAM users would need to submit an MFA code +while calling `GetSessionToken`. `default_region` identifies the AWS Region +whose servers you want to send your first API request to by default. This is +typically the Region closest to you, but it can be any Region. Please see +[Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) +for more details. + +`sts get-session-token` AWS CLI can be used to generate temporary credentials. +For example. with MFA-enabled: +```js +aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456 +``` + +Because temporary security credentials are short term, after they expire, the +user needs to generate new ones and manually update the package configuration in +order to continue collecting `aws` metrics. This will cause data loss if the +configuration is not updated with new credentials before the old ones expire. 
+ +##### IAM role ARN + +An IAM role is an IAM identity that you can create in your account that has +specific permissions that determine what the identity can and cannot do in AWS. +A role does not have standard long-term credentials such as a password or access +keys associated with it. Instead, when you assume a role, it provides you with +temporary security credentials for your role session. IAM role Amazon Resource +Name (ARN) can be used to specify which AWS IAM role to assume to generate +temporary credentials. Please see +[AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) +for more details. + +##### Supported Formats +1. Use access keys: Access keys include `access_key_id`, `secret_access_key` +and/or `session_token`. +2. Use `role_arn`: `role_arn` is used to specify which AWS IAM role to assume +for generating temporary credentials. If `role_arn` is given, the package will +check if access keys are given. If not, the package will check for credential +profile name. If neither is given, default credential profile will be used. +Please make sure credentials are given under either a credential profile or +access keys. +3. Use `credential_profile_name` and/or `shared_credential_file`: +If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then +the package will check for `credential_profile_name`. If you use different +credentials for different tools or applications, you can use profiles to +configure multiple access keys in the same configuration file. If there is +no `credential_profile_name` given, the default profile will be used. +`shared_credential_file` is optional to specify the directory of your shared +credentials file. If it's empty, the default directory will be used. +In Windows, shared credentials file is at `C:\Users\\.aws\credentials`. +For Linux, macOS or Unix, the file locates at `~/.aws/credentials`. 
Please see +[Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html) +for more details. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| crowdstrike.AgentLoadFlags | | keyword | +| crowdstrike.AgentLocalTime | | date | +| crowdstrike.AgentTimeOffset | | float | +| crowdstrike.AgentVersion | | keyword | +| crowdstrike.AllocateVirtualMemoryCount | | long | +| crowdstrike.ApiReturnValue | | keyword | +| crowdstrike.ArchiveFileWrittenCount | | long | +| crowdstrike.AsepWrittenCount | | long | +| crowdstrike.AttemptNumber | | long | +| crowdstrike.AuthenticationId | | keyword | +| crowdstrike.AuthenticationPackage | | keyword | +| crowdstrike.AuthenticationUuid | | keyword | +| crowdstrike.AuthenticationUuidAsString | | keyword | +| crowdstrike.BinaryExecutableWrittenCount | | long | +| crowdstrike.BiosManufacturer | | keyword | +| crowdstrike.BiosReleaseDate | | date | +| crowdstrike.BiosVersion | | keyword | +| crowdstrike.BootArgs | | keyword | +| crowdstrike.BootTimeFunctionalityLevel | | keyword | +| crowdstrike.BoundedCount | | long | +| crowdstrike.BundleID | | keyword | +| crowdstrike.CLICreationCount | | long | +| crowdstrike.CallStackModuleNames | | keyword | +| crowdstrike.CallStackModuleNamesVersion | | version | +| crowdstrike.ChannelDiffStatus | | keyword | +| crowdstrike.ChannelId | | keyword | +| crowdstrike.ChannelVersion | | keyword | +| crowdstrike.ChannelVersionRequired | | keyword | +| crowdstrike.ChasisManufacturer | | keyword | +| crowdstrike.ChassisType | | keyword | +| crowdstrike.ClientComputerName | | keyword | +| crowdstrike.CompletionEventId | | keyword | +| crowdstrike.ConHostId | | keyword | +| crowdstrike.ConHostProcessId | | keyword | +| crowdstrike.ConfigBuild | | keyword | +| crowdstrike.ConfigIDBase | | keyword | +| crowdstrike.ConfigIDBuild | | keyword | +| crowdstrike.ConfigIDPlatform | | keyword | 
+| crowdstrike.ConfigStateData | | keyword | +| crowdstrike.ConfigStateHash | | keyword | +| crowdstrike.ConfigurationVersion | | keyword | +| crowdstrike.ConnectTime | | date | +| crowdstrike.ConnectType | | keyword | +| crowdstrike.ConnectionFlags | | keyword | +| crowdstrike.ContextProcessId | | keyword | +| crowdstrike.CpuClockSpeed | | keyword | +| crowdstrike.CpuFeaturesMask | | keyword | +| crowdstrike.CpuProcessorName | | keyword | +| crowdstrike.CpuSignature | | keyword | +| crowdstrike.CpuVendor | | keyword | +| crowdstrike.CreateProcessCount | | long | +| crowdstrike.CreateProcessType | | keyword | +| crowdstrike.CurrentFunctionalityLevel | | keyword | +| crowdstrike.CycleTime | | long | +| crowdstrike.DesiredAccess | | keyword | +| crowdstrike.DeviceId | | keyword | +| crowdstrike.DirectoryCreatedCount | | long | +| crowdstrike.DirectoryEnumeratedCount | | long | +| crowdstrike.DnsRequestCount | | long | +| crowdstrike.DocumentFileWrittenCount | | long | +| crowdstrike.DownloadPath | | keyword | +| crowdstrike.DownloadPort | | long | +| crowdstrike.DownloadServer | | keyword | +| crowdstrike.DualRequest | | keyword | +| crowdstrike.ELFSubType | | keyword | +| crowdstrike.EffectiveTransmissionClass | | keyword | +| crowdstrike.EnabledPrivilegesBitmask | | keyword | +| crowdstrike.Entitlements | | keyword | +| crowdstrike.ErrorCode | | keyword | +| crowdstrike.ErrorStatus | | keyword | +| crowdstrike.EtwRawThreadId | | long | +| crowdstrike.ExeAndServiceCount | | long | +| crowdstrike.ExecutableDeletedCount | | long | +| crowdstrike.FXFileSize | | keyword | +| crowdstrike.Facility | | keyword | +| crowdstrike.FailedConnectCount | | long | +| crowdstrike.FalconGroupingTags | | keyword | +| crowdstrike.FeatureExtractionVersion | | keyword | +| crowdstrike.FeatureVector | | keyword | +| crowdstrike.File | | keyword | +| crowdstrike.FileAttributes | | keyword | +| crowdstrike.FileDeletedCount | | long | +| crowdstrike.FileEcpBitmask | | keyword | +| 
crowdstrike.FileObject | | keyword | +| crowdstrike.FirmwareAnalysisEclConsumerInterfaceVersion | | keyword | +| crowdstrike.FirmwareAnalysisEclControlInterfaceVersion | | keyword | +| crowdstrike.FirstSeen | | date | +| crowdstrike.Flags | | keyword | +| crowdstrike.GenericFileWrittenCount | | long | +| crowdstrike.GrandParentBaseFileName | | keyword | +| crowdstrike.HostHiddenStatus | | keyword | +| crowdstrike.IOServiceClass | | keyword | +| crowdstrike.IOServiceName | | keyword | +| crowdstrike.IOServicePath | | keyword | +| crowdstrike.ImageSubsystem | | keyword | +| crowdstrike.InContext | | keyword | +| crowdstrike.InDiscards | | keyword | +| crowdstrike.InErrors | | keyword | +| crowdstrike.InMulticastPkts | | keyword | +| crowdstrike.InOctets | | keyword | +| crowdstrike.InUcastPkts | | keyword | +| crowdstrike.InUnknownProtos | | keyword | +| crowdstrike.Information | | keyword | +| crowdstrike.InjectedDllCount | | long | +| crowdstrike.InjectedThreadCount | | long | +| crowdstrike.IntegrityLevel | | keyword | +| crowdstrike.InterfaceAlias | | keyword | +| crowdstrike.InterfaceGuid | | keyword | +| crowdstrike.InterfaceIndex | | long | +| crowdstrike.InterfaceType | | keyword | +| crowdstrike.InterfaceVersion | | keyword | +| crowdstrike.IrpFlags | | keyword | +| crowdstrike.IsOnNetwork | | keyword | +| crowdstrike.IsOnRemovableDisk | | keyword | +| crowdstrike.IsTransactedFile | | keyword | +| crowdstrike.KernelTime | | long | +| crowdstrike.LfoUploadFlags | | keyword | +| crowdstrike.LightningLatencyState | | keyword | +| crowdstrike.Line | | keyword | +| crowdstrike.LogicalCoreCount | | long | +| crowdstrike.LoginSessionId | | keyword | +| crowdstrike.LogoffTime | | date | +| crowdstrike.LogonDomain | | keyword | +| crowdstrike.LogonId | | keyword | +| crowdstrike.LogonServer | | keyword | +| crowdstrike.LogonTime | | date | +| crowdstrike.LogonType | | keyword | +| crowdstrike.MLModelVersion | | keyword | +| crowdstrike.MachOSubType | | keyword | +| 
crowdstrike.MajorFunction | | keyword | +| crowdstrike.MajorVersion | | keyword | +| crowdstrike.Malicious | | keyword | +| crowdstrike.MaxThreadCount | | long | +| crowdstrike.MemoryTotal | | keyword | +| crowdstrike.MicrocodeSignature | | keyword | +| crowdstrike.MinorFunction | | keyword | +| crowdstrike.MinorVersion | | keyword | +| crowdstrike.MoboManufacturer | | keyword | +| crowdstrike.MoboProductName | | keyword | +| crowdstrike.ModelPrediction | | keyword | +| crowdstrike.ModuleLoadCount | | long | +| crowdstrike.NDRoot | | keyword | +| crowdstrike.NeighborList | | keyword | +| crowdstrike.NetLuidIndex | | long | +| crowdstrike.NetworkBindCount | | long | +| crowdstrike.NetworkCapableAsepWriteCount | | long | +| crowdstrike.NetworkCloseCount | | long | +| crowdstrike.NetworkConnectCount | | long | +| crowdstrike.NetworkConnectCountUdp | | long | +| crowdstrike.NetworkContainmentState | | keyword | +| crowdstrike.NetworkListenCount | | long | +| crowdstrike.NetworkModuleLoadCount | | long | +| crowdstrike.NetworkRecvAcceptCount | | long | +| crowdstrike.NewExecutableWrittenCount | | long | +| crowdstrike.NewFileIdentifier | | keyword | +| crowdstrike.OSVersionFileData | | keyword | +| crowdstrike.OSVersionFileName | | keyword | +| crowdstrike.OU | | keyword | +| crowdstrike.OperationFlags | | keyword | +| crowdstrike.Options | | keyword | +| crowdstrike.OutErrors | | keyword | +| crowdstrike.OutMulticastPkts | | keyword | +| crowdstrike.OutOctets | | keyword | +| crowdstrike.OutUcastPkts | | keyword | +| crowdstrike.Parameter1 | | keyword | +| crowdstrike.Parameter2 | | keyword | +| crowdstrike.Parameter3 | | keyword | +| crowdstrike.ParentAuthenticationId | | keyword | +| crowdstrike.PasswordLastSet | | keyword | +| crowdstrike.PciAttachmentState | | keyword | +| crowdstrike.PhysicalAddressLength | | long | +| crowdstrike.PhysicalCoreCount | | long | +| crowdstrike.PointerSize | | keyword | +| crowdstrike.PreviousConnectTime | | date | +| 
crowdstrike.PrivilegedProcessHandleCount | | long | +| crowdstrike.PrivilegesBitmask | | keyword | +| crowdstrike.ProcessCount | | long | +| crowdstrike.ProcessCreateFlags | | keyword | +| crowdstrike.ProcessParameterFlags | | keyword | +| crowdstrike.ProcessSxsFlags | | keyword | +| crowdstrike.ProcessorPackageCount | | long | +| crowdstrike.ProductType | | keyword | +| crowdstrike.ProtectVirtualMemoryCount | | long | +| crowdstrike.ProvisionState | | keyword | +| crowdstrike.PupAdwareConfidence | | keyword | +| crowdstrike.PupAdwareDecisionValue | | keyword | +| crowdstrike.QueueApcCount | | long | +| crowdstrike.RFMState | | keyword | +| crowdstrike.RGID | | keyword | +| crowdstrike.RUID | | keyword | +| crowdstrike.ReasonOfFunctionalityLevel | | keyword | +| crowdstrike.RegKeySecurityDecreasedCount | | long | +| crowdstrike.RemoteAccount | | keyword | +| crowdstrike.RemovableDiskFileWrittenCount | | long | +| crowdstrike.RequestType | | keyword | +| crowdstrike.RpcClientProcessId | | keyword | +| crowdstrike.RpcClientThreadId | | keyword | +| crowdstrike.RpcNestingLevel | | keyword | +| crowdstrike.RpcOpNum | | keyword | +| crowdstrike.RunDllInvocationCount | | long | +| crowdstrike.SVGID | | keyword | +| crowdstrike.SVUID | | keyword | +| crowdstrike.ScreenshotsTakenCount | | long | +| crowdstrike.ScriptEngineInvocationCount | | long | +| crowdstrike.SensorGroupingTags | | keyword | +| crowdstrike.SensorStateBitMap | | keyword | +| crowdstrike.ServiceDisplayName | | keyword | +| crowdstrike.ServiceEventCount | | long | +| crowdstrike.ServicePackMajor | | keyword | +| crowdstrike.SessionId | | keyword | +| crowdstrike.SessionProcessId | | keyword | +| crowdstrike.SetThreadContextCount | | long | +| crowdstrike.ShareAccess | | keyword | +| crowdstrike.SiteName | | keyword | +| crowdstrike.Size | | long | +| crowdstrike.SnapshotFileOpenCount | | long | +| crowdstrike.SourceFileName | | keyword | +| crowdstrike.SourceProcessId | | keyword | +| 
crowdstrike.SourceThreadId | | keyword | +| crowdstrike.Status | | keyword | +| crowdstrike.SubStatus | | keyword | +| crowdstrike.SuppressType | | keyword | +| crowdstrike.SuspectStackCount | | long | +| crowdstrike.SuspiciousCredentialModuleLoadCount | | long | +| crowdstrike.SuspiciousDnsRequestCount | | long | +| crowdstrike.SuspiciousFontLoadCount | | long | +| crowdstrike.SuspiciousRawDiskReadCount | | long | +| crowdstrike.SyntheticPR2Flags | | keyword | +| crowdstrike.SystemManufacturer | | keyword | +| crowdstrike.SystemProductName | | keyword | +| crowdstrike.SystemSerialNumber | | keyword | +| crowdstrike.SystemSku | | keyword | +| crowdstrike.SystemTableIndex | | long | +| crowdstrike.Tags | | keyword | +| crowdstrike.TargetFileName | | keyword | +| crowdstrike.TargetThreadId | | keyword | +| crowdstrike.Time | | date | +| crowdstrike.Timeout | | long | +| crowdstrike.TokenType | | keyword | +| crowdstrike.USN | | keyword | +| crowdstrike.UnixMode | | keyword | +| crowdstrike.UnsignedModuleLoadCount | | long | +| crowdstrike.UploadId | | keyword | +| crowdstrike.UserFlags | | keyword | +| crowdstrike.UserGroupsBitmask | | keyword | +| crowdstrike.UserLogoffType | | keyword | +| crowdstrike.UserLogonFlags | | keyword | +| crowdstrike.UserMemoryAllocateExecutableCount | | long | +| crowdstrike.UserMemoryAllocateExecutableRemoteCount | | long | +| crowdstrike.UserMemoryProtectExecutableCount | | long | +| crowdstrike.UserMemoryProtectExecutableRemoteCount | | long | +| crowdstrike.UserSid | | keyword | +| crowdstrike.UserTime | | long | +| crowdstrike.VerifiedCertificate | | keyword | +| crowdstrike.VnodeModificationType | | keyword | +| crowdstrike.VnodeType | | keyword | +| crowdstrike.VolumeAppearanceTime | | keyword | +| crowdstrike.VolumeBusName | | keyword | +| crowdstrike.VolumeBusPath | | keyword | +| crowdstrike.VolumeDeviceCharacteristics | | keyword | +| crowdstrike.VolumeDeviceInternal | | keyword | +| crowdstrike.VolumeDeviceModel | | keyword 
| +| crowdstrike.VolumeDeviceObjectFlags | | keyword | +| crowdstrike.VolumeDevicePath | | keyword | +| crowdstrike.VolumeDeviceProtocol | | keyword | +| crowdstrike.VolumeDeviceRevision | | keyword | +| crowdstrike.VolumeDeviceType | | keyword | +| crowdstrike.VolumeDriveLetter | | keyword | +| crowdstrike.VolumeFileSystemDevice | | keyword | +| crowdstrike.VolumeFileSystemDriver | | keyword | +| crowdstrike.VolumeFileSystemType | | keyword | +| crowdstrike.VolumeIsEncrypted | | keyword | +| crowdstrike.VolumeIsNetwork | | keyword | +| crowdstrike.VolumeMediaBSDMajor | | keyword | +| crowdstrike.VolumeMediaBSDMinor | | keyword | +| crowdstrike.VolumeMediaBSDName | | keyword | +| crowdstrike.VolumeMediaBSDUnit | | keyword | +| crowdstrike.VolumeMediaContent | | keyword | +| crowdstrike.VolumeMediaEjectable | | keyword | +| crowdstrike.VolumeMediaName | | keyword | +| crowdstrike.VolumeMediaPath | | keyword | +| crowdstrike.VolumeMediaRemovable | | keyword | +| crowdstrike.VolumeMediaSize | | keyword | +| crowdstrike.VolumeMediaUUID | | keyword | +| crowdstrike.VolumeMediaWhole | | keyword | +| crowdstrike.VolumeMediaWritable | | keyword | +| crowdstrike.VolumeMountPoint | | keyword | +| crowdstrike.VolumeName | | keyword | +| crowdstrike.VolumeRealDeviceName | | keyword | +| crowdstrike.VolumeSectorSize | | keyword | +| crowdstrike.VolumeType | | keyword | +| crowdstrike.VolumeUUID | | keyword | +| crowdstrike.WindowFlags | | keyword | +| crowdstrike.cid | | keyword | +| crowdstrike.name | | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.device | Device that is the source of the file. | keyword | +| file.directory | Directory where the file is located. 
It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| input.type | | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. 
| keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.address | | keyword | +| observer.geo.city_name | City name. | keyword | +| observer.geo.continent_name | Name of the continent. | keyword | +| observer.geo.country_iso_code | Country ISO code. | keyword | +| observer.geo.country_name | Country name. | keyword | +| observer.geo.location | Longitude and latitude. | geo_point | +| observer.geo.region_iso_code | Region ISO code. | keyword | +| observer.geo.region_name | Region name. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.serial_number | Observer serial number. | keyword | +| observer.type | The type of the observer the data is coming from. 
There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| os.version | Operating system version as a raw string. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.end | | date | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. 
| keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.pgid | Identifier of the group of processes the process belongs to. | long | +| process.pid | Process id. | long | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.uptime | Seconds the process has been up. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
| keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
| keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. 
| match_only_text | + + +An example event for `fdr` looks as following: + +```json +{ + "@timestamp": "2020-11-08T09:58:32.519Z", + "agent": { + "ephemeral_id": "33b3f217-19d7-4071-bb17-5dd3176d549d", + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "crowdstrike": { + "ConfigStateHash": "1763245019", + "DesiredAccess": "1179785", + "EffectiveTransmissionClass": "3", + "Entitlements": "15", + "FileAttributes": "0", + "FileObject": "18446670458156489088", + "Information": "1", + "IrpFlags": "2180", + "MajorFunction": "0", + "MinorFunction": "0", + "OperationFlags": "0", + "Options": "16777312", + "ShareAccess": "5", + "Status": "0", + "cid": "ffffffff30a3407dae27d0503611022d", + "name": "RansomwareOpenFileV4" + }, + "data_stream": { + "dataset": "crowdstrike.fdr", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "RansomwareOpenFile", + "agent_id_status": "verified", + "category": [ + "file" + ], + "created": "2020-11-08T17:07:22.091Z", + "dataset": "crowdstrike.fdr", + "id": "ffffffff-1111-11eb-9756-06fe7f8f682f", + "ingested": "2021-12-30T05:14:09Z", + "kind": "alert", + "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}", + "outcome": "success", + "timezone": "+00:00", + "type": [ + "access" + ] + }, + "file": { + "directory": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads", + "extension": "pptx", + "inode": "7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00", + "name": "file.pptx", + "path": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx", + "type": "file" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/fdr-sample.log" + }, + "offset": 95203 + }, + "observer": { + "address": "67.43.156.14", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "serial_number": "ffffffffac4148947ed68497e89f3308", + "type": "agent", + "vendor": "crowdstrike", + "version": "1007.3.0011603.1" + }, + "os": { + "type": "windows" + }, + "process": { + "entity_id": "1016182570608", + "thread": { + "id": 37343520154472 + } + }, + "related": { 
+ "hash": [ + "1763245019" + ], + "hosts": [ + "67.43.156.14" + ], + "ip": [ + "67.43.156.14" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "crowdstrike-fdr" + ], + "url": { + "scheme": "http" + } +} +``` diff --git a/packages/crowdstrike/1.2.7/img/fdr-overview.png b/packages/crowdstrike/1.2.7/img/fdr-overview.png new file mode 100755 index 0000000000..a960bc3781 Binary files /dev/null and b/packages/crowdstrike/1.2.7/img/fdr-overview.png differ diff --git a/packages/crowdstrike/1.2.7/img/logo-integrations-crowdstrike.svg b/packages/crowdstrike/1.2.7/img/logo-integrations-crowdstrike.svg new file mode 100755 index 0000000000..1b2195a224 --- /dev/null +++ b/packages/crowdstrike/1.2.7/img/logo-integrations-crowdstrike.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/crowdstrike/1.2.7/img/siem-alerts-cs.jpg b/packages/crowdstrike/1.2.7/img/siem-alerts-cs.jpg new file mode 100755 index 0000000000..b74edfe229 Binary files /dev/null and b/packages/crowdstrike/1.2.7/img/siem-alerts-cs.jpg differ diff --git a/packages/crowdstrike/1.2.7/img/siem-events-cs.jpg b/packages/crowdstrike/1.2.7/img/siem-events-cs.jpg new file mode 100755 index 0000000000..9839f73821 Binary files /dev/null and b/packages/crowdstrike/1.2.7/img/siem-events-cs.jpg differ diff --git a/packages/crowdstrike/1.2.7/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json b/packages/crowdstrike/1.2.7/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json new file mode 100755 index 0000000000..a8960ff152 --- /dev/null +++ b/packages/crowdstrike/1.2.7/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "description": "Summarised overview for Crowdstrike FDR events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"crowdstrike.fdr\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"0307e118-9fac-4923-ad6e-b588a8bd939f\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"observer.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"CLUSTERS\\\",\\\"id\\\":\\\"4c8af7e5-4ec6-43de-84ea-8df092cea5f8\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"6b7c69d1-9248-4af3-b437-0abcef344b67\\\",\\\"label\\\":\\\"Agent 
locations\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"BLENDED_VECTOR\\\",\\\"joins\\\":[]},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"0314931e-5e8d-4609-be8a-b478a6afed11\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}]},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"c
olor\\\":\\\"#494193\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":10,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"1b3c966b-6756-41dc-8875-a936e36dd0c2\\\",\\\"label\\\":\\\"Connections\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15M\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\
\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":25.7461,\"lon\":0,\"zoom\":0.73},\"openTOCDetails\":[]},\"gridData\":{\"h\":17,\"i\":\"26961648-cc31-4ed6-a378-698523307b21\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"26961648-cc31-4ed6-a378-698523307b21\",\"title\":\"Agents and connections\",\"type\":\"map\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1928976e-020d-48bd-9887-d9fd1925f69e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1928976e-020d-48bd-9887-d9fd1925f69e\":{\"columnOrder\":[\"7aaadac8-55b7-4979-9bf1-b02a9673b502\",\"5ec733a8-d11d-472d-9328-3c48b41a17ac\"],\"columns\":{\"5ec733a8-d11d-472d-9328-3c48b41a17ac\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7aaadac8-55b7-4979-9bf1-b02a9673b502\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
events\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5ec733a8-d11d-472d-9328-3c48b41a17ac\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.kind\",\"negate\":true,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7aaadac8-55b7-4979-9bf1-b02a9673b502\",\"isTransposed\":false},{\"alignment\":\"center\",\"columnId\":\"5ec733a8-d11d-472d-9328-3c48b41a17ac\",\"isTransposed\":false,\"summaryRow\":\"none\"}],\"layerId\":\"1928976e-020d-48bd-9887-d9fd1925f69e\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"7564f2a4-7167-4d71-8ce2-ece32f217487\",\"w\":10,\"x\":16,\"y\":0},\"panelIndex\":\"7564f2a4-7167-4d71-8ce2-ece32f217487\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-085f4952-432b-4bd3-9740-e99f42a7877b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"085f4952-432b-4bd3-9740-e99f42a7877b\":{\"columnOrder\":[\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\",\"0a3ada5d-923b-461b-8885-e7fdcd948034\"],\"columns\":{\"0a3ada5d-923b-461b-8885-e7fdcd948034\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0a3ada5d-923b-461b-8885-e7fdcd948034\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"DnsRequest\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"DnsRequest\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\",\"isTransposed\":false},{\"alignment\":\"center\",\"columnId\":\"0a3ada5d-923b-461b-8885-e7fdcd948034\",\"isTransposed\":false}],\"layerId\":\"085f4952-432b-4bd3-9740-e99f42a7877b\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"396c3ab7-572c-41dc-af21-e8d3d6ad3fe0\",\"w\":9,\"x\":26,\"y\":9},\"panelIndex\":\"396c3ab7-572c-41dc-af21-e8d3d6ad3fe0\",\"title\":\"Top DNS 
queries\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-880420b9-97fb-4f5a-8dd2-36f95cb02182\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"880420b9-97fb-4f5a-8dd2-36f95cb02182\":{\"columnOrder\":[\"45f3413c-e658-43ec-bf3a-ad25977fb32c\",\"c90d7c88-034f-42f4-94d2-605ae294940e\"],\"columns\":{\"45f3413c-e658-43ec-bf3a-ad25977fb32c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"user.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c90d7c88-034f-42f4-94d2-605ae294940e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"c90d7c88-034f-42f4-94d2-605ae294940e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"45f3413c-e658-43ec-bf3a-ad25977fb32c\",\"isTransposed\":false},{\"columnId\":\"c90d7c88-034f-42f4-94d2-605ae294940e\",\"hidden\":false,\"isTransposed\":false}],\"layerId\":\"880420b9-97fb-4f5a-8dd2-36f95cb02182\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"e48dfc31-ef5f-4696-904c-c5320e8dcac9\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"e48dfc31-ef5f-4696-904c-c5320e8dcac9\",\"title\":\"Top 
users\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3aa7199-d806-4c69-afd1-ae1cbfa7865e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3aa7199-d806-4c69-afd1-ae1cbfa7865e\":{\"columnOrder\":[\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\",\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\"],\"columns\":{\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of dns.question.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.type\"},\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\"],\"layerId\":\"a3aa7199-d806-4c69-afd1-ae1cbfa7865e\",\"legendDisplay\":\"default\",\"metric\":\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":6,\"i\":\"757dd906-982e-437f-aac0-b090310b9288\",\"w\":9,\"x\":26,\"y\":20},\"panelIndex\":\"757dd906-982e-437f-aac0-b090310b9288\",\"title\":\"DNS query 
types\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c8088761-74a6-433a-a405-f26c709cebe3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c8088761-74a6-433a-a405-f26c709cebe3\":{\"columnOrder\":[\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\",\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\"],\"columns\":{\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"file.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"file.name\"},\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\",\"isTransposed\":false},{\"columnId\":\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\",\"isTransposed\":false}],\"layerId\":\"c8088761-74a6-433a-a405-f26c709cebe3\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"355965cd-eb00-4357-bdd8-1640627d1191\",\"w\":13,\"x\":35,\"y\":12},\"panelIndex\":\"355965cd-eb00-4357-bdd8-1640627d1191\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-911bafb0-aeb7-4830-8a40-6166c96fb123\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"911bafb0-aeb7-4830-8a40-6166c96fb123\":{\"columnOrder\":[\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\",\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\"],\"columns\":{\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\"],\"layerId\":\"911bafb0-aeb7-4830-8a40-6166c96fb123\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"0325f703-a3cc-4a43-b621-974baae08c00\",\"w\":26,\"x\":0,\"y\":17},\"panelIndex\":\"0325f703-a3cc-4a43-b621-974baae08c00\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-35e353f8-fd89-43a0-ad8c-c5d202f098d2\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"35e353f8-fd89-43a0-ad8c-c5d202f098d2\":{\"columnOrder\":[\"b00df131-3742-4fa3-8645-032847f0266b\",\"b89debc2-4203-43c7-ba15-6612030f67bd\"],\"columns\":{\"b00df131-3742-4fa3-8645-032847f0266b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
alerts\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b89debc2-4203-43c7-ba15-6612030f67bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"b89debc2-4203-43c7-ba15-6612030f67bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"crowdstrike.fdr\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b00df131-3742-4fa3-8645-032847f0266b\",\"isTransposed\":false},{\"columnId\":\"b89debc2-4203-43c7-ba15-6612030f67bd\",\"isTransposed\":false}],\"layerId\":\"35e353f8-fd89-43a0-ad8c-c5d202f098d2\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"32c13eb0-f12d-44d8-8ec4-ea778840fabf\",\"w\":9,\"x\":26,\"y\":0},\"panelIndex\":\"32c13eb0-f12d-44d8-8ec4-ea778840fabf\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Crowdstrike] FDR Overview", + "version": 1 + }, + "coreMigrationVersion": "7.15.0", + "id": "crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f", + "migrationVersion": { + "dashboard": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "26961648-cc31-4ed6-a378-698523307b21:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26961648-cc31-4ed6-a378-698523307b21:layer_2_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"7564f2a4-7167-4d71-8ce2-ece32f217487:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7564f2a4-7167-4d71-8ce2-ece32f217487:indexpattern-datasource-layer-1928976e-020d-48bd-9887-d9fd1925f69e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7564f2a4-7167-4d71-8ce2-ece32f217487:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:indexpattern-datasource-layer-085f4952-432b-4bd3-9740-e99f42a7877b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e48dfc31-ef5f-4696-904c-c5320e8dcac9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e48dfc31-ef5f-4696-904c-c5320e8dcac9:indexpattern-datasource-layer-880420b9-97fb-4f5a-8dd2-36f95cb02182", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "757dd906-982e-437f-aac0-b090310b9288:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "757dd906-982e-437f-aac0-b090310b9288:indexpattern-datasource-layer-a3aa7199-d806-4c69-afd1-ae1cbfa7865e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "355965cd-eb00-4357-bdd8-1640627d1191:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "355965cd-eb00-4357-bdd8-1640627d1191:indexpattern-datasource-layer-c8088761-74a6-433a-a405-f26c709cebe3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0325f703-a3cc-4a43-b621-974baae08c00:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"0325f703-a3cc-4a43-b621-974baae08c00:indexpattern-datasource-layer-911bafb0-aeb7-4830-8a40-6166c96fb123", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:indexpattern-datasource-layer-35e353f8-fd89-43a0-ad8c-c5d202f098d2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:filter-index-pattern-0", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/crowdstrike/1.2.7/manifest.yml b/packages/crowdstrike/1.2.7/manifest.yml new file mode 100755 index 0000000000..3b40a3c6f4 --- /dev/null +++ b/packages/crowdstrike/1.2.7/manifest.yml 
@@ -0,0 +1,42 @@
+name: crowdstrike
+title: CrowdStrike Logs
+version: 1.2.7
+description: Collect and parse falcon logs from Crowdstrike products with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/logo-integrations-crowdstrike.svg
+ title: CrowdStrike
+ size: 216x216
+ type: image/svg+xml
+screenshots:
+ - src: /img/siem-alerts-cs.jpg
+ title: CrowdStrike SIEM Alerts
+ size: 3360x1776
+ type: image/jpg
+ - src: /img/siem-events-cs.jpg
+ title: CrowdStrike SIEM Events
+ size: 3360x1776
+ type: image/jpg
+ - src: /img/fdr-overview.png
+ title: CrowdStrike FDR Overview
+ size: 1535x626
+ type: image/png
+policy_templates:
+ - name: crowdstrike
+ title: CrowdStrike
+ description: Collect logs from CrowdStrike Falcon and FDR
+ inputs:
+ - type: logfile
+ title: "Collect CrowdStrike Falcon and FDR logs (input: logfile)"
+ description: "Collecting logs from CrowdStrike Falcon and FDR (input: logfile)"
+ - type: aws-s3
+ title: "Collect CrowdStrike Falcon Data Replicator logs (input: aws-s3)"
+ description: "Collecting logs from CrowdStrike Falcon Data Replicator (input: aws-s3)"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/github/0.3.4/changelog.yml b/packages/github/0.3.4/changelog.yml
new file mode 100755
index 0000000000..44ce5aae1e
--- /dev/null
+++ b/packages/github/0.3.4/changelog.yml
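Review bot: The three screenshot entries declare `type: image/jpg`, which is not a registered media type; the IANA type for JPEG is `image/jpeg`, so `type: image/jpeg` is the value to use. If the package validator accepts the non-standard spelling this is cosmetic, but any consumer that matches MIME types strictly will not recognise it. The `description` also spells the vendor `Crowdstrike` while `title`, the icon and the policy template use `CrowdStrike`; settling on one spelling keeps the catalog listing consistent.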
@@ -0,0 +1,51 @@
+# newer versions go on top
+- version: "0.3.4"
+ changes:
+ - description: Fix typo in config template for ignoring host enrichment
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3092
+- version: "0.3.3"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.3.2"
+ changes:
+ - description: Fix date format used in queries.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2732
+- version: "0.3.1"
+ changes:
+ - description: Resolve invalid query operator
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2664
+- version: "0.3.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2407
+- version: "0.2.2"
+ changes:
+ - description: Removes saved search used for testing
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2554
+- version: "0.2.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2259
+- version: "0.1.1"
+ changes:
+ - description: Update Title and Description.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1997
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/1760
diff --git a/packages/github/0.3.4/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/github/0.3.4/data_stream/audit/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..9dbed92e60
--- /dev/null
+++ b/packages/github/0.3.4/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,69 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+request.url: {{api_url}}/orgs/{{organization}}/audit-log
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+{{!-- https://github.community/t/new-feature-audit-log-rest-api-check-it-out/161512 --}}
+request.transforms:
+ - set:
+ target: header.Authorization
+ value: "Bearer {{access_token}}"
+ - set:
+ target: header.Accept
+ value: "application/vnd.github.v3+json"
+ - set:
+ target: url.params.phrase
+ value: '[[sprintf "created:>=%s" (formatDate .cursor.last_timestamp "2006-01-02T15:04:05-07:00")]]'
+ default: '[[sprintf "created:>=%s" (formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05-07:00")]]'
+ - set:
+ target: url.params.per_page
+ value: 100
+ - set:
+ target: url.params.include
+ value: all
+ - set:
+ target: url.params.order
+ value: asc
+
+request.rate_limit.limit: '[[ .last_response.header.Get "X-RateLimit-Limit" ]]'
+request.rate_limit.reset: '[[ .last_response.header.Get "X-RateLimit-Reset" ]]'
+request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaining" ]]'
+
+response.pagination:
+ - set:
+ target: url.value
+ value: '[[ getRFC5988Link "next" .last_response.header.Link ]]'
+ fail_on_template_error: true
+
+cursor:
+ last_timestamp:
+ value: '[[ .last_event.created_at ]]'
+
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
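Review bot: The `url.params.phrase` transform filters with `created:>=` on `.cursor.last_timestamp`, which is the last shipped event's own `created_at`, so every poll re-requests at least the newest event already collected; nothing in the template records that those duplicates are absorbed downstream by the ingest pipeline's `fingerprint` of `json._document_id` into `_id`, so the two files are silently coupled. A template comment above that `- set:` would make the dependency visible: `{{!-- created:>= is inclusive: the newest event is re-fetched each interval and deduplicated by the ingest pipeline's _id fingerprint --}}`. `request.url: {{api_url}}/orgs/{{organization}}/audit-log` is emitted as a plain scalar; quoting it, `request.url: "{{api_url}}/orgs/{{organization}}/audit-log"`, keeps an empty or special-character expansion from being retyped by the YAML parser. The `{{#if proxy_url }}` opener also carries a stray space that the other `{{#if ...}}` blocks do not.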
diff --git a/packages/github/0.3.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/github/0.3.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..1230312403 --- /dev/null +++ b/packages/github/0.3.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,158 @@
+---
+description: Pipeline for parsing GitHub audit logs
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: ecs.version
+ value: "8.0.0"
+- append:
+ field: event.type
+ value: access
+- append:
+ field: event.category
+ value: web
+- append:
+ field: event.category
+ value: iam
+- rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+- json:
+ field: event.original
+ target_field: json
+- fingerprint:
+ fields:
+ - json._document_id
+ target_field: "_id"
+ ignore_missing: true
+- date:
+ field: json.created_at
+ formats:
+ - UNIX_MS
+ timezone: UTC
+ target_field: "@timestamp"
+- rename:
+ field: json._document_id
+ target_field: event.id
+ ignore_missing: true
+- rename:
+ field: json.action
+ target_field: event.action
+ ignore_missing: true
+- rename:
+ field: json.actor
+ target_field: user.name
+ ignore_missing: true
+- append:
+ field: related.user
+ value: "{{user.name}}"
+ if: ctx.user?.name != null
+- rename:
+ field: json.org
+ target_field: github.org
+ ignore_missing: true
+- rename:
+ field: json.user
+ target_field: user.target.name
+ ignore_missing: true
+- append:
+ field: related.user
+ value: "{{user.target.name}}"
+ if: ctx.user?.target?.name != null
+- rename:
+ field: json.repo
+ target_field: github.repo
+ ignore_missing: true
+- rename:
+ field: json.team
+ target_field: github.team
+ ignore_missing: true
+- rename:
+ field: json.data.team
+ target_field: github.team
+ ignore_missing: true
+ if: ctx.github?.team == null
+- set:
+ field: group.name
+ copy_from: github.team
+ ignore_empty_value: true
+ if: ctx.event?.action.startsWith("team.")
+- set:
+ field: user.target.group.name
+ copy_from: github.team
+ ignore_empty_value: true
+ if: ctx.event?.action.startsWith("team.") && ctx.user?.target?.name != null
+- set:
+ field: group.name
+ copy_from: github.org
+ ignore_empty_value: true
+ if: ctx.event?.action.startsWith("org.")
+- set:
+ field: user.target.group.name
+ copy_from: github.org
+ ignore_empty_value: true
+ if: ctx.event?.action.startsWith("org.") && ctx.user?.target?.name != null
+- rename:
+ field: json.data.old_user
+ target_field: user.target.group.name
+ ignore_missing: true
+- rename:
+ field: json.data.old_user
+ target_field: user.target.group.name
+ ignore_missing: true
+ if: ctx.user?.target?.group?.name == null
+- rename:
+ field: json.actor_location.country_code
+ target_field: client.geo.country_iso_code
+ ignore_missing: true
+- grok:
+ field: event.action
+ ignore_missing: true
+ patterns:
+ - '^%{GH_CAT:github.category}\.%{GREEDYDATA}'
+ pattern_definitions:
+ GH_CAT: '[a-z_]+'
+- remove:
+ field:
+ - json
+ ignore_missing: true
+- remove:
+ field: event.original
+ if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+- script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ handleMap(ctx);
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/github/0.3.4/data_stream/audit/fields/agent.yml b/packages/github/0.3.4/data_stream/audit/fields/agent.yml
new file mode 100755
index 0000000000..4d9a6f7b36
--- /dev/null
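Review bot: The four `set` processors that copy `github.team`/`github.org` into `group.name` and `user.target.group.name` guard with `ctx.event?.action.startsWith(...)`, which null-checks `event` but not `action`; `json.action` is renamed with `ignore_missing: true`, so a record without an `action` leaves `ctx.event.action` null, `startsWith` throws, and the document lands in `on_failure` with only `error.message` set and the rest of the enrichment skipped. Guarding the field itself avoids that: `if: ctx.event?.action != null && ctx.event.action.startsWith("team.")`, and likewise for the two `org.` conditions. Separately, `json.data.old_user` is renamed to `user.target.group.name` twice in a row: the first rename is unconditional, so the guarded second one never has a source field left to move, and when the target was already populated by the preceding `set` processors an unconditional rename onto an existing field fails. Keeping only the conditional rename (with its `if: ctx.user?.target?.group?.name == null`) expresses the intent and removes the dead processor.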
+++ b/packages/github/0.3.4/data_stream/audit/fields/agent.yml 
@@ -0,0 +1,114 @@
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/github/0.3.4/data_stream/audit/fields/base-fields.yml b/packages/github/0.3.4/data_stream/audit/fields/base-fields.yml
new file mode 100755
index 0000000000..f087bfee14
--- /dev/null
+++ b/packages/github/0.3.4/data_stream/audit/fields/base-fields.yml
@@ -0,0 +1,23 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: github
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: github.audit
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/github/0.3.4/data_stream/audit/fields/ecs.yml b/packages/github/0.3.4/data_stream/audit/fields/ecs.yml
new file mode 100755
index 0000000000..089f10244c
--- /dev/null
+++ b/packages/github/0.3.4/data_stream/audit/fields/ecs.yml
@@ -0,0 +1,88 @@
+- description: Country ISO code.
+ name: client.geo.country_iso_code
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome.
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: Name of the group.
+ name: user.target.group.name
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.target.name
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
diff --git a/packages/github/0.3.4/data_stream/audit/fields/fields.yml b/packages/github/0.3.4/data_stream/audit/fields/fields.yml
new file mode 100755
index 0000000000..59930fc9dc
--- /dev/null
+++ b/packages/github/0.3.4/data_stream/audit/fields/fields.yml
@@ -0,0 +1,17 @@
+- name: github.org
+ type: keyword
+ description: >
+ GitHub organization name
+
+- name: github.team
+ type: keyword
+ description: >-
+ GitHub team name
+- name: github.repo
+ type: keyword
+ description: >-
+ GitHub repository name
+- name: github.category
+ type: keyword
+ description: >-
+ GitHub action category
diff --git a/packages/github/0.3.4/data_stream/audit/manifest.yml b/packages/github/0.3.4/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..fd72fb7ea5
--- /dev/null
+++ b/packages/github/0.3.4/data_stream/audit/manifest.yml
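Review bot: The `github.org` entry is the only one of the four that uses a clip folded scalar (`description: >` followed by a blank line), so its description value carries a trailing newline that the `>-` siblings do not. For consistency with the other three entries write `description: >-` and drop the blank line after `GitHub organization name`.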
@@ -0,0 +1,91 @@
+type: logs
+title: GitHub Audit Logs
+release: experimental
+streams:
+ - input: httpjson
+ vars:
+ - name: access_token
+ type: text
+ title: Personal Access Token
+ description: the GitHub Personal Access Token. Requires the 'admin:org' scope
+ multi: false
+ required: true
+ show_user: true
+ - name: organization
+ type: text
+ title: Organization Name
+ description: The GitHub organization name/ID
+ multi: false
+ required: true
+ show_user: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ default: 60s
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
+ default: 1h
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 730h # 30 days
+ description: Initial interval to poll for events. Default is 730 hours (30 days).
+ - name: api_url
+ type: text
+ title: API URL.
+ description: The API URL without the path.
+ multi: false
+ required: true
+ show_user: false
+ default: https://api.github.com
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - forwarded
+ - github-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
+ template_path: httpjson.yml.hbs
+ title: GitHub audit logs
+ description: Collect GitHub audit logs via the API
diff --git a/packages/github/0.3.4/data_stream/audit/sample_event.json b/packages/github/0.3.4/data_stream/audit/sample_event.json
new file mode 100755
index 0000000000..6e39ba2bfa
--- /dev/null
+++ b/packages/github/0.3.4/data_stream/audit/sample_event.json
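Review bot: The `access_token` var is declared `type: text`, so the GitHub token is rendered as an ordinary visible text field in the Fleet policy editor; the package spec's `password` var type exists for exactly this case and masks the value, so change it to `type: password`. The `proxy_url` description reads `http[s]://:@:`, which looks like angle-bracketed placeholders were lost in rendering; restating it with plain placeholders such as `URL to proxy connections in the form of http[s]://USER:PASSWORD@HOST:PORT` keeps the intent readable. The `interval` description says the value must be between 2m and 1h, but nothing in the manifest enforces that range, so a comment noting the constraint is documentation only would help the next maintainer. Finally, the token description asks for the broad `admin:org` scope; if GitHub's narrower `read:audit_log` scope is sufficient for the audit log endpoint this input calls, documenting that instead lets operators issue a least-privilege token — worth confirming against the API docs before changing the text.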
@@ -0,0 +1,64 @@ +{ + "@timestamp": "2020-11-18T17:05:48.837Z", + "agent": { + "ephemeral_id": "95d78df4-1364-43b9-ab4f-62fc70d21b04", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "github.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "repo.destroy", + "agent_id_status": "verified", + "category": [ + "web", + "iam" + ], + "created": "2022-02-03T12:34:05.664Z", + "dataset": "github.audit", + "id": "LwW2vpJZCDS-WUmo9Z-ifw", + "ingested": "2022-02-03T12:34:06Z", + "kind": "event", + "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}", + "type": [ + "access" + ] + }, + "github": { + "category": "repo", + "org": "mona-org", + "repo": "mona-org/mona-test-repo" + }, + "host": { + "name": "docker-fleet-agent" + }, + "input": { + "type": "httpjson" + }, + "related": { + "user": [ + "monalisa" + ] + }, + "tags": [ + "forwarded", + "github-audit", + "preserve_original_event" + ], + "user": { + "name": "monalisa" + } +} \ No newline at end of file diff --git a/packages/github/0.3.4/docs/README.md b/packages/github/0.3.4/docs/README.md new file mode 100755 index 0000000000..d927294b7c --- /dev/null +++ b/packages/github/0.3.4/docs/README.md 
@@ -0,0 +1,136 @@ +# GitHub Integration + +The GitHub integration collects audit events from the GitHub API. + +## Logs + +### Audit + +The GitHub audit log records all events related to the GitHub organization. See [https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#audit-log-actions](https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#audit-log-actions) for more details. + +To use this integration, you must be an organization owner, and you must use an Personal Access Token with the admin:org scope. + +*This integration is not compatible with GitHub Enterprise server.* + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.geo.country_iso_code | Country ISO code. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| github.category | GitHub action category | keyword | +| github.org | GitHub organization name | keyword | +| github.repo | GitHub repository name | keyword | +| github.team | GitHub team name | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.name | Short name or login of the user. 
| keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.group.name | Name of the group. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2020-11-18T17:05:48.837Z", + "agent": { + "ephemeral_id": "95d78df4-1364-43b9-ab4f-62fc70d21b04", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "github.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "repo.destroy", + "agent_id_status": "verified", + "category": [ + "web", + "iam" + ], + "created": "2022-02-03T12:34:05.664Z", + "dataset": "github.audit", + "id": "LwW2vpJZCDS-WUmo9Z-ifw", + "ingested": "2022-02-03T12:34:06Z", + "kind": "event", + "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}", + "type": [ + "access" + ] + }, + "github": { + "category": "repo", + "org": "mona-org", + "repo": "mona-org/mona-test-repo" + }, + "host": { + "name": "docker-fleet-agent" + }, + "input": { + "type": "httpjson" + }, + "related": { + "user": [ + "monalisa" + ] + }, + "tags": [ + "forwarded", + "github-audit", + "preserve_original_event" + ], + "user": { + "name": "monalisa" + } +} +``` \ No newline at end of file 
diff --git a/packages/github/0.3.4/img/github-audit-dashboard.png b/packages/github/0.3.4/img/github-audit-dashboard.png
new file mode 100755
index 0000000000..e6738cf99f
Binary files /dev/null and b/packages/github/0.3.4/img/github-audit-dashboard.png differ
diff --git a/packages/github/0.3.4/img/github-user-dashboard.png b/packages/github/0.3.4/img/github-user-dashboard.png
new file mode 100755
index 0000000000..d31984b7fa
Binary files /dev/null and b/packages/github/0.3.4/img/github-user-dashboard.png differ
diff --git a/packages/github/0.3.4/img/github.svg b/packages/github/0.3.4/img/github.svg
new file mode 100755
index 0000000000..a8d1174049
--- /dev/null
+++ b/packages/github/0.3.4/img/github.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/packages/github/0.3.4/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json
new file mode 100755
index 0000000000..50358b3d23
--- /dev/null
+++ b/packages/github/0.3.4/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json
@@ -0,0 +1,42 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"af01806a-78b1-4068-8d69-fa2ca952f365\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"af01806a-78b1-4068-8d69-fa2ca952f365\",\"panelRefName\":\"panel_af01806a-78b1-4068-8d69-fa2ca952f365\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"7d42442c-83c9-420d-8ef4-883eeb150687\",\"w\":24,\"x\":0,\"y\":7},\"panelIndex\":\"7d42442c-83c9-420d-8ef4-883eeb150687\",\"panelRefName\":\"panel_7d42442c-83c9-420d-8ef4-883eeb150687\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"w\":24,\"x\":24,\"y\":7},\"panelIndex\":\"76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"panelRefName\":\"panel_76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"w\":48,\"x\":0,\"y\":22},\"panelIndex\":\"1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"panelRefName\":\"panel_1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"type\":\"search\",\"version\":\"7.16.0\"}]", + "timeRestore": false, + "title": "[GitHub] User Change Audit", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "github-8bfd8310-205c-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", + "name": "af01806a-78b1-4068-8d69-fa2ca952f365:panel_af01806a-78b1-4068-8d69-fa2ca952f365", + "type": "visualization" 
+ }, + { + "id": "github-97737b60-20b5-11ec-8b10-11a4c5e322a0", + "name": "7d42442c-83c9-420d-8ef4-883eeb150687:panel_7d42442c-83c9-420d-8ef4-883eeb150687", + "type": "visualization" + }, + { + "id": "github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0", + "name": "76db3a0d-7562-4436-acd5-3cbfd4f6d044:panel_76db3a0d-7562-4436-acd5-3cbfd4f6d044", + "type": "visualization" + }, + { + "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", + "name": "1e435c96-c37f-4eb5-a4e5-2d446b2bf464:panel_1e435c96-c37f-4eb5-a4e5-2d446b2bf464", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..506153bc21 --- /dev/null +++ b/packages/github/0.3.4/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,62 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"w\":41,\"x\":0,\"y\":0},\"panelIndex\":\"63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"panelRefName\":\"panel_63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"b37e0c71-2cc3-4895-b839-383ce53561a8\",\"w\":7,\"x\":41,\"y\":0},\"panelIndex\":\"b37e0c71-2cc3-4895-b839-383ce53561a8\",\"panelRefName\":\"panel_b37e0c71-2cc3-4895-b839-383ce53561a8\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"panelRefName\":\"panel_fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-540},\"mapCenter\":{\"lat\":27.08856,\"lon\":-30.5613,\"zoom\":1},\"openTOCDetails\":[]},\"gridData\":{\"h\":18,\"i\":\"88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"w\":37,\"x\":0,\"y\":26},\"panelIndex\":\"88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"panelRefName\":\"panel_88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"type\":\"map\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":18,\"i\":\"0c469087-fb3f-46d3-8962-c49d2e50f70c\",\"w\":11,\"x\":37,\"y\":26},\"panelIndex\":\"0c469087-fb3f-46d3-896
2-c49d2e50f70c\",\"panelRefName\":\"panel_0c469087-fb3f-46d3-8962-c49d2e50f70c\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"w\":25,\"x\":0,\"y\":44},\"panelIndex\":\"108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"panelRefName\":\"panel_108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"9ed1cfce-9337-4813-8df5-14a1280bb351\",\"w\":23,\"x\":25,\"y\":44},\"panelIndex\":\"9ed1cfce-9337-4813-8df5-14a1280bb351\",\"panelRefName\":\"panel_9ed1cfce-9337-4813-8df5-14a1280bb351\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"d48a66a5-50e7-4cab-9b16-767bfa427860\",\"w\":48,\"x\":0,\"y\":63},\"panelIndex\":\"d48a66a5-50e7-4cab-9b16-767bfa427860\",\"panelRefName\":\"panel_d48a66a5-50e7-4cab-9b16-767bfa427860\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[GitHub] Audit Log Activity", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "github-dcee84c0-2059-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", + "name": "63210180-c999-4d93-8d7a-f2fcb810ad1b:panel_63210180-c999-4d93-8d7a-f2fcb810ad1b", + "type": "visualization" + }, + { + "id": "github-d7343340-20b3-11ec-8b10-11a4c5e322a0", + "name": "b37e0c71-2cc3-4895-b839-383ce53561a8:panel_b37e0c71-2cc3-4895-b839-383ce53561a8", + "type": "visualization" + }, + { + "id": "github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0", + "name": "fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9:panel_fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9", + "type": "visualization" + }, + { + "id": "github-871e5750-205e-11ec-8b10-11a4c5e322a0", + "name": 
"88887e58-b192-4c9b-85c7-14d18a6c1c0d:panel_88887e58-b192-4c9b-85c7-14d18a6c1c0d", + "type": "map" + }, + { + "id": "github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0", + "name": "0c469087-fb3f-46d3-8962-c49d2e50f70c:panel_0c469087-fb3f-46d3-8962-c49d2e50f70c", + "type": "visualization" + }, + { + "id": "github-61f60d00-20b4-11ec-8b10-11a4c5e322a0", + "name": "108cd1b7-ce79-4558-ae38-5f1bb93961fe:panel_108cd1b7-ce79-4558-ae38-5f1bb93961fe", + "type": "visualization" + }, + { + "id": "github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0", + "name": "9ed1cfce-9337-4813-8df5-14a1280bb351:panel_9ed1cfce-9337-4813-8df5-14a1280bb351", + "type": "visualization" + }, + { + "id": "github-c803b110-20b4-11ec-8b10-11a4c5e322a0", + "name": "d48a66a5-50e7-4cab-9b16-767bfa427860:panel_d48a66a5-50e7-4cab-9b16-767bfa427860", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..28e6fd92ec --- /dev/null +++ b/packages/github/0.3.4/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":0.75,\"id\":\"a427cb7d-077b-4c8a-8741-74f8f03283e2\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"],\"type\":\"EMS_FILE\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#6092C0\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#4379aa\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true},{\"alpha\":0.75,\"id\":\"a0ea096b-e0eb-43dd-8f75-c0d8c0e4ac9a\",\"includeInFitToBounds\":true,\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"id\":\"167d9148-ad58-4fa1-99eb-c3e75fc75f96\",\"indexPatternRefName\":\"layer_1_join_0_index_pattern\",\"indexPatternTitle\":\"logs-*\",\"term\":\"client.geo.country_iso_code\",\"type\":\"ES_TERM_SOURCE\"}}],\"label\":\"Events by 
Country\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"],\"type\":\"EMS_FILE\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", + "mapStateJSON": 
"{\"center\":{\"lat\":0,\"lon\":-29.82486},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-18M\",\"to\":\"now\"},\"zoom\":0.56}", + "title": "Activity Map by Actor Location [GitHub]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-871e5750-205e-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "layer_1_join_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..3becd882e0 --- /dev/null +++ b/packages/github/0.3.4/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,46 @@ +{ + "attributes": { + "columns": [ + "user.name", + "user.target.name", + "github.org", + "event.action" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"user.target.name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.target.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "GitHub Audit Users", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..6fcc2915aa --- /dev/null 
+++ b/packages/github/0.3.4/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json @@ -0,0 +1,36 @@ +{ + "attributes": { + "columns": [], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "GitHub Audit", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..e74ffec7ff --- /dev/null +++ b/packages/github/0.3.4/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Event Types [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 5 Event Types 
[GitHub]\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-61f60d00-20b4-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..bee75a85b9 --- /dev/null +++ b/packages/github/0.3.4/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Active Users [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 5 Active Users [GitHub]\",\"type\":\"horizontal_bar\"}" + }, + 
"coreMigrationVersion": "7.16.0", + "id": "github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..ffb543647f --- /dev/null +++ b/packages/github/0.3.4/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,50 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Controls Audit [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"github.org\",\"id\":\"1632831213212\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Organization\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"github.repo\",\"id\":\"1632831234336\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Repository\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user.name\",\"id\":\"1632872599896\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Actor\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user.target.name\",\"id\":\"1632872564349\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Users\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"event.action\",\"id\":\"1632874177516\",\"indexPatternRefName\":\"control_4_index_pattern\",\"label\":\"Action\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"pare
nt\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Controls Audit [GitHub]\",\"type\":\"input_control_vis\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_3_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_4_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..0b63b91066 --- /dev/null +++ b/packages/github/0.3.4/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Events per Organization [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"github.org\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"value\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Events per Organization [GitHub]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..2adad09de2 --- /dev/null +++ b/packages/github/0.3.4/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "User Changes [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":0,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"value\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"User Changes [GitHub]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-97737b60-20b5-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..ab96e88761 --- /dev/null +++ b/packages/github/0.3.4/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "User Change Timeline [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-18M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"1w\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"i
d\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Change Timeline [GitHub]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..862ffe3f0b --- /dev/null +++ b/packages/github/0.3.4/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Events over time [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-18M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"1w\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":
\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Events over time [GitHub]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..e833f96f8f --- /dev/null +++ b/packages/github/0.3.4/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Active Repositories [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Repository\",\"field\":\"github.repo\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 10 Active 
Repositories [GitHub]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-c803b110-20b4-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/0.3.4/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json b/packages/github/0.3.4/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..1b32797c76 --- /dev/null +++ b/packages/github/0.3.4/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Total Events [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\" \"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total Events [GitHub]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-d7343340-20b3-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/github/0.3.4/manifest.yml b/packages/github/0.3.4/manifest.yml
new file mode 100755
index 0000000000..325c2de7d7
--- /dev/null
+++ b/packages/github/0.3.4/manifest.yml
@@ -0,0 +1,35 @@
+name: github
+title: GitHub
+version: 0.3.4
+release: experimental
+description: Collect events from GitHub with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/github.svg
+ title: GitHub
+ size: 1024x1024
+ type: image/svg+xml
+screenshots:
+ - src: /img/github-audit-dashboard.png
+ title: GitHub audit overview
+ size: 3000x1788
+ type: image/png
+ - src: /img/github-user-dashboard.png
+ title: GitHub user overview
+ size: 2998x1631
+ type: image/png
+policy_templates:
+ - name: github
+ title: GitHub logs
+ description: Collect logs from GitHub
+ inputs:
+ - type: httpjson
+ title: "Collect GitHub logs via API"
+ description: "Collecting logs from GitHub via API"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/microsoft_sqlserver/0.4.5/changelog.yml b/packages/microsoft_sqlserver/0.4.5/changelog.yml
new file mode 100755
index 0000000000..70244b80e4
--- /dev/null
+++ b/packages/microsoft_sqlserver/0.4.5/changelog.yml
@@ -0,0 +1,52 @@
+# newer versions go on top
+- version: "0.4.5"
+ changes:
+ - description: Update Readme. Added links to Microsoft documentation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3058
+- version: "0.4.4"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.4.3"
+ changes:
+ - description: Fix field conflict for `winlog.record_id`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2894
+- version: "0.4.2"
+ changes:
+ - description: Fix mapper_parsing_exception when parsing sqlserver.audit.event_time.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2813
+- version: "0.4.1"
+ changes:
+ - description: Change owner to SEI
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2650
+- version: "0.4.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2493
+- version: "0.3.0"
+ changes:
+ - description: Expose winlog input ignore_older option.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2542
+ - description: Fix preserve original event option
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2542
+ - description: Make order of options consistent with other winlog based integrations.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2542
+- version: "0.2.0"
+ changes:
+ - description: Expose winlog input language option.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2344
+- version: "0.1.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2009
diff --git a/packages/microsoft_sqlserver/0.4.5/data_stream/audit/agent/stream/winlog.yml.hbs b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/agent/stream/winlog.yml.hbs
new file mode 100755
index 0000000000..ed053196d1
--- /dev/null
+++ b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/agent/stream/winlog.yml.hbs
@@ -0,0 +1,22 @@
+name: {{channel}}
+condition: ${host.platform} == 'windows'
+event_id: {{event_id}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#if processors.length}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/microsoft_sqlserver/0.4.5/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..2f4f84e8d0
--- /dev/null
+++ b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
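Review bot: The user-supplied substitutions in this stream template are emitted as unquoted YAML scalars — `name: {{channel}}` and the `- {{tag}}` items in particular — so the agent re-parses whatever the policy author typed, and a tag such as `no`, `2022-01-01`, or one containing `: ` or ` #` is retyped or breaks the rendered config instead of arriving as a string. Quoting them at the template level, `name: "{{channel}}"` and `- "{{tag}}"`, keeps the rendered values as strings without changing anything for ordinary inputs. `event_id: {{event_id}}` is presumably fine unquoted if the winlog input accepts a number there, but that is worth confirming against the input's schema rather than assumed.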
@@ -0,0 +1,1280 @@ +--- +description: Pipeline for processing SQL Server audit logs +processors: +- set: + field: ecs.version + value: 8.0.0 +- gsub: + description: Strip final dot from param1. + field: winlog.event_data.param1 + pattern: '(?m)^\.$' + replacement: '' + if: ctx?.winlog?.event_id == "33205" +- dissect: + description: Extract statement + pattern: "%{}statement:%{_temp.stmt}\nadditional_information:%{}" + field: winlog.event_data.param1 +- gsub: + field: winlog.event_data.param1 + pattern: 'statement:(.*\s)*(?=additional_information:)' + replacement: '' +- kv: + field: winlog.event_data.param1 + field_split: \n + value_split: ':' + target_field: sqlserver.audit + trim_key: \n + trim_value: \n +- set: + field: sqlserver.audit.statement + copy_from: _temp.stmt +- set: + field: log.level + copy_from: winlog.log.level + ignore_empty_value: true + if: ctx?.winlog?.log?.level != "" +- date: + field: sqlserver.audit.event_time + formats: + - "yyyy-MM-dd HH:mm:ss.SSSSSSS" +## +# Set host.mac to dash separated upper case value +# as per ECS recommendation +## +- gsub: + field: host.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true +- gsub: + field: host.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true +- uppercase: + field: host.mac + ignore_missing: true +## +# Event kind, code and action +## +- set: + field: event.kind + value: event +- append: + field: event.category + value: database +- trim: + field: sqlserver.audit.action_id + ignore_missing: true +- trim: + field: sqlserver.audit.class_type + ignore_missing: true +- uppercase: + field: sqlserver.audit.action_id + ignore_missing: true +- uppercase: + field: sqlserver.audit.class_type + ignore_missing: true +- script: + lang: painless + description: The script processor enables setting event type, action and category based on action_id and class_type fields. 
+ params: + classtypes: + "DB": "DATABASE" + "OB": "OBJECT" + "TY": "TYPE" + "SC": "SCHEMA" + "SX": "XML SCHEMA COLLECTION" + "AS": "ASSEMBLY" + "US": "USER" + "RL": "ROLE" + "AR": "APPLICATION ROLE" + "MT": "MESSAGE TYPE" + "CT": "CONTRACT" + "SV": "SERVICE" + "BN": "REMOTE SERVICE BINDING" + "RT": "ROUTE" + "FC": "FULLTEXT CATALOG" + "FL": "FULLTEXT STOPLIST" + "FP": "SEARCH PROPERTY LIST" + "SK": "SYMMETRIC KEY" + "CR": "CERTIFICATE" + "AK": "ASYMMETRIC KEY" + "DC": "DATABASE SCOPED CREDENTIAL" + "EL": "EXTERNAL LIBRARY" + "LA": "EXTERNAL LANGUAGE" + "SR": "SERVER" + "EP": "ENDPOINT" + "SG": "SERVER ROLE" + "AG": "AVAILABILITY GROUP" + "LX": "LOGIN" + "CK": "COLUMN ENCRYPTION KEY" + "CM": "COLUMN MASTER KEY" + "DA": "DATABASE AUDIT SPECIFICATION" + "DU": "AUDIT" + "DS": "DATABASE SCOPED CONFIGURATION" + "DR": "DATABASE SCOPED RESOURCE GOVERNOR" + "DN": "EVENT NOTIFICATION DATABASE" + "DT": "TRIGGER DATABASE" + "MK": "MASTER KEY" + "DK": "DATABASE ENCRYPTION KEY" + "ON": "EVENT NOTIFICATION OBJECT" + "PF": "PARTITION FUNCTION" + "PR": "BROKER PRIORITY" + "PS": "PARTITION SCHEME" + "DE": "DATABASE EVENT SESSION" + "AQ": "ADHOC QUERY" + "AF": "AGGREGATE" + "AP": "Undocumented" + "C": "CHECK CONSTRAINT" + "D": "DEFAULT" + "EC": "EDGE CONSTRAINT" + "EN": "EVENT NOTIFICATION" + "F": "FOREIGN KEY CONSTRAINT" + "FS": "FUNCTION SCALAR ASSEMBLY" + "FT": "FUNCTION TABLE-VALUED ASSEMBLY" + "FN": "FUNCTION SCALAR SQL" + "IX": "INDEX" + "IF": "FUNCTION TABLE-VALUED INLINE SQL" + "IS": "FUNCTION SCALAR INLINE SQL" + "IT": "INTERNAL TABLE" + "PQ": "PREPARED ADHOC QUERY" + "PK": "PRIMARY KEY" + "P": "STORED PROCEDURE" + "PC": "STORED PROCEDURE ASSEMBLY" + "RF": "STORED PROCEDURE REPLICATION FILTER" + "R": "RULE" + "SP": "SECURITY POLICY" + "SO": "SEQUENCE OBJECT" + "ST": "STATISTICS" + "SQ": "QUEUE" + "SN": "SYNONYM" + "S": "TABLE SYSTEM" + "TF": "FUNCTION TABLE-VALUED SQL" + "TA": "TRIGGER ASSEMBLY" + "TR": "TRIGGER" + "UQ": "UNIQUE CONSTRAINT" + "U": "TABLE" + "V": "VIEW" + 
"X": "STORED PROCEDURE EXTENDED" + "XR": "XREL TREE" + "AU": "ASYMMETRIC KEY USER" + "CU": "CERTIFICATE USER" + "GU": "GROUP USER" + "SU": "SQL USER" + "WU": "WINDOWS USER" + "XU": "EXTERNAL USER" + "PU": "EXTERNAL GROUP USER" + "A": "SERVER AUDIT" + "CD": "CREDENTIAL" + "CP": "CRYPTOGRAPHIC PROVIDER" + "ED": "EXTERNAL DATA SOURCE" + "EF": "EXTERNAL FILE FORMAT" + "RG": "RESOURCE GOVERNOR" + "SA": "SERVER AUDIT SPECIFICATION" + "SD": "EVENT NOTIFICATION SERVER" + "T": "TRIGGER SERVER" + "SE": "EVENT SESSION" + "CO": "SERVER CONFIG" + "AL": "ASYMMETRIC KEY LOGIN" + "CL": "CERTIFICATE LOGIN" + "SL": "SQL LOGIN" + "WG": "WINDOWS GROUP" + "WL": "WINDOWS LOGIN" + "ER": "EXTERNAL RESOURCE POOL" + "EX": "EXTERNAL SCRIPT QUERY" + "PL": "EXTERNAL GROUP LOGIN" + "XL": "EXTERNAL LOGIN" + actions: + "ACDO": + value: "DATABASE_OBJECT_ACCESS_GROUP" + type: + - access + action: database-object-accessed + "ACO": + value: "SCHEMA_OBJECT_ACCESS_GROUP" + type: + - access + action: schema-object-permission-checked + "ADBO": + value: "BULK ADMIN" + type: + - change + action: bulk-admin-operation + "ADDP": + value: "DATABASE_ROLE_MEMBER_CHANGE_GROUP" + type: + - admin + - change + - user + category: + - iam + action: login-changed-from-database-role + "ADFR": + # SQL 2019 feature to tackle dynamic SQL + # and SQL injection threats. By restricting + # ErrorMessages and WaitFor statement. 
+ value: "ADD FEATURE RESTRICTION" + type: + - info + action: add-feature-restriction + "ADSC": + value: "ADD SENSITIVITY CLASSIFICATION" + type: + - change + action: add-sensitivity-classification-to-db-columns + "ADSP": + value: "SERVER_ROLE_MEMBER_CHANGE_GROUP" + type: + - admin + - change + - user + category: + - iam + action: login-changed-from-server-role + "AL": + value: "ALTER" + type: + - change + action: alter-object + "ALCN": + value: "ALTER CONNECTION" + type: + - change + - connection + category: + - network + action: alter-connection + "ALRS": + value: "ALTER RESOURCES" + type: + - change + action: alter-resources + "ALSS": + value: "ALTER SERVER STATE" + type: + - change + action: alter-server-state + "ALST": + value: "ALTER SETTINGS" + type: + - change + category: + - configuration + action: alter-settings + "ALTR": + value: "ALTER TRACE" + type: + - change + action: alter-trace + "APRL": + value: "ADD MEMBER" + type: + - change + action: add-member + "AS": + value: "ACCESS" + type: + - access + action: access-object + "AUSC": + # To troubleshoot what goes on after this event + # configure login auditing + # https://docs.microsoft.com/en-us/sql/ssms/configure-login-auditing-sql-server-management-studio + value: "AUDIT SESSION CHANGED" + type: + - change + action: audit-session-changed + "AUSF": + # https://docs.microsoft.com/en-us/sql/t-sql/statements/create-server-audit-transact-sql + # See ON_FAILURE + value: "AUDIT SHUTDOWN ON FAILURE" + type: + - error + action: audit-write-failed-database-shutdown + "AUTH": + # Changing authentication mode for login + value: "AUTHENTICATE" + type: + - info + action: authenticate + "BA": + # https://docs.microsoft.com/en-us/sql/t-sql/statements/backup-transact-sql + value: "BACKUP" + type: + - info + action: database-backup-executed + "BAL": + # https://docs.microsoft.com/en-us/sql/t-sql/statements/backup-transact-sql + value: "BACKUP LOG" + type: + - info + action: transaction-log-backup-executed + "BCM": + 
value: "BATCH COMPLETED" + type: + - info + action: transact-sql-batch-completed + "BCMG": + value: "BATCH_COMPLETED_GROUP" + type: + - info + action: batch-text-stored-proc-or-txn-mgmt-op-ended + "BRDB": + value: "BACKUP_RESTORE_GROUP" + type: + - admin + action: backup-or-restore-command-issued + "BST": + value: "BATCH STARTED" + type: + - info + action: transact-sql-batch-started + "BSTG": + value: "BATCH_STARTED_GROUP" + type: + - info + action: batch-text-stored-proc-txn-mgmt-op-started + "C2OF": + # https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/c2-audit-mode-server-configuration-option + value: "TRACE AUDIT C2OFF" + type: + - change + action: c2-audit-mode-server-config-off + "C2ON": + value: "TRACE AUDIT C2ON" + type: + - info + action: c2-audit-mode-server-config-on + "CCLG": + value: "CHANGE LOGIN CREDENTIAL" + type: + - change + action: change-login-credential + "CMLG": + value: "CREDENTIAL MAP TO LOGIN" + type: + - change + action: credential-mapped-to-sql-server-login + "CNAU": + value: "AUDIT_CHANGE_GROUP" + type: + - change + action: audit-or-audit-spec-changed + "CO": + # nodoc or TSQL + value: "CONNECT" + type: + - info + action: connect + "CP": + value: "CHECKPOINT" + type: + - info + action: checkpoint-created + "CR": + value: "CREATE" + type: + - info + action: create + "DABO": + # bulk ops like bulk insert, copy, load + # and so on. + value: "DATABASE BULK ADMIN" + type: + - change + action: database-bulk-admin + "DAGF": + # principal login to contained database failed. 
+ # https://docs.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable + value: "FAILED_DATABASE_AUTHENTICATION_GROUP" + type: + - error + action: principal-login-failed + "DAGL": + value: "DATABASE_LOGOUT_GROUP" + type: + - info + - end + category: + - session + action: contained-database-user-logout + "DAGS": + value: "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP" + type: + - info + - start + category: + - session + action: principal-login-to-contained-database-successful + "DBAF": + # nodoc + value: "DATABASE AUTHENTICATION FAILED" + type: + - error + action: database-authentication-failed + "DBAS": + value: "DATABASE AUTHENTICATION SUCCEEDED" + type: + - access + - info + action: database-authentication-succeeded + "DBCC": + # https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-transact-sql + value: "DBCC" + type: + - change + category: + - configuration + action: principal-issued-dbcc-command + "DBCG": + value: "DBCC_GROUP" + type: + - change + category: + - configuration + action: principal-issued-dbcc-command + "DBL": + # nodoc + value: "DATABASE LOGOUT" + type: + - end + category: + - session + action: database-logout + "D": + # TSQL + value: "DENY" + type: + - info + action: permission-denied-to-principal + "DL": + # nodoc + # TSQL DELETE + value: "DELETE" + type: + - change + action: delete + "DPRL": + # ? https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-droprolemember-transact-sql + value: "DROP MEMBER" + type: + - info + action: drop-security-account-from-role + "DR": + value: "DROP" + type: + - change + action: drop-object + "DRFR": + # SQL 2019 feature to tackle dynamic SQL + # and SQL injection threats. By restricting + # ErrorMessages and WaitFor statement. 
+ value: "DROP FEATURE RESTRICTION" + type: + - change + action: drop-feature-restriction + "DRSC": + value: "DROP SENSITIVITY CLASSIFICATION" + type: + - change + action: drop-sensitivity-classification-from-db-columns + "DWC": + # TSQL + value: "DENY WITH CASCADE" + type: + - change + action: permission-denied-with-cascade + "EX": + value: "EXECUTE" + type: + - info + action: execute-stored-proc-or-function + "FRCG": + # nodoc + # 2019 feature see ADFR and DRFR + value: "FEATURE_RESTRICTION_CHANGE_GROUP" + type: + - change + action: feature-restriction-changed + "FT": + # nodoc + # using FTG + value: "FULLTEXT" + type: + - info + action: fulltext-event-occurred + "FTG": + value: "FULLTEXT_GROUP" + type: + - info + action: fulltext-event-occurred + "G": + # TSQL + value: "GRANT" + type: + - info + action: grant-permission-to-principal + "GRDB": + value: "DATABASE_PERMISSION_CHANGE_GROUP" + type: + - change + action: grant-revoke-or-deny-permission + "GRDO": + value: "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP" + type: + - change + action: grant-revoke-or-deny-permission-on-schema-or-assemblies + "GRO": + # schema objects like database tables, views etc. 
+ value: "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP" + type: + - change + action: grant-revoke-or-deny-permission-on-schema-objects + "GRSO": + value: "SERVER_OBJECT_PERMISSION_CHANGE_GROUP" + type: + - change + action: grant-revoke-or-deny-permission-on-server-objects + "GRSV": + value: "SERVER_PERMISSION_CHANGE_GROUP" + type: + - change + action: grant-revoke-or-deny-permission-issued-in-server-scope + "GWG": + # TSQL + value: "GRANT WITH GRANT" + type: + - info + action: grant-with-grant-issued-to-principal + "IMDP": + value: "DATABASE_PRINCIPAL_IMPERSONATION_GROUP" + type: + - info + action: database-user-impersonation-occurred + "IMP": + # nodoc + # using IMDP + value: "IMPERSONATE" + type: + - info + action: database-user-impersonation-occurred + "IMSP": + value: "SERVER_PRINCIPAL_IMPERSONATION_GROUP" + type: + - user + action: server-login-impersonation-occurred + "IN": + value: "INSERT" + type: + - info + action: insert + "LGB": + # nodoc + # using LGBG + value: "BROKER LOGIN" + type: + - info + action: service-broker-transport-security-event + "LGBG": + value: "BROKER_LOGIN_GROUP" + type: + - info + action: service-broker-transport-security-event + "LGDA": + # Can be disable trigger or indexes and constraints + value: "DISABLE" + type: + - change + action: disable + "LGDB": + value: "CHANGE DEFAULT DATABASE" + type: + - change + action: change-default-database + "LGEA": + value: "ENABLE" + type: + - info + action: enable + "LGFL": + value: "FAILED_LOGIN_GROUP" + type: + - error + category: + - authentication + action: principal-login-failed + "LGGG": + # nodoc + value: "GLOBAL_TRANSACTIONS_LOGIN_GROUP" + type: + - info + action: global-transactions-login + "LGG": + # nodoc + # https://www.manageengine.com/products/eventlog/sql-auditing/global-transaction-login-in-sql-server-24337.html + value: "GLOBAL TRANSACTIONS LOGIN" + type: + - info + action: global-transactions-login + "LGIF": + value: "LOGIN FAILED" + type: + - error + category: + - authentication + 
action: login-failed + "LGIS": + value: "LOGIN SUCCEEDED" + type: + - info + - start + category: + - session + action: login-succeeded + "LGLG": + value: "CHANGE DEFAULT LANGUAGE" + type: + - change + action: change-default-language + "LGM": + # using LGMG + value: "DATABASE MIRRORING LOGIN" + type: + - info + action: database-mirroring-transport-security-event + "LGMG": + value: "DATABASE_MIRRORING_LOGIN_GROUP" + type: + - info + action: database-mirroring-transport-security-event + "LGNM": + value: "NAME CHANGE" + type: + - change + action: name-change + "LGO": + value: "LOGOUT" + type: + - end + category: + - session + action: logout + "LGSD": + value: "SUCCESSFUL_LOGIN_GROUP" + type: + - info + - start + category: + - session + action: user-login-succeeded + "LGSG": + # nodoc + value: "STORAGE_LOGIN_GROUP" + type: + - info + action: storage-login + "LGS": + # nodoc + value: "STORAGE LOGIN" + type: + - info + action: storage-login + "LO": + value: "LOGOUT_GROUP" + type: + - info + - end + category: + - session + action: user-logout-succeeded + "MNDB": + value: "DATABASE_CHANGE_GROUP" + type: + - change + action: database-created-altered-or-dropped + "MNDO": + value: "DATABASE_OBJECT_CHANGE_GROUP" + type: + - change + action: database-object-created-altered-or-dropped + "MNDP": + value: "DATABASE_PRINCIPAL_CHANGE_GROUP" + type: + - change + action: principals-created-altered-or-dropped + "MNO": + value: "SCHEMA_OBJECT_CHANGE_GROUP" + type: + - change + action: schema-object-create-alter-or-dropped + "MNSO": + # server objects like databases or endpoints + value: "SERVER_OBJECT_CHANGE_GROUP" + type: + - change + action: server-object-create-alter-or-dropped + "MNSP": + value: "SERVER_PRINCIPAL_CHANGE_GROUP" + type: + - change + action: server-principal-create-alter-or-dropped + "NMLG": + # no credential map to login probably unable to execute + # external operation + # 
https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-credential + value: "NO CREDENTIAL MAP TO LOGIN" + type: + - error + action: no-credential-map-to-login + "OPDB": + value: "DATABASE_OPERATION_GROUP" + type: + - info + action: db-checkpoint-or-subscribe-query-notification-executed + "OP": + # open cursor + value: "OPEN" + type: + - access + action: open + "OPSV": + value: "SERVER_OPERATION_GROUP" + type: + - change + action: alter-settings-resources-or-external-access + "PWAR": + value: "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP" + type: + - change + action: password-changed-for-application-role + "PWC": + # nodoc + # using PWAR + value: "CHANGE PASSWORD" + type: + - change + action: password-changed-for-application-role + "PWCG": + value: "LOGIN_CHANGE_PASSWORD_GROUP" + type: + - change + action: login-password-changed-via-alter-or-sp-password + "PWCS": + # nodoc + value: "CHANGE OWN PASSWORD" + type: + - change + action: change-own-password + "PWEX": + # nodoc + value: "PASSWORD EXPIRATION" + type: + - info + action: password-expired + "PWMC": + # nodoc + value: "MUST CHANGE PASSWORD" + type: + - info + action: must-change-password + "PWPL": + # nodoc + value: "PASSWORD POLICY" + type: + - info + action: password-policy + "PWR": + # nodoc + value: "RESET PASSWORD" + type: + - change + action: reset-password + "PWRS": + # nodoc + value: "RESET OWN PASSWORD" + type: + - change + action: reset-own-password + "PWU": + # TSQL ALTER LOGIN UNLOCK + value: "UNLOCK ACCOUNT" + type: + - change + action: unlock-sql-server-login-account + "RCM": + value: "RPC COMPLETED" + type: + - end + category: + - network + action: rpc-completed + "RC": + value: "RECEIVE" + type: + - access + action: retrieve-message-from-queue + "RF": + value: "REFERENCES" + type: + - info + action: references + "R": + value: "REVOKE" + type: + - change + action: remove-granted-or-denied-permission + "RS": + value: "RESTORE" + type: + - change + action: 
restore-database-backup + "RST": + value: "RPC STARTED" + type: + - start + category: + - network + action: rpc-started + "RWC": + value: "REVOKE WITH CASCADE" + type: + - change + action: revoke-granted-or-denied-permission-with-cascade + "RWG": + value: "REVOKE WITH GRANT" + type: + - change + action: revoke-with-grant + "SCCG": + # sensitivity classification for columns + # https://docs.microsoft.com/en-us/sql/t-sql/statements/add-sensitivity-classification-transact-sql + value: "SENSITIVITY_CLASSIFICATION_CHANGE_GROUP" + type: + - change + action: sensitivity-classification-changed + "SL": + value: "SELECT" + type: + - access + action: select + "SN": + value: "SEND" + type: + - access + action: send-message-to-queue + "SPLN": + # https://docs.microsoft.com/en-us/sql/t-sql/statements/set-showplan-all-transact-sql + value: "SHOW PLAN" + type: + - info + action: show-plan + "STSV": + value: "SERVER_STATE_CHANGE_GROUP" + type: + - info + action: server-service-state-changed + "SUQN": + value: "SUBSCRIBE QUERY NOTIFICATION" + type: + - info + action: subscribe-query-notification + "SVCN": + value: "SERVER CONTINUE" + type: + - change + action: server-service-state-changed-to-continue + "SVPD": + value: "SERVER PAUSED" + type: + - change + action: server-service-state-changed-to-paused + "SVSD": + value: "SERVER SHUTDOWN" + type: + - change + action: server-service-state-changed-to-shutdown + "SVSR": + value: "SERVER STARTED" + type: + - change + action: server-service-state-changed-to-start + "TASA": + # nodoc + value: "TRACE AUDIT START" + type: + - info + action: trace-audit-start + "TASP": + # nodoc + value: "TRACE AUDIT STOP" + type: + - info + action: trace-audit-stop + "TODB": + value: "DATABASE_OWNERSHIP_CHANGE_GROUP" + type: + - change + action: permission-check-performed-to-change-database-owner + "TODO": + value: "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP" + type: + - change + action: database-object-owner-changed + "TOO": + value: 
"SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP" + type: + - info + action: permission-check-performed-to-change-schema-object + "TOSO": + value: "SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP" + type: + - change + action: server-scoped-object-owner-changed + "TO": + # nodoc + value: "TAKE OWNERSHIP" + type: + - info + action: take-ownership + "TRBC": + value: "TRANSACTION BEGIN COMPLETED" + type: + - info + action: transaction-begin-completed + "TRBS": + value: "TRANSACTION BEGIN STARTING" + type: + - info + action: transaction-begin-starting + "TRCC": + value: "TRANSACTION COMMIT COMPLETED" + type: + - info + action: transaction-commit-completed + "TRCG": + value: "TRACE_CHANGE_GROUP" + type: + - info + action: permission-checked-for-alter-trace + "TRCS": + value: "TRANSACTION COMMIT STARTING" + type: + - info + action: transaction-commit-starting + "TRGC": + value: "TRANSACTION PROPAGATE COMPLETED" + type: + - info + action: transaction-propogation-completed + "TRGS": + value: "TRANSACTION PROPAGATE STARTING" + type: + - info + action: transaction-propogation-starting + "TRO": + value: "TRANSFER" + type: + - info + action: data-transfer + "TRPC": + # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration-data-access-transactions/transaction-promotion + value: "TRANSACTION PROMOTE COMPLETED" + type: + - info + action: local-to-distributed-transaction-promote-completed + "TRPS": + # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration-data-access-transactions/transaction-promotion + value: "TRANSACTION PROMOTE STARTING" + type: + - info + action: local-to-distributed-transaction-promote-starting + "TRRC": + value: "TRANSACTION ROLLBACK COMPLETED" + type: + - info + action: transaction-rollback-completed + "TRRS": + value: "TRANSACTION ROLLBACK STARTING" + type: + - info + action: transaction-rollback-starting + "TRSC": + value: "TRANSACTION SAVEPOINT COMPLETED" + type: + - info + action: transaction-savepoint-completed + "TRSS": + value: 
"TRANSACTION SAVEPOINT STARTING" + type: + - info + action: transaction-savepoint-starting + "TXBG": + value: "TRANSACTION BEGIN" + type: + - info + action: transaction-begin + "TXCG": + value: "TRANSACTION_COMMIT_GROUP" + type: + - info + action: transaction-commit-group-event + "TXCM": + value: "TRANSACTION COMMIT" + type: + - info + action: transaction-commit + "TXGG": + value: "TRANSACTION_BEGIN_GROUP" + type: + - info + action: transaction-begin-group-event + "TXRB": + value: "TRANSACTION ROLLBACK" + type: + - info + action: transaction-rollback + "TXRG": + value: "TRANSACTION_ROLLBACK_GROUP" + type: + - info + action: transaction-rollback-group + "TX": + value: "TRANSACTION_GROUP" + type: + - info + action: transaction-event-occurred + "UCGP": + value: "USER_CHANGE_PASSWORD_GROUP" + type: + - change + action: password-of-contained-database-user-changed + "UDAG": + value: "USER_DEFINED_AUDIT_GROUP" + type: + - info + action: user-defined-audit-event-sp-audit-write + "UDAU": + value: "USER DEFINED AUDIT" + type: + - info + action: user-defined-audit-event-sp-audit-write + "UNDG": + value: "STATEMENT_ROLLBACK_GROUP" + type: + - info + action: statement-rollback-group + "UNDO": + value: "STATEMENT ROLLBACK" + type: + - info + action: statement-rollback + "UP": + value: "UPDATE" + type: + - change + action: update + "USAF": + value: "CHANGE USERS LOGIN AUTO" + type: + - change + action: change-users-login-auto + "USLG": + value: "CHANGE USERS LOGIN" + type: + - change + action: change-users-login + "USTC": + # https://docs.microsoft.com/en-us/troubleshoot/sql/security/transfer-logins-passwords-between-instances + value: "COPY PASSWORD" + type: + - info + action: password-copied + "VDST": + value: "VIEW DATABASE STATE" + type: + - info + action: view-database-state + "VSST": + value: "VIEW SERVER STATE" + type: + - info + action: view-server-state + "VWCT": + value: "VIEW CHANGETRACKING" + type: + - info + action: view-change-tracking + "VW": + value: "VIEW" + 
type: + - info + action: view + "XA": + # see EXTERNAL_ACCESS + # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/assemblies/creating-an-assembly + value: "EXTERNAL ACCESS ASSEMBLY" + type: + - access + category: + - network + - registry + action: external-access-assembly + "XU": + # see UNSAFE + # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/assemblies/creating-an-assembly + value: "UNSAFE ASSEMBLY" + type: + - access + action: unsafe-assembly + source: |- + def actionIdKey = ctx.sqlserver.audit.action_id; + def actions = params.get('actions'); + def classTypes = params.get('classtypes'); + // handle class type + // overwrite the abbreviated key with its value + def ct = classTypes.get(ctx.sqlserver.audit.class_type); + if (ct != null) { + ctx.sqlserver.audit.class_type = ct; + } + // error case - for unhandled action ids + def actionData = actions.get(actionIdKey); + if (actionData == null) { + ctx.event.action = 'unknown-' + actionIdKey.toLowerCase(); + ctx.event.type = ['info']; + return; + } + // overwrite the action id with its actual value + ctx.sqlserver.audit.action_id = actionData.get('value'); + // event.type + def actionType = actionData.get('type'); + if (actionType != null) { + ctx.event.type = new ArrayList(actionType); + } + // event.category + def actionCategory = actionData.get('category'); + if (actionCategory != null) { + for (def c : actionCategory) { + ctx.event.category.add(c); + } + } + // event.action + def action = actionData.get('action'); + if (action != null) { + ctx.event.action = action; + } +- convert: + field: sqlserver.audit.sequence_number + type: integer + ignore_missing: true +- convert: + field: sqlserver.audit.succeeded + type: boolean + ignore_missing: true +- convert: + field: sqlserver.audit.affected_rows + type: long + ignore_missing: true +- convert: + field: sqlserver.audit.response_rows + type: long + ignore_missing: true +- convert: + field: 
sqlserver.audit.is_column_permission + type: boolean + ignore_missing: true +- script: + lang: painless + description: Convert ms to ns and set it to event.duration + source: |- + def v = ctx?.sqlserver?.audit?.duration_milliseconds; + if (v != null) { + ctx.event.duration = Long.parseLong(v) * 1000000; + } +- rename: + field: winlog.process + target_field: process + ignore_missing: true +## +# Set user.name, user.domain and user.id values from +# SPN +## +- dissect: + description: Extract user domain and name + pattern: "%{_temp.domain}\\%{_temp.username}" + field: sqlserver.audit.server_principal_name + if: 'ctx?.sqlserver?.audit?.server_principal_name != null && ctx?.sqlserver?.audit?.server_principal_name.contains("\\")' + ignore_missing: true +- set: + description: Set username as is if domain is not present + field: user.name + copy_from: sqlserver.audit.server_principal_name + if: 'ctx?.sqlserver?.audit?.server_principal_name != null && !ctx?.sqlserver?.audit?.server_principal_name.contains("\\")' +- set: + description: Set username if it was extracted from Domain\User format + field: user.name + copy_from: _temp.username + if: "ctx?._temp?.username != null" +- set: + description: Set domain if it was extracted from Domain\User format + field: user.domain + copy_from: _temp.domain + if: "ctx?._temp?.domain != null" +- set: + field: user.id + copy_from: sqlserver.audit.server_principal_sid +- set: + field: user.target.name + copy_from: sqlserver.audit.target_server_principal_name +- set: + field: user.target.id + copy_from: sqlserver.audit.target_server_principal_sid + +- convert: + field: winlog.record_id + type: string + ignore_missing: true +## +# Clean up +## +- remove: + field: + - _temp + - winlog.event_data.param1 + - sqlserver.audit.event_time + - sqlserver.audit.additional_information + - sqlserver.audit.duration_milliseconds + - sqlserver.audit.server_principal_name + - sqlserver.audit.server_principal_sid + - 
sqlserver.audit.target_server_principal_name
+ - sqlserver.audit.target_server_principal_sid
+ ignore_missing: true
+- script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ handleMap(ctx);
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/base-fields.yml b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/base-fields.yml
new file mode 100755
index 0000000000..7c798f4534
--- /dev/null
+++ b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/ecs.yml b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/ecs.yml
new file mode 100755
index 0000000000..523f9134da
--- /dev/null
+++ b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/ecs.yml
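Review bot: The principal-mapping `set` processors at the end of this pipeline (`user.id`, `user.target.name`, `user.target.id`, and `sqlserver.audit.statement` further up) use `copy_from` without `ignore_empty_value`, unlike the `log.level` set which has it; as far as I can tell a missing source field makes `set` throw, so any audit record whose kv output lacks one of those keys falls through to `on_failure` and is indexed half-parsed with only `error.message` to show for it — add `ignore_empty_value: true` to each of them. The action-id script has the same failure mode: when `sqlserver.audit.action_id` is absent, `actions.get(actionIdKey)` returns null and the fallback branch then calls `actionIdKey.toLowerCase()` on null, so put `if (actionIdKey == null) { return; }` ahead of the lookup. The `dissect` on `winlog.event_data.param1` near the top is unconditional while the `gsub` right before it is scoped to `ctx?.winlog?.event_id == "33205"`, so a non-33205 record from the same channel is rejected outright rather than passed through; give the dissect the same `if` (or `ignore_missing: true`). Since the full T-SQL text is kept verbatim in `sqlserver.audit.statement`, a short comment on that `set` noting that statement text may contain sensitive literals would help operators decide whether the field needs restricted access.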
@@ -0,0 +1,205 @@ +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. 
+ May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: Thread ID. + name: process.thread.id + type: long +- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword diff --git a/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/fields.yml b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/fields.yml new file mode 100755 index 0000000000..7985824ba4 --- /dev/null +++ b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/fields.yml 
@@ -0,0 +1,139 @@
+- name: sqlserver
+ type: group
+ description: All fields specific to SQL Server events
+ fields:
+ - name: audit
+ type: group
+ description: All fields specific to SQL Server audit events.
+ fields:
+ - name: audit_schema_version
+ type: keyword
+ description: Audit event schema version.
+ - name: event_time
+ type: date
+ description: Date/time when the auditable action is fired.
+ - name: sequence_number
+ type: integer
+ description: >
+ Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits.
+
+ - name: action_id
+ type: keyword
+ description: ID of the action
+ - name: succeeded
+ type: boolean
+ description: >
+ Indicates whether or not the permission check of the action triggering the audit event succeeded or failed.
+
+ - name: permission_bitmask
+ type: keyword
+ description: >
+ When applicable shows the permissions that were granted, denied or revoked.
+
+ - name: is_column_permission
+ type: boolean
+ description: Flag indicating a column level permission
+ - name: session_id
+ type: integer
+ description: ID of the session on which the event occurred.
+ - name: server_principal_id
+ type: keyword
+ description: ID of the login context that the action is performed in.
+ - name: database_principal_id
+ type: keyword
+ description: ID of the database user context that the action is performed in.
+ - name: object_id
+ type: keyword
+ description: >
+ "The primary ID of the entity on which the audit occurred. This ID can be one of server objects, databases, database objects or schema objects."
+
+ - name: target_server_principal_id
+ type: keyword
+ description: Server principal that the auditable action applies to.
+ - name: target_database_principal_id
+ type: keyword
+ description: Database principal that the auditable action applies to.
+ - name: class_type
+ type: keyword
+ description: Type of auditable entity that the audit occurs on.
+ - name: session_server_principal_name
+ type: keyword
+ description: Server principal for the session.
+ - name: server_principal_name
+ type: keyword
+ description: Current login.
+ - name: server_principal_sid
+ type: keyword
+ description: Current login SID.
+ - name: database_principal_name
+ type: keyword
+ description: Current user.
+ - name: target_server_principal_name
+ type: keyword
+ description: Target login of the action.
+ - name: target_server_principal_sid
+ type: keyword
+ description: SID of the target login.
+ - name: target_database_principal_name
+ type: keyword
+ description: Target user of the action.
+ - name: server_instance_name
+ type: keyword
+ description: >
+ "Name of the server instance where the audit occurred. Uses the standard machine\\instance format."
+
+ - name: database_name
+ type: keyword
+ description: The database context in which the action occurred.
+ - name: schema_name
+ type: keyword
+ description: The schema context in which the action occurred.
+ - name: object_name
+ type: keyword
+ description: >
+ "The name of the entity on which the audit occurred. This can be server objects, databases, database objects, schema objects or TSQL statement (if any)."
+
+ - name: statement
+ type: text
+ description: "TSQL statement (if any)"
+ - name: additional_information
+ type: text
+ description: Any additional information about the event stored as XML.
+ - name: affected_rows
+ type: long
+ description: Number of rows affected by the operation.
+ - name: application_name
+ type: keyword
+ description: Name of the application that caused the audit event.
+ - name: client_ip
+ type: keyword
+ description: >
+ "Name or IP address of the machine running the application that caused the audit event."
+
+ - name: connection_id
+ type: keyword
+ description: Connection ID (unique UUID for the connection)
+ - name: data_sensitivity_information
+ type: keyword
+ description: Sensitivity information about the operation.
+ - name: duration_milliseconds
+ type: long
+ description: Duration of the operation in milliseconds.
+ - name: host_name
+ type: keyword
+ description: SQL Server host name.
+ - name: response_rows
+ type: long
+ description: Number of rows returned.
+ - name: sequence_group_id
+ type: keyword
+ description: Sequence group ID (unique UUID).
+ - name: transaction_id
+ type: keyword
+ description: Transaction ID
+ - name: user_defined_event_id
+ type: integer
+ description: User defined event ID.
+ - name: user_defined_information
+ type: text
+ description: User defined information
diff --git a/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/winlog.yml b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/winlog.yml
new file mode 100755
index 0000000000..075d40345d
--- /dev/null
+++ b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/fields/winlog.yml
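Review bot: The folded descriptions for `object_id`, `server_instance_name`, `object_name` and `client_ip` wrap their text in double quotes inside a `>` block scalar, so the quote characters become part of the description, and in `server_instance_name` the `\\` is also taken literally, so generated docs will show `machine\\instance`. Drop the quotes and the doubled backslash, e.g. `description: >` followed by `Name of the server instance where the audit occurred. Uses the standard machine\instance format.`. Several fields declared here (`event_time`, `additional_information`, `duration_milliseconds`, `server_principal_name`, `server_principal_sid`, `target_server_principal_name`, `target_server_principal_sid`) are removed by the pipeline's `remove` processor shown earlier on this page, so unless an earlier part of the pipeline keeps a copy they will never be indexed and only inflate the exported-fields table; consider dropping them or adding a comment such as `# removed by the ingest pipeline after being mapped to ECS` so readers know why they are absent from documents.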
@@ -0,0 +1,155 @@
+- name: winlog
+ type: group
+ description: >
+ All fields specific to the Windows Event Log are defined here.
+
+ fields:
+ - name: api
+ required: true
+ type: keyword
+ description: >
+ The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API.
+
+ The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
+
+ - name: activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
+
+ - name: computer_name
+ type: keyword
+ required: true
+ description: >
+ The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
+
+ - name: event_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
+
+ - name: event_data
+ type: group
+ description: >
+ This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
+
+ fields:
+ - name: param1
+ type: keyword
+ - name: param2
+ type: keyword
+ - name: param3
+ type: keyword
+ - name: param4
+ type: keyword
+ - name: param5
+ type: keyword
+ - name: param6
+ type: keyword
+ - name: param7
+ type: keyword
+ - name: param8
+ type: keyword
+ - name: event_id
+ type: keyword
+ required: true
+ description: >
+ The event identifier. The value is specific to the source of the event.
+
+ - name: keywords
+ type: keyword
+ required: false
+ description: >
+ The keywords are used to classify an event.
+
+ - name: channel
+ type: keyword
+ required: true
+ description: >
+ The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
+
+ - name: record_id
+ type: keyword
+ required: true
+ description: >
+ The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
+
+ - name: related_activity_id
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
+
+ - name: opcode
+ type: keyword
+ required: false
+ description: >
+ The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
+
+ - name: provider_guid
+ type: keyword
+ required: false
+ description: >
+ A globally unique identifier that identifies the provider that logged the event.
+
+ - name: process.pid
+ type: long
+ required: false
+ description: >
+ The process_id of the Client Server Runtime Process.
+
+ - name: provider_name
+ type: keyword
+ required: true
+ description: >
+ The source of the event log record (the application or service that logged the record).
+
+ - name: task
+ type: keyword
+ required: false
+ description: >
+ The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
+
+ - name: process.thread.id
+ type: long
+ required: false
+ - name: user_data
+ type: object
+ object_type: keyword
+ required: false
+ description: >
+ The event specific data. This field is mutually exclusive with `event_data`.
+
+ - name: user.identifier
+ type: keyword
+ required: false
+ example: S-1-5-21-3541430928-2051711210-1391384369-1001
+ description: >
+ The Windows security identifier (SID) of the account associated with this event.
+
+ If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
+
+ - name: user.name
+ type: keyword
+ description: >
+ Name of the user associated with this event.
+
+ - name: user.domain
+ type: keyword
+ required: false
+ description: >
+ The domain that the account associated with this event is a member of.
+
+ - name: user.type
+ type: keyword
+ required: false
+ description: >
+ The type of account associated with this event.
+
+ - name: version
+ type: long
+ required: false
+ description: The version number of the event's definition.
diff --git a/packages/microsoft_sqlserver/0.4.5/data_stream/audit/manifest.yml b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..da4c3838e1
--- /dev/null
+++ b/packages/microsoft_sqlserver/0.4.5/data_stream/audit/manifest.yml
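Review bot: `winlog.process.pid` and `winlog.process.thread.id` are declared in this file, but the pipeline shown earlier on this page renames `winlog.process` to `process`, so neither mapping will ever be populated, and `process.thread.id` has no `description` at all. Either drop the two entries or document why they stay, e.g. `description: Thread ID of the logging process; moved to ECS process.thread.id by the ingest pipeline.`. `event_data` is also declared twice at the same level, once as `type: object` with `object_type: keyword` and once as a `type: group` holding `param1`..`param8`; if elastic-package merges same-named entries this is fine, but if the last definition wins the dynamic keyword mapping for unlisted parameters is lost, which is worth confirming against the package spec before release.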
@@ -0,0 +1,62 @@
+title: "SQL Server audit events"
+type: logs
+streams:
+ - input: winlog
+ title: SQL Server audit events from Windows event logs
+ description: Collect SQL Server audit events from the Windows event logs
+ template_path: winlog.yml.hbs
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Defaults to 33205. Change the default only if SQL Server uses another documented event ID for audits. Setting a value other than an SQL Server audit event ID will cause the package to malfunction. A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 33205), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
+ default: 33205
+ - name: channel
+ description: Channel name where audit events are configured to be sent.
+ type: text
+ title: Channel
+ multi: false
+ required: true
+ default: Security
+ show_user: true
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here].
It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
diff --git a/packages/microsoft_sqlserver/0.4.5/docs/README.md b/packages/microsoft_sqlserver/0.4.5/docs/README.md
new file mode 100755
index 0000000000..ccc8b0d7b4
--- /dev/null
+++ b/packages/microsoft_sqlserver/0.4.5/docs/README.md
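Review bot: `event_id` and `language` are declared `type: text` but their defaults are the bare scalars `default: 33205` and `default: 0`, which a YAML loader reads as integers rather than strings, so the default's type does not match the declared variable type and, if a user later enters a hex language ID such as `0x0409` unquoted anywhere, it will likewise be read as a number. Quote both: `default: "33205"` and `default: "0"`. The `event_id` description also runs the package-specific warning and the generic winlog filter syntax together; consider reordering it to describe the syntax first and end with `Defaults to 33205, the SQL Server audit event ID; other values will prevent the pipeline from parsing events.`. The `processors` description embeds `\n` escapes in a double-quoted string and would read better as a `>-` block scalar, which also avoids the trailing newline the current value carries.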
@@ -0,0 +1,156 @@ +# Microsoft SQL Server Integration + +The Microsoft SQL Server integration package allows you to search, observe and visualize the SQL Server audit events through Elasticsearch. +Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. +SQL Server audit lets you create server audits, which can contain server audit specifications for server level events, and database audit specifications for database level events. +See: [SQL Server Audit page](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-ver15) for more information on SQL Server auditing. + +## Compatibility + +The package collects audit events from the event log. Other log sources such as file are not supported. + +## Configuration + +There are several levels of auditing for SQL Server, depending on government or standards requirements for your installation. The SQL Server Audit feature enables you to audit server-level and database-level groups of events and individual events. + +See: [SQL Server Audit Action Groups and Actions](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-ver15) for more information on the different audit levels. + +See: [Instructions on how to enable auditing for SQL Server](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/create-a-server-audit-and-server-audit-specification?view=sql-server-ver15). + +>Note: For the integration package to be able to read and send audit events the event target must be configured to be Windows event log. + +### Audit Events + +Enable to collect SQL Server audit events from the specified windows event log channel. + +## Logs + +### Audit + +The SQL Server audit dataset provides events from the configured Windows event log channel. 
All SQL Server audit specific fields are available in the `sqlserver.audit` field group. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled.
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.sequence | Sequence number of the event.
The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array.
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.pid | Process id. | long |
+| process.thread.id | Thread ID. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event.
Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| sqlserver.audit.action_id | ID of the action | keyword |
+| sqlserver.audit.additional_information | Any additional information about the event stored as XML. | text |
+| sqlserver.audit.affected_rows | Number of rows affected by the operation. | long |
+| sqlserver.audit.application_name | Name of the application that caused the audit event. | keyword |
+| sqlserver.audit.audit_schema_version | Audit event schema version. | keyword |
+| sqlserver.audit.class_type | Type of auditable entity that the audit occurs on. | keyword |
+| sqlserver.audit.client_ip | "Name or IP address of the machine running the application that caused the audit event." | keyword |
+| sqlserver.audit.connection_id | Connection ID (unique UUID for the connection) | keyword |
+| sqlserver.audit.data_sensitivity_information | Sensitivity information about the operation. | keyword |
+| sqlserver.audit.database_name | The database context in which the action occurred. | keyword |
+| sqlserver.audit.database_principal_id | ID of the database user context that the action is performed in. | keyword |
+| sqlserver.audit.database_principal_name | Current user. | keyword |
+| sqlserver.audit.duration_milliseconds | Duration of the operation in milliseconds. | long |
+| sqlserver.audit.event_time | Date/time when the auditable action is fired. | date |
+| sqlserver.audit.host_name | SQL Server host name. | keyword |
+| sqlserver.audit.is_column_permission | Flag indicating a column level permission | boolean |
+| sqlserver.audit.object_id | "The primary ID of the entity on which the audit occurred. This ID can be one of server objects, databases, database objects or schema objects."
| keyword |
+| sqlserver.audit.object_name | "The name of the entity on which the audit occurred. This can be server objects, databases, database objects, schema objects or TSQL statement (if any)." | keyword |
+| sqlserver.audit.permission_bitmask | When applicable shows the permissions that were granted, denied or revoked. | keyword |
+| sqlserver.audit.response_rows | Number of rows returned. | long |
+| sqlserver.audit.schema_name | The schema context in which the action occurred. | keyword |
+| sqlserver.audit.sequence_group_id | Sequence group ID (unique UUID). | keyword |
+| sqlserver.audit.sequence_number | Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits. | integer |
+| sqlserver.audit.server_instance_name | "Name of the server instance where the audit occurred. Uses the standard machine\\instance format." | keyword |
+| sqlserver.audit.server_principal_id | ID of the login context that the action is performed in. | keyword |
+| sqlserver.audit.server_principal_name | Current login. | keyword |
+| sqlserver.audit.server_principal_sid | Current login SID. | keyword |
+| sqlserver.audit.session_id | ID of the session on which the event occurred. | integer |
+| sqlserver.audit.session_server_principal_name | Server principal for the session. | keyword |
+| sqlserver.audit.statement | TSQL statement (if any) | text |
+| sqlserver.audit.succeeded | Indicates whether or not the permission check of the action triggering the audit event succeeded or failed. | boolean |
+| sqlserver.audit.target_database_principal_id | Database principal that the auditable action applies to. | keyword |
+| sqlserver.audit.target_database_principal_name | Target user of the action. | keyword |
+| sqlserver.audit.target_server_principal_id | Server principal that the auditable action applies to. | keyword |
+| sqlserver.audit.target_server_principal_name | Target login of the action.
| keyword |
+| sqlserver.audit.target_server_principal_sid | SID of the target login. | keyword |
+| sqlserver.audit.transaction_id | Transaction ID | keyword |
+| sqlserver.audit.user_defined_event_id | User defined event ID. | integer |
+| sqlserver.audit.user_defined_information | User defined information | text |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user.target.id | Unique identifier of the user. | keyword |
+| user.target.name | Short name or login of the user. | keyword |
+| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
+| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
+| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
+| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
+| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
+| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`.
If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
+| winlog.event_data.param1 | | keyword |
+| winlog.event_data.param2 | | keyword |
+| winlog.event_data.param3 | | keyword |
+| winlog.event_data.param4 | | keyword |
+| winlog.event_data.param5 | | keyword |
+| winlog.event_data.param6 | | keyword |
+| winlog.event_data.param7 | | keyword |
+| winlog.event_data.param8 | | keyword |
+| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
+| winlog.keywords | The keywords are used to classify an event. | keyword |
+| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
+| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
+| winlog.process.thread.id | | long |
+| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
+| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
+| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
+| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
+| winlog.task | The task defined in the event.
Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
+| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
+| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
+| winlog.user.name | Name of the user associated with this event. | keyword |
+| winlog.user.type | The type of account associated with this event. | keyword |
+| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
+| winlog.version | The version number of the event's definition. | long |
+
diff --git a/packages/microsoft_sqlserver/0.4.5/img/microsoft-sql-server-logo.svg b/packages/microsoft_sqlserver/0.4.5/img/microsoft-sql-server-logo.svg
new file mode 100755
index 0000000000..30758ba323
--- /dev/null
+++ b/packages/microsoft_sqlserver/0.4.5/img/microsoft-sql-server-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/microsoft_sqlserver/0.4.5/img/sqlserver-dashboard.png b/packages/microsoft_sqlserver/0.4.5/img/sqlserver-dashboard.png
new file mode 100755
index 0000000000..8929f7c2a9
Binary files /dev/null and b/packages/microsoft_sqlserver/0.4.5/img/sqlserver-dashboard.png differ
diff --git a/packages/microsoft_sqlserver/0.4.5/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json b/packages/microsoft_sqlserver/0.4.5/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json
new file mode 100755
index 0000000000..3ab14432ae
--- /dev/null
+++ b/packages/microsoft_sqlserver/0.4.5/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json 
@@ -0,0 +1,167 @@ +{ + "attributes": { + "description": "Microsoft SQL Server Audit Events", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b51d3b6d-d5e8-4631-b11c-81dcb81734a8\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b51d3b6d-d5e8-4631-b11c-81dcb81734a8\":{\"columnOrder\":[\"70000b7b-124a-439e-8ef2-6a8dad15c166\",\"a6937f39-2999-4be2-8371-619b5bf2fb67\"],\"columns\":{\"70000b7b-124a-439e-8ef2-6a8dad15c166\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a6937f39-2999-4be2-8371-619b5bf2fb67\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"a6937f39-2999-4be2-8371-619b5bf2fb67\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"70000b7b-124a-439e-8ef2-6a8dad15c166\"],\"layerId\":\"b51d3b6d-d5e8-4631-b11c-81dcb81734a8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a6937f39-2999-4be2-8371-619b5bf2fb67\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false,\"timeRange\":{\"from\":\"now-2d\",\"to\":\"now\"}},\"gridData\":{\"h\":13,\"i\":\"842e1cfc-7341-462d-8949-eef99e130666\",\"w\":18,\"x\":0,\"y\":0},\"panelIndex\":\"842e1cfc-7341-462d-8949-eef99e130666\",\"title\":\"Microsoft SQL Server Event 
Types\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\":{\"columnOrder\":[\"4652b8d0-971a-4472-bf0a-e19c6834092d\",\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"columns\":{\"4652b8d0-971a-4472-bf0a-e19c6834092d\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5f9fa38a-bd5b-498b-ac78-d698c436773e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of 
events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"layerId\":\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4652b8d0-971a-4472-bf0a-e19c6834092d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"d2bbfd00-6448-4207-9aef-b5bfcb8f978b\",\"w\":17,\"x\":18,\"y\":0},\"panelIndex\":\"d2bbfd00-6448-4207-9aef-b5bfcb8f978b\",\"title\":\"Rate of 
events\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\":{\"columnOrder\":[\"4652b8d0-971a-4472-bf0a-e19c6834092d\",\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"columns\":{\"4652b8d0-971a-4472-bf0a-e19c6834092d\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5f9fa38a-bd5b-498b-ac78-d698c436773e\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.action: \\\"login-failed\\\" \"},\"isBucketed\":false,\"label\":\"Failed 
Logins\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"layerId\":\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4652b8d0-971a-4472-bf0a-e19c6834092d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e0dde78f-31ea-478a-b2d2-7bde0fd3eedb\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"e0dde78f-31ea-478a-b2d2-7bde0fd3eedb\",\"title\":\"Rate of Failed 
Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"041831df-5315-4457-98a4-2be03a47fc31\",\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\"],\"columns\":{\"041831df-5315-4457-98a4-2be03a47fc31\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"5m\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Principal Changes\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"SQL LOGIN\",\"SQL USER\",\"WINDOWS 
LOGIN\",\"LOGIN\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SQL LOGIN\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SQL USER\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"WINDOWS LOGIN\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"LOGIN\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"CREATE\",\"DROP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"CREATE\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DROP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"041831df-5315-4457-98a4-2be03a47fc31\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"9df96bf5-959d-470c-afaa-f85cd3921d41\",\"w\":13,\"x\":0,\"y\":13},\"panelIndex\":\"9df96bf5-959d-470c-afaa-f85cd3921d41\",\"title\":\"Database Principal 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"columns\":{\"3216384d-1cdc-43dc-83a0-b0215a64fd12\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Role Member Changes\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"5341d8d4-e599-467c-b891-544b3a47ed4f\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"ROLE\",\"SERVER 
ROLE\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"ROLE\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SERVER ROLE\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\"SERVER_ROLE_MEMBER_CHANGE_GROUP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"SERVER_ROLE_MEMBER_CHANGE_GROUP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"5341d8d4-e599-467c-b891-544b3a47ed4f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c95238d4-553e-424f-9880-7377837f0ba2\",\"w\":13,\"x\":13,\"y\":13},\"panelIndex\":\"c95238d4-553e-424f-9880-7377837f0ba2\",\"title\":\"Role Member 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\"],\"columns\":{\"3216384d-1cdc-43dc-83a0-b0215a64fd12\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"count()\",\"operationType\":\"formula\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}},\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\"],\"scale\":\"ratio\"},\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Part of 
count()\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"5341d8d4-e599-467c-b891-544b3a47ed4f\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"15m\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"DATABASE AUDIT SPECIFICATION\",\"SERVER AUDIT SPECIFICATION\",\"AUDIT\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"DATABASE AUDIT SPECIFICATION\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SERVER AUDIT 
SPECIFICATION\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"AUDIT\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"CREATE\",\"DROP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"CREATE\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DROP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":-90,\"yRight\":0},\"layers\":[{\"accessors\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"yConfig\":[{\"axisMode\":\"auto\",\"forAccessor\":\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Number of Audit Changes\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c48ea73e-2a8d-41bf-831c-275c516ee481\",\"w\":13,\"x\":26,\"y\":13},\"panelIndex\":\"c48ea73e-2a8d-41bf-831c-275c516ee481\",\"title\":\"Audit 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03553b27-f941-4b4b-bcb6-8e1943c154f3\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03553b27-f941-4b4b-bcb6-8e1943c154f3\":{\"columnOrder\":[\"d4a0fc9f-f361-4113-b529-f55dd6faab93\"],\"columns\":{\"d4a0fc9f-f361-4113-b529-f55dd6faab93\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Failed Logins\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"login-failed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"login-failed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"d4a0fc9f-f361-4113-b529-f55dd6faab93\",\"layerId\":\"03553b27-f941-4b4b-bcb6-8e1943c154f3\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c68c4401-b3a5-486a-8e66-da4bad6b035d\",\"w\":9,\"x\":39,\"y\":13},\"panelIndex\":\"c
68c4401-b3a5-486a-8e66-da4bad6b035d\",\"title\":\"Number of Failed Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"}]", + "timeRestore": false, + "title": "[Logs Microsoft SQL Server Audit Events] Overview", + "version": 1 + }, + "coreMigrationVersion": "7.15.1", + "id": "microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb", + "migrationVersion": { + "dashboard": "7.15.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "842e1cfc-7341-462d-8949-eef99e130666:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "842e1cfc-7341-462d-8949-eef99e130666:indexpattern-datasource-layer-b51d3b6d-d5e8-4631-b11c-81dcb81734a8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "842e1cfc-7341-462d-8949-eef99e130666:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:indexpattern-datasource-current-indexpattern", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c95238d4-553e-424f-9880-7377837f0ba2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c95238d4-553e-424f-9880-7377837f0ba2:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"c68c4401-b3a5-486a-8e66-da4bad6b035d:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:indexpattern-datasource-layer-03553b27-f941-4b4b-bcb6-8e1943c154f3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:filter-index-pattern-0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:filter-index-pattern-1",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/microsoft_sqlserver/0.4.5/manifest.yml b/packages/microsoft_sqlserver/0.4.5/manifest.yml
new file mode 100755
index 0000000000..1fb3e973d6
--- /dev/null
+++ b/packages/microsoft_sqlserver/0.4.5/manifest.yml
@@ -0,0 +1,33 @@
+format_version: 1.0.0
+name: microsoft_sqlserver
+title: "Microsoft SQL Server"
+version: 0.4.5
+license: basic
+description: Collect audit events from Microsoft SQL Server with Elastic Agent.
+type: integration
+categories:
+ - datastore
+ - security
+release: beta
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+screenshots:
+ - src: /img/sqlserver-dashboard.png
+ title: Microsoft SQL Server Dashboard
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/microsoft-sql-server-logo.svg
+ title: Microsof SQL Server
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: audit_logs
+ title: SQL Server audit logs
+ description: Collect audit logs from Windows event logs
+ inputs:
+ - type: winlog
+ title: Collect audit events from Windows event logs
+ description: Collecting audit events from Windows event logs
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/netflow/1.4.2/changelog.yml b/packages/netflow/1.4.2/changelog.yml
new file mode 100755
index 0000000000..83b2d13ab4
--- /dev/null
+++ b/packages/netflow/1.4.2/changelog.yml
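Review bot: The icon entry in manifest.yml has a typo, `title: Microsof SQL Server`; it should read `title: Microsoft SQL Server`, matching the package title and the screenshot title a few lines above. If this directory is a verbatim copy of the published 0.4.5 package, the correction belongs in the source package rather than here, but the string is user-visible in Kibana either way.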
@@ -0,0 +1,97 @@ +# newer versions go on top +- version: "1.4.2" + changes: + - description: Replace invalid field value + type: enhancement + link: https://github.com/elastic/integrations/pull/3096 +- version: "1.4.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.4.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2424 +- version: "1.3.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2220 +- version: "1.2.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2098 +- version: "1.2.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1973 +- version: "1.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1833 +- version: "1.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1667 +- version: "1.1.3" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1489 +- version: '1.1.2' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1396 +- version: "1.1.1" + changes: + - description: Escape special characters in docs + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.1.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: 
https://github.com/elastic/integrations/pull/1218 + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1218 +- version: "0.4.1" + changes: + - description: Use `wildcard` field type for the relevant ECS fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/1179 +- version: "0.4.0" + changes: + - description: update to ECS 1.10.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1062 +- version: "0.3.9" + changes: + - description: add pipeline tests and move ecs.version set the to ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/1006 +- version: "0.3.8" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/857 +- version: "0.1.0" + changes: + - description: Change field type of `netflow.application_category_nam` and `netflow.application_sub_category_name` to keyword to ensure there are no type conflicts between vendors. + type: enhancement + link: https://github.com/elastic/integrations/pull/697 + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/23 diff --git a/packages/netflow/1.4.2/data_stream/log/agent/stream/netflow.yml.hbs b/packages/netflow/1.4.2/data_stream/log/agent/stream/netflow.yml.hbs new file mode 100755 index 0000000000..45be18a81e --- /dev/null +++ b/packages/netflow/1.4.2/data_stream/log/agent/stream/netflow.yml.hbs 
@@ -0,0 +1,31 @@
+protocols: [v1, v5, v6, v7, v8, v9, ipfix]
+host: '{{host}}:{{port}}'
+max_message_size: '{{max_message_size}}'
+expiration_timeout: '{{expiration_timeout}}'
+queue_size: {{queue_size}}
+{{#if timeout}}
+timeout: '{{timeout}}'
+{{/if}}
+{{#if read_buffer}}
+read_buffer: '{{read_buffer}}'
+{{/if}}
+{{#if custom_definitions}}
+custom_definitions:
+{{#each custom_definitions}}
+- '{{this}}'
+{{/each}}
+{{/if}}
+{{#if detect_sequence_reset}}
+detect_sequence_reset: {{detect_sequence_reset}}
+{{/if}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/netflow/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/netflow/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..c64bcd19eb
--- /dev/null
+++ b/packages/netflow/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
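Review bot: The tag values are rendered unquoted at `  - {{tag}}`, so a tag that YAML types implicitly (`on`, `no`, `1.10`, an all-digit value) reaches the input as a boolean or number rather than a string, and a tag containing `: ` or ` #` breaks the rendered document; quoting it, `  - '{{tag}}'`, matches how `custom_definitions` is rendered a few lines above with `- '{{this}}'`. The `i` block parameter in `{{#each tags as |tag i|}}` is unused and can be dropped. The same consideration applies to `queue_size: {{queue_size}}`, which becomes `null` if the variable is empty, though that may be acceptable if the package schema guarantees a value.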
@@ -0,0 +1,69 @@
+---
+description: Pipeline for NetFlow
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - convert:
+ field: network.iana_number
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+
+ - set:
+ field: event.category
+ value:
+ - network
+ - session
+ if: 'ctx.event?.category != null && ctx.event?.category == "network_session"'
+
+ # IP Geolocation Lookup
+ - geoip:
+ if: ctx.source?.geo == null
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ if: ctx.destination?.geo == null
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/netflow/1.4.2/data_stream/log/fields/agent.yml b/packages/netflow/1.4.2/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/netflow/1.4.2/data_stream/log/fields/agent.yml
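Review bot: The `on_failure` handler only records `error.message`, so a document whose processing failed is still indexed and is indistinguishable from a successful event in searches and dashboards unless someone queries `error.message` explicitly; the usual pattern in Elastic integration pipelines is to also tag the document in the same handler, `- set:` / `field: event.kind` / `value: pipeline_error`, which makes pipeline failures visible and alertable. Separately, the two ASN `geoip` processors have no `if: ctx.source?.as == null` / `if: ctx.destination?.as == null` guard, unlike the geolocation processors just above, so any AS values already present on the event would be overwritten by the database lookup. In the `event.category` condition the `ctx.event?.category != null &&` test is redundant, since `ctx.event?.category == "network_session"` is already false for a null value.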
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
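Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so a YAML loader types it as an integer even though the field is a `keyword`; quoting it, `example: "666777888999"`, keeps the example the same type as the field it illustrates, consistent with `example: "18D109"` for `os.build` at the end of the file. Whether the package tooling normalises examples before rendering documentation is not visible here, so this is mainly a consistency point; if this agent.yml is copied from a shared template, the fix belongs in the template.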
diff --git a/packages/netflow/1.4.2/data_stream/log/fields/base-fields.yml b/packages/netflow/1.4.2/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..12d5ac2a45
--- /dev/null
+++ b/packages/netflow/1.4.2/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: netflow
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: netflow.log
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/netflow/1.4.2/data_stream/log/fields/ecs.yml b/packages/netflow/1.4.2/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..d9ce1eb931
--- /dev/null
+++ b/packages/netflow/1.4.2/data_stream/log/fields/ecs.yml
@@ -0,0 +1,1593 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + Ephemeral identifier of this agent (if one exists). + This id normally changes across restarts, but `agent.id` does not. + name: agent.ephemeral_id + type: keyword +- description: |- + Unique identifier of this agent (if one exists). + Example: For Beats this would be beat.id. + name: agent.id + type: keyword +- description: |- + Custom name of the agent. + This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. + If no name is given, the name is often left empty. + name: agent.name + type: keyword +- description: |- + Type of the agent. + The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + name: agent.type + type: keyword +- description: Version of the agent. + name: agent.version + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: as.organization.name + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: client.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: client.geo.name + type: keyword +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Region name. + name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + MAC address of the client. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: client.mac + type: keyword +- description: |- + Translated IP of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.port + type: long +- description: Packets sent from the client to the server. + name: client.packets + type: long +- description: Port of the client. + name: client.port + type: long +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: client.user.domain + type: keyword +- description: User email address. 
+ name: client.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: client.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: client.user.group.id + type: keyword +- description: Name of the group. + name: client.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: client.user.hash + type: keyword +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Instance name of the host machine. + name: cloud.instance.name + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: Unique container id. 
+ name: container.id + type: keyword +- description: Name of the image the container was built on. + name: container.image.name + type: keyword +- description: Container image tags. + name: container.image.tag + type: keyword +- description: Image labels. + name: container.labels + type: object +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. 
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: destination.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ MAC address of the destination.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: destination.mac
+ type: keyword
+- description: |-
+ Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.ip
+ type: ip
+- description: |-
+ Port the source session is translated to by NAT Device.
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.port
+ type: long
+- description: Packets sent from the destination to the source.
+ name: destination.packets
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ The highest registered destination domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: destination.registered_domain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: destination.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: destination.user.domain
+ type: keyword
+- description: User email address.
+ name: destination.user.email
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.user.full_name
+ type: keyword
+- description: |-
+ Name of the directory the group is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: destination.user.group.domain
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: destination.user.group.id
+ type: keyword
+- description: Name of the group.
+ name: destination.user.group.name
+ type: keyword
+- description: |-
+ Unique user hash to correlate information for a user in anonymized form.
+ Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+ name: destination.user.hash
+ type: keyword
+- description: Unique identifier of the user.
+ name: destination.user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.user.name
+ type: keyword
+- description: |-
+ An array containing an object for each answer section returned by the server.
+ The main keys that should be present in these objects are defined by ECS.
 Records that have more information may contain more keys than what ECS defines.
+ Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
+ name: dns.answers
+ type: object
+- description: The class of DNS data contained in this resource record.
+ name: dns.answers.class
+ type: keyword
+- description: |-
+ The data describing the resource.
+ The meaning of this data depends on the type and class of the resource record.
+ name: dns.answers.data
+ type: keyword
+- description: |-
+ The domain name to which this resource record pertains.
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
+ name: dns.answers.name
+ type: keyword
+- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
+ name: dns.answers.ttl
+ type: long
+- description: The type of data contained in this resource record.
+ name: dns.answers.type
+ type: keyword
+- description: |-
+ Array of 2 letter DNS header flags.
+ Expected values are: AA, TC, RD, RA, AD, CD, DO.
+ name: dns.header_flags
+ type: keyword
+- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+ name: dns.id
+ type: keyword
+- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
+ name: dns.op_code
+ type: keyword
+- description: The class of records being queried.
+ name: dns.question.class
+ type: keyword
+- description: |-
+ The name being queried.
+ If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+ name: dns.question.name
+ type: keyword
+- description: |-
+ The highest registered domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: dns.question.registered_domain
+ type: keyword
+- description: |-
+ The subdomain is all of the labels under the registered_domain.
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: dns.question.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: dns.question.top_level_domain
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ Array containing all IPs seen in `answers.data`.
+ The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
+ name: dns.resolved_ip
+ type: ip
+- description: The DNS response code.
+ name: dns.response_code
+ type: keyword
+- description: |-
+ The type of DNS event captured, query or answer.
+ If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
+ If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+ name: dns.type
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error code describing the error.
+ name: error.code
+ type: keyword
+- description: Unique identifier for the error.
+ name: error.id
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: The stack trace of this error in plain text.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: error.stack_trace
+ type: wildcard
+- description: The type of the error, for example the class name of the exception.
+ name: error.type
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity.
 This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the difference between the end and start time.
+ name: event.duration
+ type: long
+- description: event.end contains the date when the event ended or when the activity was last observed.
+ name: event.end
+ type: date
+- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
+ name: event.hash
+ type: keyword
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred.
 It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ Source of the event.
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+ name: event.provider
+ type: keyword
+- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+ name: event.risk_score
+ type: float
+- description: |-
+ Normalized risk score or priority of the event, on a scale of 0 to 100.
+ This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
+ name: event.risk_score_norm
+ type: float
+- description: |-
+ Sequence number of the event.
+ The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
+ name: event.sequence
+ type: long
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS).
 If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
+- description: event.start contains the date when the event started or when the activity was first observed.
+ name: event.start
+ type: date
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ Last time the file was accessed.
+ Note that not all filesystems keep track of access time.
+ name: file.accessed
+ type: date
+- description: |-
+ File creation time.
+ Note that not all filesystems store the creation time.
+ name: file.created
+ type: date
+- description: |-
+ Last time the file attributes or metadata changed.
+ Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
+ name: file.ctime
+ type: date
+- description: Device that is the source of the file.
+ name: file.device
+ type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: Primary group ID (GID) of the file.
+ name: file.gid
+ type: keyword
+- description: Primary group name of the file.
+ name: file.group
+ type: keyword
+- description: MD5 hash.
+ name: file.hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: file.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: file.hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: file.hash.sha512
+ type: keyword
+- description: Inode representing the file in the filesystem.
+ name: file.inode
+ type: keyword
+- description: Mode of the file in octal representation.
+ name: file.mode
+ type: keyword
+- description: Last time the file content was modified.
+ name: file.mtime
+ type: date
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: File owner's username.
+ name: file.owner
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: Target path for symlinks.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.target_path
+ type: keyword
+- description: File type (file, dir, or symlink).
+ name: file.type
+ type: keyword
+- description: The user ID (UID) or security identifier (SID) of the file owner.
+ name: file.uid
+ type: keyword
+- description: City name.
+ name: geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: geo.name
+ type: keyword
+- description: Region ISO code.
+ name: geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: geo.region_name
+ type: keyword
+- description: |-
+ Name of the directory the group is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: group.domain
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: group.id
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: MD5 hash.
+ name: hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: hash.sha512
+ type: keyword
+- description: Operating system architecture.
+ name: host.architecture
+ type: keyword
+- description: City name.
+ name: host.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: host.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: host.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: host.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: host.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: host.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: host.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: host.geo.region_name
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: |-
+ Unique host id.
+ As hostname is not always unique, use values that are meaningful in your environment.
+ Example: The current usage of `beat.name`.
+ name: host.id
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: OS family (such as redhat, debian, freebsd, windows).
+ name: host.os.family
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: host.os.full
+ type: keyword
+- description: Operating system kernel version as a raw string.
+ name: host.os.kernel
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: host.os.name
+ type: keyword
+- description: Operating system platform (such centos, ubuntu, windows).
+ name: host.os.platform
+ type: keyword
+- description: Operating system version as a raw string.
+ name: host.os.version
+ type: keyword
+- description: |-
+ Type of host.
+ For Cloud providers this can be the machine type like `t2.medium`.
 If vm, this could be the container, for example, or other information meaningful in your environment.
+ name: host.type
+ type: keyword
+- description: Seconds the host has been up.
+ name: host.uptime
+ type: long
+- description: Size in bytes of the request body.
+ name: http.request.body.bytes
+ type: long
+- description: The full HTTP request body.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: http.request.body.content
+ type: wildcard
+- description: Total size in bytes of the request (body and headers).
+ name: http.request.bytes
+ type: long
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: Size in bytes of the response body.
+ name: http.response.body.bytes
+ type: long
+- description: The full HTTP response body.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: http.response.body.content
+ type: wildcard
+- description: Total size in bytes of the response (body and headers).
+ name: http.response.bytes
+ type: long
+- description: HTTP response status code.
+ name: http.response.status_code
+ type: long
+- description: HTTP version.
+ name: http.version
+ type: keyword
+- description: |-
+ Custom key/value pairs.
+ Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
+ Example: `docker` and `k8s` labels.
+ name: labels
+ type: object
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+ name: log.logger
+ type: keyword
+- description: The line number of the file containing the source code which originated the log event.
+ name: log.origin.file.line
+ type: long
+- description: |-
+ The name of the file containing the source code which originated the log event.
+ Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.
+ name: log.origin.file.name
+ type: keyword
+- description: The name of the function or method which originated the log event.
+ name: log.origin.function
+ type: keyword
+- description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
+ name: log.syslog
+ type: object
+- description: |-
+ The Syslog numeric facility of the log event, if available.
+ According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+ name: log.syslog.facility.code
+ type: long
+- description: The Syslog text-based facility of the log event, if available.
+ name: log.syslog.facility.name
+ type: keyword
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+ name: log.syslog.severity.code
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
+ name: log.syslog.severity.name
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+ The field value must be normalized to lowercase for querying.
+ name: network.application
+ type: keyword
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: Host IP address when the source IP address is the proxy.
+ name: network.forwarded_ip
+ type: ip
+- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: Name given by operators to sections of their network.
+ name: network.name
+ type: keyword
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: |-
+ In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
+ The field value must be normalized to lowercase for querying.
+ name: network.type
+ type: keyword
+- description: City name.
+ name: observer.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: observer.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: observer.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: observer.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: observer.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: observer.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: observer.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: observer.geo.region_name
+ type: keyword
+- description: Hostname of the observer.
+ name: observer.hostname
+ type: keyword
+- description: IP addresses of the observer.
+ name: observer.ip
+ type: ip
+- description: |-
+ MAC addresses of the observer.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: observer.mac
+ type: keyword
+- description: |-
+ Custom name of the observer.
+ This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
+ If no custom name is needed, the field can be left empty.
+ name: observer.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: observer.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: observer.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: observer.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: observer.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: observer.os.platform + type: keyword +- description: Operating system version as a raw string. + name: observer.os.version + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: Observer serial number. + name: observer.serial_number + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: organization.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: os.full + type: keyword +- description: Operating system kernel version as a raw string. 
+ name: os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: os.platform + type: keyword +- description: Operating system version as a raw string. + name: os.version + type: keyword +- description: Package architecture. + name: package.architecture + type: keyword +- description: Checksum of the installed package for verification. + name: package.checksum + type: keyword +- description: Description of the package. + name: package.description + type: keyword +- description: Indicating how the package was installed, e.g. user-local, global. + name: package.install_scope + type: keyword +- description: Time when package was installed. + name: package.installed + type: date +- description: |- + License under which the package was released. + Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + name: package.license + type: keyword +- description: Package name + name: package.name + type: keyword +- description: Path where the package is installed. + name: package.path + type: keyword +- description: Package size in bytes. + name: package.size + type: long +- description: Package version + name: package.version + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: SHA512 hash. 
+ name: process.hash.sha512 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Identifier of the group of processes the process belongs to. + name: process.pgid + type: long +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: The time the process started. + name: process.start + type: date +- description: Thread ID. + name: process.thread.id + type: long +- description: Thread name. + name: process.thread.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: Seconds the process has been up. + name: process.uptime + type: long +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: server.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: server.as.organization.name + type: keyword +- description: Bytes sent from the server to the client. 
+ name: server.bytes + type: long +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: City name. + name: server.geo.city_name + type: keyword +- description: Name of the continent. + name: server.geo.continent_name + type: keyword +- description: Country ISO code. + name: server.geo.country_iso_code + type: keyword +- description: Country name. + name: server.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: server.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: server.geo.name + type: keyword +- description: Region ISO code. + name: server.geo.region_iso_code + type: keyword +- description: Region name. + name: server.geo.region_name + type: keyword +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: |- + MAC address of the server. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: server.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: server.nat.ip + type: ip +- description: |- + Translated port of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. 
+ name: server.nat.port + type: long +- description: Packets sent from the server to the client. + name: server.packets + type: long +- description: Port of the server. + name: server.port + type: long +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: server.user.domain + type: keyword +- description: User email address. + name: server.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: server.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: server.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: server.user.group.id + type: keyword +- description: Name of the group. + name: server.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. 
+ Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: server.user.hash + type: keyword +- description: Unique identifier of the user. + name: server.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + Ephemeral identifier of this service (if one exists). + This id normally changes across restarts, but `service.id` does not. + name: service.ephemeral_id + type: keyword +- description: |- + Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + name: service.id + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Name of a service node. + This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. + In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. 
In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + name: service.node.name + type: keyword +- description: Current state of the service. + name: service.state + type: keyword +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: |- + Version of the service the data was collected from. + This allows to look at a data set only for a specific version of a service. + name: service.version + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. 
+ name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. 
+ For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: User email address. + name: source.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: source.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: source.user.group.id + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: source.user.hash + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. 
+ multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. + name: threat.framework + type: keyword +- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.id + type: keyword +- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) + name: threat.tactic.name + type: keyword +- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.reference + type: keyword +- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.id + type: keyword +- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + multi_fields: + - name: text + type: match_only_text + name: threat.technique.name + type: keyword +- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.reference + type: keyword +- description: |- + Unique identifier of the trace. + A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. 
+ name: trace.id + type: keyword +- description: |- + Unique identifier of the transaction within the scope of its trace. + A transaction is the highest level of work measured within a service, such as a request to a server. + name: transaction.id + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. 
+ name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: User's full name, if available. 
+ multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Name of the group. + name: user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: user.hash + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: user_agent.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: user_agent.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: user_agent.os.platform + type: keyword +- description: Operating system version as a raw string. 
+ name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword diff --git a/packages/netflow/1.4.2/data_stream/log/fields/package-fields.yml b/packages/netflow/1.4.2/data_stream/log/fields/package-fields.yml new file mode 100755 index 0000000000..1915b6a75d --- /dev/null +++ b/packages/netflow/1.4.2/data_stream/log/fields/package-fields.yml 
@@ -0,0 +1,2689 @@ +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: flow.locality + type: keyword + description: Identifies whether the flow involved public IP addresses or only private address. +- name: flow.id + type: keyword + description: Hash of source and destination IPs. +- name: destination.locality + type: keyword + description: Whether the destination IP is private or public. +- name: source.locality + type: keyword + description: Whether the source IP is private or public. +- name: netflow + type: group + description: > + Fields from NetFlow and IPFIX. + + fields: + - name: type + type: keyword + description: > + The type of NetFlow record described by this event. + + - name: exporter + type: group + description: > + Metadata related to the exporter device that generated this record. + + fields: + - name: address + type: keyword + description: > + Exporter's network address in IP:port format. + + - name: source_id + type: long + description: > + Observation domain ID to which this record belongs. + + - name: timestamp + type: date + description: > + Time and date of export. + + - name: uptime_millis + type: long + description: > + How long the exporter process has been running, in milliseconds. + + - name: version + type: integer + description: > + NetFlow version used. 
+ + - name: absolute_error + type: double + - name: address_pool_high_threshold + type: long + - name: address_pool_low_threshold + type: long + - name: address_port_mapping_high_threshold + type: long + - name: address_port_mapping_low_threshold + type: long + - name: address_port_mapping_per_user_high_threshold + type: long + - name: afc_protocol + type: integer + - name: afc_protocol_name + type: keyword + - name: anonymization_flags + type: integer + - name: anonymization_technique + type: integer + - name: application_business-relevance + type: long + - name: application_category_name + type: keyword + - name: application_description + type: keyword + - name: application_group_name + type: keyword + - name: application_http_uri_statistics + type: short + - name: application_http_user-agent + type: short + - name: application_id + type: short + - name: application_name + type: keyword + - name: application_sub_category_name + type: keyword + - name: application_traffic-class + type: long + - name: art_client_network_time_maximum + type: long + - name: art_client_network_time_minimum + type: long + - name: art_client_network_time_sum + type: long + - name: art_clientpackets + type: long + - name: art_count_late_responses + type: long + - name: art_count_new_connections + type: long + - name: art_count_responses + type: long + - name: art_count_responses_histogram_bucket1 + type: long + - name: art_count_responses_histogram_bucket2 + type: long + - name: art_count_responses_histogram_bucket3 + type: long + - name: art_count_responses_histogram_bucket4 + type: long + - name: art_count_responses_histogram_bucket5 + type: long + - name: art_count_responses_histogram_bucket6 + type: long + - name: art_count_responses_histogram_bucket7 + type: long + - name: art_count_retransmissions + type: long + - name: art_count_transactions + type: long + - name: art_network_time_maximum + type: long + - name: art_network_time_minimum + type: long + - name: art_network_time_sum + 
type: long + - name: art_response_time_maximum + type: long + - name: art_response_time_minimum + type: long + - name: art_response_time_sum + type: long + - name: art_server_network_time_maximum + type: long + - name: art_server_network_time_minimum + type: long + - name: art_server_network_time_sum + type: long + - name: art_server_response_time_maximum + type: long + - name: art_server_response_time_minimum + type: long + - name: art_server_response_time_sum + type: long + - name: art_serverpackets + type: long + - name: art_total_response_time_maximum + type: long + - name: art_total_response_time_minimum + type: long + - name: art_total_response_time_sum + type: long + - name: art_total_transaction_time_maximum + type: long + - name: art_total_transaction_time_minimum + type: long + - name: art_total_transaction_time_sum + type: long + - name: assembled_fragment_count + type: long + - name: audit_counter + type: long + - name: average_interarrival_time + type: long + - name: bgp_destination_as_number + type: long + - name: bgp_next_adjacent_as_number + type: long + - name: bgp_next_hop_ipv4_address + type: ip + - name: bgp_next_hop_ipv6_address + type: ip + - name: bgp_prev_adjacent_as_number + type: long + - name: bgp_source_as_number + type: long + - name: bgp_validity_state + type: short + - name: biflow_direction + type: short + - name: bind_ipv4_address + type: ip + - name: bind_transport_port + type: integer + - name: class_id + type: long + - name: class_name + type: keyword + - name: classification_engine_id + type: short + - name: collection_time_milliseconds + type: date + - name: collector_certificate + type: short + - name: collector_ipv4_address + type: ip + - name: collector_ipv6_address + type: ip + - name: collector_transport_port + type: integer + - name: common_properties_id + type: long + - name: confidence_level + type: double + - name: conn_ipv4_address + type: ip + - name: conn_transport_port + type: integer + - name: 
connection_sum_duration_seconds
+ type: long
+ - name: connection_transaction_id
+ type: long
+ - name: conntrack_id
+ type: long
+ - name: data_byte_count
+ type: long
+ - name: data_link_frame_section
+ type: short
+ - name: data_link_frame_size
+ type: integer
+ - name: data_link_frame_type
+ type: integer
+ - name: data_records_reliability
+ type: boolean
+ - name: delta_flow_count
+ type: long
+ - name: destination_ipv4_address
+ type: ip
+ - name: destination_ipv4_prefix
+ type: ip
+ - name: destination_ipv4_prefix_length
+ type: short
+ - name: destination_ipv6_address
+ type: ip
+ - name: destination_ipv6_prefix
+ type: ip
+ - name: destination_ipv6_prefix_length
+ type: short
+ - name: destination_mac_address
+ type: keyword
+ - name: destination_transport_port
+ type: integer
+ - name: digest_hash_value
+ type: long
+ - name: distinct_count_of_destination_ip_address
+ type: long
+ - name: distinct_count_of_destination_ipv4_address
+ type: long
+ - name: distinct_count_of_destination_ipv6_address
+ type: long
+ - name: distinct_count_of_source_ip_address
+ type: long
+ - name: distinct_count_of_source_ipv4_address
+ type: long
+ - name: distinct_count_of_source_ipv6_address
+ type: long
+ - name: dns_authoritative
+ type: short
+ - name: dns_cname
+ type: keyword
+ - name: dns_id
+ type: integer
+ - name: dns_mx_exchange
+ type: keyword
+ - name: dns_mx_preference
+ type: integer
+ - name: dns_nsd_name
+ type: keyword
+ - name: dns_nx_domain
+ type: short
+ - name: dns_ptrd_name
+ type: keyword
+ - name: dns_qname
+ type: keyword
+ - name: dns_qr_type
+ type: integer
+ - name: dns_query_response
+ type: short
+ - name: dns_rr_section
+ type: short
+ - name: dns_soa_expire
+ type: long
+ - name: dns_soa_minimum
+ type: long
+ - name: dns_soa_refresh
+ type: long
+ - name: dns_soa_retry
+ type: long
+ - name: dns_soa_serial
+ type: long
+ - name: dns_soam_name
+ type: keyword
+ - name: dns_soar_name
+ type: keyword
+ - name: dns_srv_port
+ type: integer
+ - name: dns_srv_priority
+ type: integer
+ - name: dns_srv_target
+ type: integer
+ - name: dns_srv_weight
+ type: integer
+ - name: dns_ttl
+ type: long
+ - name: dns_txt_data
+ type: keyword
+ - name: dot1q_customer_dei
+ type: boolean
+ - name: dot1q_customer_destination_mac_address
+ type: keyword
+ - name: dot1q_customer_priority
+ type: short
+ - name: dot1q_customer_source_mac_address
+ type: keyword
+ - name: dot1q_customer_vlan_id
+ type: integer
+ - name: dot1q_dei
+ type: boolean
+ - name: dot1q_priority
+ type: short
+ - name: dot1q_service_instance_id
+ type: long
+ - name: dot1q_service_instance_priority
+ type: short
+ - name: dot1q_service_instance_tag
+ type: short
+ - name: dot1q_vlan_id
+ type: integer
+ - name: dropped_layer2_octet_delta_count
+ type: long
+ - name: dropped_layer2_octet_total_count
+ type: long
+ - name: dropped_octet_delta_count
+ type: long
+ - name: dropped_octet_total_count
+ type: long
+ - name: dropped_packet_delta_count
+ type: long
+ - name: dropped_packet_total_count
+ type: long
+ - name: dst_traffic_index
+ type: long
+ - name: egress_broadcast_packet_total_count
+ type: long
+ - name: egress_interface
+ type: long
+ - name: egress_interface_type
+ type: long
+ - name: egress_physical_interface
+ type: long
+ - name: egress_unicast_packet_total_count
+ type: long
+ - name: egress_vrfid
+ type: long
+ - name: encrypted_technology
+ type: keyword
+ - name: engine_id
+ type: short
+ - name: engine_type
+ type: short
+ - name: ethernet_header_length
+ type: short
+ - name: ethernet_payload_length
+ type: integer
+ - name: ethernet_total_length
+ type: integer
+ - name: ethernet_type
+ type: integer
+ - name: expired_fragment_count
+ type: long
+ - name: export_interface
+ type: long
+ - name: export_protocol_version
+ type: short
+ - name: export_sctp_stream_id
+ type: integer
+ - name: export_transport_protocol
+ type: short
+ - name: exported_flow_record_total_count
+ type: long
+ - name: exported_message_total_count
+ type: long
+ - name: exported_octet_total_count
+ type: long
+ - name: exporter_certificate
+ type: short
+ - name: exporter_ipv4_address
+ type: ip
+ - name: exporter_ipv6_address
+ type: ip
+ - name: exporter_transport_port
+ type: integer
+ - name: exporting_process_id
+ type: long
+ - name: external_address_realm
+ type: short
+ - name: firewall_event
+ type: short
+ - name: first_eight_non_empty_packet_directions
+ type: short
+ - name: first_non_empty_packet_size
+ type: integer
+ - name: first_packet_banner
+ type: keyword
+ - name: flags_and_sampler_id
+ type: long
+ - name: flow_active_timeout
+ type: integer
+ - name: flow_attributes
+ type: integer
+ - name: flow_direction
+ type: short
+ - name: flow_duration_microseconds
+ type: long
+ - name: flow_duration_milliseconds
+ type: long
+ - name: flow_end_delta_microseconds
+ type: long
+ - name: flow_end_microseconds
+ type: date
+ - name: flow_end_milliseconds
+ type: date
+ - name: flow_end_nanoseconds
+ type: date
+ - name: flow_end_reason
+ type: short
+ - name: flow_end_seconds
+ type: date
+ - name: flow_end_sys_up_time
+ type: long
+ - name: flow_id
+ type: long
+ - name: flow_idle_timeout
+ type: integer
+ - name: flow_key_indicator
+ type: long
+ - name: flow_label_ipv6
+ type: long
+ - name: flow_sampling_time_interval
+ type: long
+ - name: flow_sampling_time_spacing
+ type: long
+ - name: flow_selected_flow_delta_count
+ type: long
+ - name: flow_selected_octet_delta_count
+ type: long
+ - name: flow_selected_packet_delta_count
+ type: long
+ - name: flow_selector_algorithm
+ type: integer
+ - name: flow_start_delta_microseconds
+ type: long
+ - name: flow_start_microseconds
+ type: date
+ - name: flow_start_milliseconds
+ type: date
+ - name: flow_start_nanoseconds
+ type: date
+ - name: flow_start_seconds
+ type: date
+ - name: flow_start_sys_up_time
+ type: long
+ - name: flow_table_flush_event_count
+ type: long
+ - name: flow_table_peak_count
+ type: long
+ - name: forwarding_status
+ type: short
+ - name: fragment_flags
+ type: short
+ - name: fragment_identification
+ type: long
+ - name: fragment_offset
+ type: integer
+ - name: fw_blackout_secs
+ type: long
+ - name: fw_configured_value
+ type: long
+ - name: fw_cts_src_sgt
+ type: long
+ - name: fw_event_level
+ type: long
+ - name: fw_event_level_id
+ type: long
+ - name: fw_ext_event
+ type: integer
+ - name: fw_ext_event_alt
+ type: long
+ - name: fw_ext_event_desc
+ type: keyword
+ - name: fw_half_open_count
+ type: long
+ - name: fw_half_open_high
+ type: long
+ - name: fw_half_open_rate
+ type: long
+ - name: fw_max_sessions
+ type: long
+ - name: fw_rule
+ type: keyword
+ - name: fw_summary_pkt_count
+ type: long
+ - name: fw_zone_pair_id
+ type: long
+ - name: fw_zone_pair_name
+ type: long
+ - name: global_address_mapping_high_threshold
+ type: long
+ - name: gre_key
+ type: long
+ - name: hash_digest_output
+ type: boolean
+ - name: hash_flow_domain
+ type: integer
+ - name: hash_initialiser_value
+ type: long
+ - name: hash_ip_payload_offset
+ type: long
+ - name: hash_ip_payload_size
+ type: long
+ - name: hash_output_range_max
+ type: long
+ - name: hash_output_range_min
+ type: long
+ - name: hash_selected_range_max
+ type: long
+ - name: hash_selected_range_min
+ type: long
+ - name: http_content_type
+ type: keyword
+ - name: http_message_version
+ type: keyword
+ - name: http_reason_phrase
+ type: keyword
+ - name: http_request_host
+ type: keyword
+ - name: http_request_method
+ type: keyword
+ - name: http_request_target
+ type: keyword
+ - name: http_status_code
+ type: integer
+ - name: http_user_agent
+ type: keyword
+ - name: icmp_code_ipv4
+ type: short
+ - name: icmp_code_ipv6
+ type: short
+ - name: icmp_type_code_ipv4
+ type: integer
+ - name: icmp_type_code_ipv6
+ type: integer
+ - name: icmp_type_ipv4
+ type: short
+ - name: icmp_type_ipv6
+ type: short
+ - name: igmp_type
+ type: short
+ - name: ignored_data_record_total_count
+ type: long
+ - name: ignored_layer2_frame_total_count
+ type: long
+ - name: ignored_layer2_octet_total_count
+ type: long
+ - name: ignored_octet_total_count
+ type: long
+ - name: ignored_packet_total_count
+ type: long
+ - name: information_element_data_type
+ type: short
+ - name: information_element_description
+ type: keyword
+ - name: information_element_id
+ type: integer
+ - name: information_element_index
+ type: integer
+ - name: information_element_name
+ type: keyword
+ - name: information_element_range_begin
+ type: long
+ - name: information_element_range_end
+ type: long
+ - name: information_element_semantics
+ type: short
+ - name: information_element_units
+ type: integer
+ - name: ingress_broadcast_packet_total_count
+ type: long
+ - name: ingress_interface
+ type: long
+ - name: ingress_interface_type
+ type: long
+ - name: ingress_multicast_packet_total_count
+ type: long
+ - name: ingress_physical_interface
+ type: long
+ - name: ingress_unicast_packet_total_count
+ type: long
+ - name: ingress_vrfid
+ type: long
+ - name: initial_tcp_flags
+ type: short
+ - name: initiator_octets
+ type: long
+ - name: initiator_packets
+ type: long
+ - name: interface_description
+ type: keyword
+ - name: interface_name
+ type: keyword
+ - name: intermediate_process_id
+ type: long
+ - name: internal_address_realm
+ type: short
+ - name: ip_class_of_service
+ type: short
+ - name: ip_diff_serv_code_point
+ type: short
+ - name: ip_header_length
+ type: short
+ - name: ip_header_packet_section
+ type: short
+ - name: ip_next_hop_ipv4_address
+ type: ip
+ - name: ip_next_hop_ipv6_address
+ type: ip
+ - name: ip_payload_length
+ type: long
+ - name: ip_payload_packet_section
+ type: short
+ - name: ip_precedence
+ type: short
+ - name: ip_sec_spi
+ type: long
+ - name: ip_total_length
+ type: long
+ - name: ip_ttl
+ type: short
+ - name: ip_version
+ type: short
+ - name: ipv4_ihl
+ type: short
+ - name: ipv4_options
+ type: long
+ - name: ipv4_router_sc
+ type: ip
+ - name: ipv6_extension_headers
+ type: long
+ - name: is_multicast
+ type: short
+ - name: ixia_browser_id
+ type: short
+ - name: ixia_browser_name
+ type: keyword
+ - name: ixia_device_id
+ type: short
+ - name: ixia_device_name
+ type: keyword
+ - name: ixia_dns_answer
+ type: keyword
+ - name: ixia_dns_classes
+ type: keyword
+ - name: ixia_dns_query
+ type: keyword
+ - name: ixia_dns_record_txt
+ type: keyword
+ - name: ixia_dst_as_name
+ type: keyword
+ - name: ixia_dst_city_name
+ type: keyword
+ - name: ixia_dst_country_code
+ type: keyword
+ - name: ixia_dst_country_name
+ type: keyword
+ - name: ixia_dst_latitude
+ type: float
+ - name: ixia_dst_longitude
+ type: float
+ - name: ixia_dst_region_code
+ type: keyword
+ - name: ixia_dst_region_node
+ type: keyword
+ - name: ixia_encrypt_cipher
+ type: keyword
+ - name: ixia_encrypt_key_length
+ type: integer
+ - name: ixia_encrypt_type
+ type: keyword
+ - name: ixia_http_host_name
+ type: keyword
+ - name: ixia_http_uri
+ type: keyword
+ - name: ixia_http_user_agent
+ type: keyword
+ - name: ixia_imsi_subscriber
+ type: keyword
+ - name: ixia_l7_app_id
+ type: long
+ - name: ixia_l7_app_name
+ type: keyword
+ - name: ixia_latency
+ type: long
+ - name: ixia_rev_octet_delta_count
+ type: long
+ - name: ixia_rev_packet_delta_count
+ type: long
+ - name: ixia_src_as_name
+ type: keyword
+ - name: ixia_src_city_name
+ type: keyword
+ - name: ixia_src_country_code
+ type: keyword
+ - name: ixia_src_country_name
+ type: keyword
+ - name: ixia_src_latitude
+ type: float
+ - name: ixia_src_longitude
+ type: float
+ - name: ixia_src_region_code
+ type: keyword
+ - name: ixia_src_region_name
+ type: keyword
+ - name: ixia_threat_ipv4
+ type: ip
+ - name: ixia_threat_ipv6
+ type: ip
+ - name: ixia_threat_type
+ type: keyword
+ - name: large_packet_count
+ type: long
+ - name: layer2_frame_delta_count
+ type: long
+ - name: layer2_frame_total_count
+ type: long
+ - name: layer2_octet_delta_count
+ type: long
+ - name: layer2_octet_delta_sum_of_squares
+ type: long
+ - name: layer2_octet_total_count
+ type: long
+ - name: layer2_octet_total_sum_of_squares
+ type: long
+ - name: layer2_segment_id
+ type: long
+ - name: layer2packet_section_data
+ type: short
+ - name: layer2packet_section_offset
+ type: integer
+ - name: layer2packet_section_size
+ type: integer
+ - name: line_card_id
+ type: long
+ - name: log_op
+ type: short
+ - name: lower_ci_limit
+ type: double
+ - name: mark
+ type: long
+ - name: max_bib_entries
+ type: long
+ - name: max_entries_per_user
+ type: long
+ - name: max_export_seconds
+ type: date
+ - name: max_flow_end_microseconds
+ type: date
+ - name: max_flow_end_milliseconds
+ type: date
+ - name: max_flow_end_nanoseconds
+ type: date
+ - name: max_flow_end_seconds
+ type: date
+ - name: max_fragments_pending_reassembly
+ type: long
+ - name: max_packet_size
+ type: integer
+ - name: max_session_entries
+ type: long
+ - name: max_subscribers
+ type: long
+ - name: maximum_ip_total_length
+ type: long
+ - name: maximum_layer2_total_length
+ type: long
+ - name: maximum_ttl
+ type: short
+ - name: mean_flow_rate
+ type: long
+ - name: mean_packet_rate
+ type: long
+ - name: message_md5_checksum
+ type: short
+ - name: message_scope
+ type: short
+ - name: metering_process_id
+ type: long
+ - name: metro_evc_id
+ type: keyword
+ - name: metro_evc_type
+ type: short
+ - name: mib_capture_time_semantics
+ type: short
+ - name: mib_context_engine_id
+ type: short
+ - name: mib_context_name
+ type: keyword
+ - name: mib_index_indicator
+ type: long
+ - name: mib_module_name
+ type: keyword
+ - name: mib_object_description
+ type: keyword
+ - name: mib_object_identifier
+ type: short
+ - name: mib_object_name
+ type: keyword
+ - name: mib_object_syntax
+ type: keyword
+ - name: mib_object_value_bits
+ type: short
+ - name: mib_object_value_counter
+ type: long
+ - name: mib_object_value_gauge
+ type: long
+ - name: mib_object_value_integer
+ type: integer
+ - name: mib_object_value_ip_address
+ type: ip
+ - name: mib_object_value_octet_string
+ type: short
+ - name: mib_object_value_oid
+ type: short
+ - name: mib_object_value_time_ticks
+ type: long
+ - name: mib_object_value_unsigned
+ type: long
+ - name: mib_sub_identifier
+ type: long
+ - name: min_export_seconds
+ type: date
+ - name: min_flow_start_microseconds
+ type: date
+ - name: min_flow_start_milliseconds
+ type: date
+ - name: min_flow_start_nanoseconds
+ type: date
+ - name: min_flow_start_seconds
+ type: date
+ - name: minimum_ip_total_length
+ type: long
+ - name: minimum_layer2_total_length
+ type: long
+ - name: minimum_ttl
+ type: short
+ - name: mobile_imsi
+ type: keyword
+ - name: mobile_msisdn
+ type: keyword
+ - name: monitoring_interval_end_milli_seconds
+ type: date
+ - name: monitoring_interval_start_milli_seconds
+ type: date
+ - name: mpls_label_stack_depth
+ type: long
+ - name: mpls_label_stack_length
+ type: long
+ - name: mpls_label_stack_section
+ type: short
+ - name: mpls_label_stack_section10
+ type: short
+ - name: mpls_label_stack_section2
+ type: short
+ - name: mpls_label_stack_section3
+ type: short
+ - name: mpls_label_stack_section4
+ type: short
+ - name: mpls_label_stack_section5
+ type: short
+ - name: mpls_label_stack_section6
+ type: short
+ - name: mpls_label_stack_section7
+ type: short
+ - name: mpls_label_stack_section8
+ type: short
+ - name: mpls_label_stack_section9
+ type: short
+ - name: mpls_payload_length
+ type: long
+ - name: mpls_payload_packet_section
+ type: short
+ - name: mpls_top_label_exp
+ type: short
+ - name: mpls_top_label_ipv4_address
+ type: ip
+ - name: mpls_top_label_ipv6_address
+ type: ip
+ - name: mpls_top_label_prefix_length
+ type: short
+ - name: mpls_top_label_stack_section
+ type: short
+ - name: mpls_top_label_ttl
+ type: short
+ - name: mpls_top_label_type
+ type: short
+ - name: mpls_vpn_route_distinguisher
+ type: short
+ - name: mptcp_address_id
+ type: short
+ - name: mptcp_flags
+ type: short
+ - name: mptcp_initial_data_sequence_number
+ type: long
+ - name: mptcp_maximum_segment_size
+ type: integer
+ - name: mptcp_receiver_token
+ type: long
+ - name: multicast_replication_factor
+ type: long
+ - name: nat_event
+ type: short
+ - name: nat_inside_svcid
+ type: integer
+ - name: nat_instance_id
+ type: long
+ - name: nat_originating_address_realm
+ type: short
+ - name: nat_outside_svcid
+ type: integer
+ - name: nat_pool_id
+ type: long
+ - name: nat_pool_name
+ type: keyword
+ - name: nat_quota_exceeded_event
+ type: long
+ - name: nat_sub_string
+ type: keyword
+ - name: nat_threshold_event
+ type: long
+ - name: nat_type
+ type: short
+ - name: netscale_ica_client_version
+ type: keyword
+ - name: netscaler_aaa_username
+ type: keyword
+ - name: netscaler_app_name
+ type: keyword
+ - name: netscaler_app_name_app_id
+ type: long
+ - name: netscaler_app_name_incarnation_number
+ type: long
+ - name: netscaler_app_template_name
+ type: keyword
+ - name: netscaler_app_unit_name_app_id
+ type: long
+ - name: netscaler_application_startup_duration
+ type: long
+ - name: netscaler_application_startup_time
+ type: long
+ - name: netscaler_cache_redir_client_connection_core_id
+ type: long
+ - name: netscaler_cache_redir_client_connection_transaction_id
+ type: long
+ - name: netscaler_client_rtt
+ type: long
+ - name: netscaler_connection_chain_hop_count
+ type: long
+ - name: netscaler_connection_chain_id
+ type: short
+ - name: netscaler_connection_id
+ type: long
+ - name: netscaler_current_license_consumed
+ type: long
+ - name: netscaler_db_clt_host_name
+ type: keyword
+ - name: netscaler_db_database_name
+ type: keyword
+ - name: netscaler_db_login_flags
+ type: long
+ - name: netscaler_db_protocol_name
+ type: short
+ - name: netscaler_db_req_string
+ type: keyword
+ - name: netscaler_db_req_type
+ type: short
+ - name: netscaler_db_resp_length
+ type: long
+ - name: netscaler_db_resp_status
+ type: long
+ - name: netscaler_db_resp_status_string
+ type: keyword
+ - name: netscaler_db_user_name
+ type: keyword
+ - name: netscaler_flow_flags
+ type: long
+ - name: netscaler_http_client_interaction_end_time
+ type: keyword
+ - name: netscaler_http_client_interaction_start_time
+ type: keyword
+ - name: netscaler_http_client_render_end_time
+ type: keyword
+ - name: netscaler_http_client_render_start_time
+ type: keyword
+ - name: netscaler_http_content_type
+ type: keyword
+ - name: netscaler_http_domain_name
+ type: keyword
+ - name: netscaler_http_req_authorization
+ type: keyword
+ - name: netscaler_http_req_cookie
+ type: keyword
+ - name: netscaler_http_req_forw_fb
+ type: long
+ - name: netscaler_http_req_forw_lb
+ type: long
+ - name: netscaler_http_req_host
+ type: keyword
+ - name: netscaler_http_req_method
+ type: keyword
+ - name: netscaler_http_req_rcv_fb
+ type: long
+ - name: netscaler_http_req_rcv_lb
+ type: long
+ - name: netscaler_http_req_referer
+ type: keyword
+ - name: netscaler_http_req_url
+ type: keyword
+ - name: netscaler_http_req_user_agent
+ type: keyword
+ - name: netscaler_http_req_via
+ type: keyword
+ - name: netscaler_http_req_xforwarded_for
+ type: keyword
+ - name: netscaler_http_res_forw_fb
+ type: long
+ - name: netscaler_http_res_forw_lb
+ type: long
+ - name: netscaler_http_res_location
+ type: keyword
+ - name: netscaler_http_res_rcv_fb
+ type: long
+ - name: netscaler_http_res_rcv_lb
+ type: long
+ - name: netscaler_http_res_set_cookie
+ type: keyword
+ - name: netscaler_http_res_set_cookie2
+ type: keyword
+ - name: netscaler_http_rsp_len
+ type: long
+ - name: netscaler_http_rsp_status
+ type: integer
+ - name: netscaler_ica_app_module_path
+ type: keyword
+ - name: netscaler_ica_app_process_id
+ type: long
+ - name: netscaler_ica_application_name
+ type: keyword
+ - name: netscaler_ica_application_termination_time
+ type: long
+ - name: netscaler_ica_application_termination_type
+ type: integer
+ - name: netscaler_ica_channel_id1
+ type: long
+ - name: netscaler_ica_channel_id1_bytes
+ type: long
+ - name: netscaler_ica_channel_id2
+ type: long
+ - name: netscaler_ica_channel_id2_bytes
+ type: long
+ - name: netscaler_ica_channel_id3
+ type: long
+ - name: netscaler_ica_channel_id3_bytes
+ type: long
+ - name: netscaler_ica_channel_id4
+ type: long
+ - name: netscaler_ica_channel_id4_bytes
+ type: long
+ - name: netscaler_ica_channel_id5
+ type: long
+ - name: netscaler_ica_channel_id5_bytes
+ type: long
+ - name: netscaler_ica_client_host_name
+ type: keyword
+ - name: netscaler_ica_client_ip
+ type: ip
+ - name: netscaler_ica_client_launcher
+ type: integer
+ - name: netscaler_ica_client_side_rto_count
+ type: integer
+ - name: netscaler_ica_client_side_window_size
+ type: integer
+ - name: netscaler_ica_client_type
+ type: integer
+ - name: netscaler_ica_clientside_delay
+ type: long
+ - name: netscaler_ica_clientside_jitter
+ type: long
+ - name: netscaler_ica_clientside_packets_retransmit
+ type: integer
+ - name: netscaler_ica_clientside_rtt
+ type: long
+ - name: netscaler_ica_clientside_rx_bytes
+ type: long
+ - name: netscaler_ica_clientside_srtt
+ type: long
+ - name: netscaler_ica_clientside_tx_bytes
+ type: long
+ - name: netscaler_ica_connection_priority
+ type: integer
+ - name: netscaler_ica_device_serial_no
+ type: long
+ - name: netscaler_ica_domain_name
+ type: keyword
+ - name: netscaler_ica_flags
+ type: long
+ - name: netscaler_ica_host_delay
+ type: long
+ - name: netscaler_ica_l7_client_latency
+ type: long
+ - name: netscaler_ica_l7_server_latency
+ type: long
+ - name: netscaler_ica_launch_mechanism
+ type: integer
+ - name: netscaler_ica_network_update_end_time
+ type: long
+ - name: netscaler_ica_network_update_start_time
+ type: long
+ - name: netscaler_ica_rtt
+ type: long
+ - name: netscaler_ica_server_name
+ type: keyword
+ - name: netscaler_ica_server_side_rto_count
+ type: integer
+ - name: netscaler_ica_server_side_window_size
+ type: integer
+ - name: netscaler_ica_serverside_delay
+ type: long
+ - name: netscaler_ica_serverside_jitter
+ type: long
+ - name: netscaler_ica_serverside_packets_retransmit
+ type: integer
+ - name: netscaler_ica_serverside_rtt
+ type: long
+ - name: netscaler_ica_serverside_srtt
+ type: long
+ - name: netscaler_ica_session_end_time
+ type: long
+ - name: netscaler_ica_session_guid
+ type: short
+ - name: netscaler_ica_session_reconnects
+ type: short
+ - name: netscaler_ica_session_setup_time
+ type: long
+ - name: netscaler_ica_session_update_begin_sec
+ type: long
+ - name: netscaler_ica_session_update_end_sec
+ type: long
+ - name: netscaler_ica_username
+ type: keyword
+ - name: netscaler_license_type
+ type: short
+ - name: netscaler_main_page_core_id
+ type: long
+ - name: netscaler_main_page_id
+ type: long
+ - name: netscaler_max_license_count
+ type: long
+ - name: netscaler_msi_client_cookie
+ type: short
+ - name: netscaler_round_trip_time
+ type: long
+ - name: netscaler_server_ttfb
+ type: long
+ - name: netscaler_server_ttlb
+ type: long
+ - name: netscaler_syslog_message
+ type: keyword
+ - name: netscaler_syslog_priority
+ type: short
+ - name: netscaler_syslog_timestamp
+ type: long
+ - name: netscaler_transaction_id
+ type: long
+ - name: netscaler_unknown270
+ type: long
+ - name: netscaler_unknown271
+ type: long
+ - name: netscaler_unknown272
+ type: long
+ - name: netscaler_unknown273
+ type: long
+ - name: netscaler_unknown274
+ type: long
+ - name: netscaler_unknown275
+ type: long
+ - name: netscaler_unknown276
+ type: long
+ - name: netscaler_unknown277
+ type: long
+ - name: netscaler_unknown278
+ type: long
+ - name: netscaler_unknown279
+ type: long
+ - name: netscaler_unknown280
+ type: long
+ - name: netscaler_unknown281
+ type: long
+ - name: netscaler_unknown282
+ type: long
+ - name: netscaler_unknown283
+ type: long
+ - name: netscaler_unknown284
+ type: long
+ - name: netscaler_unknown285
+ type: long
+ - name: netscaler_unknown286
+ type: long
+ - name: netscaler_unknown287
+ type: long
+ - name: netscaler_unknown288
+ type: long
+ - name: netscaler_unknown289
+ type: long
+ - name: netscaler_unknown290
+ type: long
+ - name: netscaler_unknown291
+ type: long
+ - name: netscaler_unknown292
+ type: long
+ - name: netscaler_unknown293
+ type: long
+ - name: netscaler_unknown294
+ type: long
+ - name: netscaler_unknown295
+ type: long
+ - name: netscaler_unknown296
+ type: long
+ - name: netscaler_unknown297
+ type: long
+ - name: netscaler_unknown298
+ type: long
+ - name: netscaler_unknown299
+ type: long
+ - name: netscaler_unknown300
+ type: long
+ - name: netscaler_unknown301
+ type: long
+ - name: netscaler_unknown302
+ type: long
+ - name: netscaler_unknown303
+ type: long
+ - name: netscaler_unknown304
+ type: long
+ - name: netscaler_unknown305
+ type: long
+ - name: netscaler_unknown306
+ type: long
+ - name: netscaler_unknown307
+ type: long
+ - name: netscaler_unknown308
+ type: long
+ - name: netscaler_unknown309
+ type: long
+ - name: netscaler_unknown310
+ type: long
+ - name: netscaler_unknown311
+ type: long
+ - name: netscaler_unknown312
+ type: long
+ - name: netscaler_unknown313
+ type: long
+ - name: netscaler_unknown314
+ type: long
+ - name: netscaler_unknown315
+ type: long
+ - name: netscaler_unknown316
+ type: keyword
+ - name: netscaler_unknown317
+ type: long
+ - name: netscaler_unknown318
+ type: long
+ - name: netscaler_unknown319
+ type: keyword
+ - name: netscaler_unknown320
+ type: integer
+ - name: netscaler_unknown321
+ type: long
+ - name: netscaler_unknown322
+ type: long
+ - name: netscaler_unknown323
+ type: integer
+ - name: netscaler_unknown324
+ type: integer
+ - name: netscaler_unknown325
+ type: integer
+ - name: netscaler_unknown326
+ type: integer
+ - name: netscaler_unknown327
+ type: long
+ - name: netscaler_unknown328
+ type: integer
+ - name: netscaler_unknown329
+ type: integer
+ - name: netscaler_unknown330
+ type: integer
+ - name: netscaler_unknown331
+ type: integer
+ - name: netscaler_unknown332
+ type: long
+ - name: netscaler_unknown333
+ type: keyword
+ - name: netscaler_unknown334
+ type: keyword
+ - name: netscaler_unknown335
+ type: long
+ - name: netscaler_unknown336
+ type: long
+ - name: netscaler_unknown337
+ type: long
+ - name: netscaler_unknown338
+ type: long
+ - name: netscaler_unknown339
+ type: long
+ - name: netscaler_unknown340
+ type: long
+ - name: netscaler_unknown341
+ type: long
+ - name: netscaler_unknown342
+ type: long
+ - name: netscaler_unknown343
+ type: long
+ - name: netscaler_unknown344
+ type: long
+ - name: netscaler_unknown345
+ type: long
+ - name: netscaler_unknown346
+ type: long
+ - name: netscaler_unknown347
+ type: long
+ - name: netscaler_unknown348
+ type: integer
+ - name: netscaler_unknown349
+ type: keyword
+ - name: netscaler_unknown350
+ type: keyword
+ - name: netscaler_unknown351
+ type: keyword
+ - name: netscaler_unknown352
+ type: integer
+ - name: netscaler_unknown353
+ type: long
+ - name: netscaler_unknown354
+ type: long
+ - name: netscaler_unknown355
+ type: long
+ - name: netscaler_unknown356
+ type: long
+ - name: netscaler_unknown357
+ type: long
+ - name: netscaler_unknown363
+ type: short
+ - name: netscaler_unknown383
+ type: short
+ - name: netscaler_unknown391
+ type: long
+ - name: netscaler_unknown398
+ type: long
+ - name: netscaler_unknown404
+ type: long
+ - name: netscaler_unknown405
+ type: long
+ - name: netscaler_unknown427
+ type: long
+ - name: netscaler_unknown429
+ type: short
+ - name: netscaler_unknown432
+ type: short
+ - name: netscaler_unknown433
+ type: short
+ - name: netscaler_unknown453
+ type: long
+ - name: netscaler_unknown465
+ type: long
+ - name: new_connection_delta_count
+ type: long
+ - name: next_header_ipv6
+ type: short
+ - name: non_empty_packet_count
+ type: long
+ - name: not_sent_flow_total_count
+ type: long
+ - name: not_sent_layer2_octet_total_count
+ type: long
+ - name: not_sent_octet_total_count
+ type: long
+ - name: not_sent_packet_total_count
+ type: long
+ - name: observation_domain_id
+ type: long
+ - name: observation_domain_name
+ type: keyword
+ - name: observation_point_id
+ type: long
+ - name: observation_point_type
+ type: short
+ - name: observation_time_microseconds
+ type: date
+ - name: observation_time_milliseconds
+ type: date
+ - name: observation_time_nanoseconds
+ type: date
+ - name: observation_time_seconds
+ type: date
+ - name: observed_flow_total_count
+ type: long
+ - name: octet_delta_count
+ type: long
+ - name: octet_delta_sum_of_squares
+ type: long
+ - name: octet_total_count
+ type: long
+ - name: octet_total_sum_of_squares
+ type: long
+ - name: opaque_octets
+ type: short
+ - name: original_exporter_ipv4_address
+ type: ip
+ - name: original_exporter_ipv6_address
+ type: ip
+ - name: original_flows_completed
+ type: long
+ - name: original_flows_initiated
+ type: long
+ - name: original_flows_present
+ type: long
+ - name: original_observation_domain_id
+ type: long
+ - name: os_finger_print
+ type: keyword
+ - name: os_name
+ type: keyword
+ - name: os_version
+ type: keyword
+ - name: p2p_technology
+ type: keyword
+ - name: packet_delta_count
+ type: long
+ - name: packet_total_count
+ type: long
+ - name: padding_octets
+ type: short
+ - name: payload
+ type: keyword
+ - name: payload_entropy
+ type: short
+ - name: payload_length_ipv6
+ type: integer
+ - name: policy_qos_classification_hierarchy
+ type: long
+ - name: policy_qos_queue_index
+ type: long
+ - name: policy_qos_queuedrops
+ type: long
+ - name: policy_qos_queueindex
+ type: long
+ - name: port_id
+ type: long
+ - name: port_range_end
+ type: integer
+ - name: port_range_num_ports
+ type: integer
+ - name: port_range_start
+ type: integer
+ - name: port_range_step_size
+ type: integer
+ - name: post_destination_mac_address
+ type: keyword
+ - name: post_dot1q_customer_vlan_id
+ type: integer
+ - name: post_dot1q_vlan_id
+ type: integer
+ - name: post_ip_class_of_service
+ type: short
+ - name: post_ip_diff_serv_code_point
+ type: short
+ - name: post_ip_precedence
+ type: short
+ - name: post_layer2_octet_delta_count
+ type: long
+ - name: post_layer2_octet_total_count
+ type: long
+ - name: post_mcast_layer2_octet_delta_count
+ type: long
+ - name: post_mcast_layer2_octet_total_count
+ type: long
+ - name: post_mcast_octet_delta_count
+ type: long
+ - name: post_mcast_octet_total_count
+ type: long
+ - name: post_mcast_packet_delta_count
+ type: long
+ - name: post_mcast_packet_total_count
+ type: long
+ - name: post_mpls_top_label_exp
+ type: short
+ - name: post_napt_destination_transport_port
+ type: integer
+ - name: post_napt_source_transport_port
+ type: integer
+ - name: post_nat_destination_ipv4_address
+ type: ip
+ - name: post_nat_destination_ipv6_address
+ type: ip
+ - name: post_nat_source_ipv4_address
+ type: ip
+ - name: post_nat_source_ipv6_address
+ type: ip
+ - name: post_octet_delta_count
+ type: long
+ - name: post_octet_total_count
+ type: long
+ - name: post_packet_delta_count
+ type: long
+ - name: post_packet_total_count
+ type: long
+ - name: post_source_mac_address
+ type: keyword
+ - name: post_vlan_id
+ type: integer
+ - name: private_enterprise_number
+ type: long
+ - name: procera_apn
+ type: keyword
+ - name: procera_base_service
+ type: keyword
+ - name: procera_content_categories
+ type: keyword
+ - name: procera_device_id
+ type: long
+ - name: procera_external_rtt
+ type: integer
+ - name: procera_flow_behavior
+ type: keyword
+ - name: procera_ggsn
+ type: keyword
+ - name: procera_http_content_type
+ type: keyword
+ - name: procera_http_file_length
+ type: long
+ - name: procera_http_language
+ type: keyword
+ - name: procera_http_location
+ type: keyword
+ - name: procera_http_referer
+ type: keyword
+ - name: procera_http_request_method
+ type: keyword
+ - name: procera_http_request_version
+ type: keyword
+ - name: procera_http_response_status
+ type: integer
+ - name: procera_http_url
+ type: keyword
+ - name: procera_http_user_agent
+ type: keyword
+ - name: procera_imsi
+ type: long
+ - name: procera_incoming_octets
+ type: long
+ - name: procera_incoming_packets
+ type: long
+ - name: procera_incoming_shaping_drops
+ type: long
+ - name: procera_incoming_shaping_latency
+ type: integer
+ - name: procera_internal_rtt
+ type: integer
+ - name: procera_local_ipv4_host
+ type: ip
+ - name: procera_local_ipv6_host
+ type: ip
+ - name: procera_msisdn
+ type: long
+ - name: procera_outgoing_octets
+ type: long
+ - name: procera_outgoing_packets
+ type: long
+ - name: procera_outgoing_shaping_drops
+ type: long
+ - name: procera_outgoing_shaping_latency
+ type: integer
+ - name: procera_property
+ type: keyword
+ - name: procera_qoe_incoming_external
+ type: float
+ - name: procera_qoe_incoming_internal
+ type: float
+ - name: procera_qoe_outgoing_external
+ type: float
+ - name: procera_qoe_outgoing_internal
+ type: float
+ - name: procera_rat
+ type: keyword
+ - name: procera_remote_ipv4_host
+ type: ip
+ - name: procera_remote_ipv6_host
+ type: ip
+ - name: procera_rnc
+ type: integer
+ - name: procera_server_hostname
+ type: keyword
+ - name: procera_service
+ type: keyword
+ - name: procera_sgsn
+ type: keyword
+ - name: procera_subscriber_identifier
+ type: keyword
+ - name: procera_template_name
+ type: keyword
+ - name: procera_user_location_information
+ type: keyword
+ - name: protocol_identifier
+ type: short
+ - name: pseudo_wire_control_word
+ type: long
+ - name: pseudo_wire_destination_ipv4_address
+ type: ip
+ - name: pseudo_wire_id
+ type: long
+ - name: pseudo_wire_type
+ type: integer
+ - name: reason
+ type: long
+ - name: reason_text
+ type: keyword
+ - name: relative_error
+ type: double
+ - name: responder_octets
+ type: long
+ - name: responder_packets
+ type: long
+ - name: reverse_absolute_error
+ type: double
+ - name: reverse_anonymization_flags
+ type: integer
+ - name: reverse_anonymization_technique
+ type: integer
+ - name: reverse_application_category_name
+ type: keyword
+ - name: reverse_application_description
+ type: keyword
+ - name: reverse_application_group_name
+ type: keyword
+ - name: reverse_application_id
+ type: keyword
+ - name: reverse_application_name
+ type: keyword
+ - name: reverse_application_sub_category_name
+ type: keyword
+ - name: reverse_average_interarrival_time
+ type: long
+ - name: reverse_bgp_destination_as_number
+ type: long
+ - name: reverse_bgp_next_adjacent_as_number
+ type: long
+ - name: reverse_bgp_next_hop_ipv4_address
+ type: ip
+ - name: reverse_bgp_next_hop_ipv6_address
+ type: ip
+ - name: reverse_bgp_prev_adjacent_as_number
+ type: long
+ - name: reverse_bgp_source_as_number
+ type: long
+ - name: reverse_bgp_validity_state
+ type: short
+ - name: reverse_class_id
+ type: short
+ - name: reverse_class_name
+ type: keyword
+ - name: reverse_classification_engine_id
+ type: short
+ - name: reverse_collection_time_milliseconds
+ type: long
+ - name: reverse_collector_certificate
+ type: keyword
+ - name: reverse_confidence_level
+ type: double
+ - name: reverse_connection_sum_duration_seconds
+ type: long
+ - name: reverse_connection_transaction_id
+ type: long
+ - name: reverse_data_byte_count
+ type: long
+ - name: reverse_data_link_frame_section
+ type: keyword
+ - name: reverse_data_link_frame_size
+ type: integer
+ - name: reverse_data_link_frame_type
+ type: integer
+ - name: reverse_data_records_reliability
+ type: short
+ - name: reverse_delta_flow_count
+ type: long
+ - name: reverse_destination_ipv4_address
+ type: ip
+ - name: reverse_destination_ipv4_prefix
+ type: ip
+ - name: reverse_destination_ipv4_prefix_length
+ type: short
+ - name: reverse_destination_ipv6_address
+ type: ip
+ - name: reverse_destination_ipv6_prefix
+ type: ip
+ - name: reverse_destination_ipv6_prefix_length
+ type: short
+ - name: reverse_destination_mac_address
+ type: keyword
+ - name: reverse_destination_transport_port
+ type: integer
+ - name: reverse_digest_hash_value
+ type: long
+ - name: reverse_distinct_count_of_destination_ip_address
+ type: long
+ - name: reverse_distinct_count_of_destination_ipv4_address
+ type: long
+ - name: reverse_distinct_count_of_destination_ipv6_address
+ type: long
+ - name: reverse_distinct_count_of_source_ip_address
+ type: long
+ - name: reverse_distinct_count_of_source_ipv4_address
+ type: long
+ - name: reverse_distinct_count_of_source_ipv6_address
+ type: long
+ - name: reverse_dot1q_customer_dei
+ type: short
+ - name: reverse_dot1q_customer_destination_mac_address
+ type: keyword
+ - name: reverse_dot1q_customer_priority
+ type: short
+ - name: reverse_dot1q_customer_source_mac_address
+ type: keyword
+ - name: reverse_dot1q_customer_vlan_id
+ type: integer
+ - name: reverse_dot1q_dei
+ type: short
+ - name: reverse_dot1q_priority
+ type: short
+ - name: reverse_dot1q_service_instance_id
+ type: long
+ - name: reverse_dot1q_service_instance_priority
+ type: short
+ - name: reverse_dot1q_service_instance_tag
+ type: keyword
+ - name: reverse_dot1q_vlan_id
+ type: integer
+ - name: reverse_dropped_layer2_octet_delta_count
+ type: long
+ - name: reverse_dropped_layer2_octet_total_count
+ type: long
+ - name: reverse_dropped_octet_delta_count
+ type: long
+ - name: reverse_dropped_octet_total_count
+ type: long
+ - name: reverse_dropped_packet_delta_count
+ type: long
+ - name: reverse_dropped_packet_total_count
+ type: long
+ - name: reverse_dst_traffic_index
+ type: long
+ - name: reverse_egress_broadcast_packet_total_count
+ type: long
+ - name: reverse_egress_interface
+ type: long
+ - name: reverse_egress_interface_type
+ type: long
+ - name: reverse_egress_physical_interface
+ type: long
+ - name: reverse_egress_unicast_packet_total_count
+ type: long
+ - name: reverse_egress_vrfid
+ type: long
+ - name: reverse_encrypted_technology
+ type: keyword
+ - name: reverse_engine_id
+ type: short
+ - name: reverse_engine_type
+ type: short
+ - name: reverse_ethernet_header_length
+ type: short
+ - name: reverse_ethernet_payload_length
+ type: integer
+ - name: reverse_ethernet_total_length
+ type: integer
+ - name: reverse_ethernet_type
+ type: integer
+ - name: reverse_export_sctp_stream_id
+ type: integer
+ - name: reverse_exporter_certificate
+ type: keyword
+ - name: reverse_exporting_process_id
+ type: long
+ - name: reverse_firewall_event
+ type: short
+ - name: reverse_first_non_empty_packet_size
+ type: integer
+ - name: reverse_first_packet_banner
+ type: keyword
+ - name: reverse_flags_and_sampler_id
+ type: long
+ - name: reverse_flow_active_timeout
+ type: integer
+ - name: reverse_flow_attributes
+ type: integer
+ - name: reverse_flow_delta_milliseconds
+ type: long
+ - name: reverse_flow_direction
+ type: short
+ - name: reverse_flow_duration_microseconds
+ type: long
+ - name: reverse_flow_duration_milliseconds
+ type: long
+ - name: reverse_flow_end_delta_microseconds
+ type: long
+ - name: reverse_flow_end_microseconds
+ type: long
+ - name: reverse_flow_end_milliseconds
+ type: long
+ - name: reverse_flow_end_nanoseconds
+ type: long
+ - name: reverse_flow_end_reason
+ type: short
+ - name: reverse_flow_end_seconds
+ type: long
+ - name: reverse_flow_end_sys_up_time
+ type: long
+ - name: reverse_flow_idle_timeout
+ type: integer
+ - name: reverse_flow_label_ipv6
+ type: long
+ - name: reverse_flow_sampling_time_interval
+ type: long
+ - name: reverse_flow_sampling_time_spacing
+ type: long
+ - name: reverse_flow_selected_flow_delta_count
+ type: long
+ - name: reverse_flow_selected_octet_delta_count
+ type: long
+ - name: reverse_flow_selected_packet_delta_count
+ type: long
+ - name: reverse_flow_selector_algorithm
+ type: integer
+ - name: reverse_flow_start_delta_microseconds
+ type: long
+ - name: reverse_flow_start_microseconds
+ type: long
+ - name: reverse_flow_start_milliseconds
+ type: long
+ - name: reverse_flow_start_nanoseconds
+ type:
long + - name: reverse_flow_start_seconds + type: long + - name: reverse_flow_start_sys_up_time + type: long + - name: reverse_forwarding_status + type: long + - name: reverse_fragment_flags + type: short + - name: reverse_fragment_identification + type: long + - name: reverse_fragment_offset + type: integer + - name: reverse_gre_key + type: long + - name: reverse_hash_digest_output + type: short + - name: reverse_hash_flow_domain + type: integer + - name: reverse_hash_initialiser_value + type: long + - name: reverse_hash_ip_payload_offset + type: long + - name: reverse_hash_ip_payload_size + type: long + - name: reverse_hash_output_range_max + type: long + - name: reverse_hash_output_range_min + type: long + - name: reverse_hash_selected_range_max + type: long + - name: reverse_hash_selected_range_min + type: long + - name: reverse_icmp_code_ipv4 + type: short + - name: reverse_icmp_code_ipv6 + type: short + - name: reverse_icmp_type_code_ipv4 + type: integer + - name: reverse_icmp_type_code_ipv6 + type: integer + - name: reverse_icmp_type_ipv4 + type: short + - name: reverse_icmp_type_ipv6 + type: short + - name: reverse_igmp_type + type: short + - name: reverse_ignored_data_record_total_count + type: long + - name: reverse_ignored_layer2_frame_total_count + type: long + - name: reverse_ignored_layer2_octet_total_count + type: long + - name: reverse_information_element_data_type + type: short + - name: reverse_information_element_description + type: keyword + - name: reverse_information_element_id + type: integer + - name: reverse_information_element_index + type: integer + - name: reverse_information_element_name + type: keyword + - name: reverse_information_element_range_begin + type: long + - name: reverse_information_element_range_end + type: long + - name: reverse_information_element_semantics + type: short + - name: reverse_information_element_units + type: integer + - name: reverse_ingress_broadcast_packet_total_count + type: long + - name: 
reverse_ingress_interface + type: long + - name: reverse_ingress_interface_type + type: long + - name: reverse_ingress_multicast_packet_total_count + type: long + - name: reverse_ingress_physical_interface + type: long + - name: reverse_ingress_unicast_packet_total_count + type: long + - name: reverse_ingress_vrfid + type: long + - name: reverse_initial_tcp_flags + type: short + - name: reverse_initiator_octets + type: long + - name: reverse_initiator_packets + type: long + - name: reverse_interface_description + type: keyword + - name: reverse_interface_name + type: keyword + - name: reverse_intermediate_process_id + type: long + - name: reverse_ip_class_of_service + type: short + - name: reverse_ip_diff_serv_code_point + type: short + - name: reverse_ip_header_length + type: short + - name: reverse_ip_header_packet_section + type: keyword + - name: reverse_ip_next_hop_ipv4_address + type: ip + - name: reverse_ip_next_hop_ipv6_address + type: ip + - name: reverse_ip_payload_length + type: long + - name: reverse_ip_payload_packet_section + type: keyword + - name: reverse_ip_precedence + type: short + - name: reverse_ip_sec_spi + type: long + - name: reverse_ip_total_length + type: long + - name: reverse_ip_ttl + type: short + - name: reverse_ip_version + type: short + - name: reverse_ipv4_ihl + type: short + - name: reverse_ipv4_options + type: long + - name: reverse_ipv4_router_sc + type: ip + - name: reverse_ipv6_extension_headers + type: long + - name: reverse_is_multicast + type: short + - name: reverse_large_packet_count + type: long + - name: reverse_layer2_frame_delta_count + type: long + - name: reverse_layer2_frame_total_count + type: long + - name: reverse_layer2_octet_delta_count + type: long + - name: reverse_layer2_octet_delta_sum_of_squares + type: long + - name: reverse_layer2_octet_total_count + type: long + - name: reverse_layer2_octet_total_sum_of_squares + type: long + - name: reverse_layer2_segment_id + type: long + - name: 
reverse_layer2packet_section_data + type: keyword + - name: reverse_layer2packet_section_offset + type: integer + - name: reverse_layer2packet_section_size + type: integer + - name: reverse_line_card_id + type: long + - name: reverse_lower_ci_limit + type: double + - name: reverse_max_export_seconds + type: long + - name: reverse_max_flow_end_microseconds + type: long + - name: reverse_max_flow_end_milliseconds + type: long + - name: reverse_max_flow_end_nanoseconds + type: long + - name: reverse_max_flow_end_seconds + type: long + - name: reverse_max_packet_size + type: integer + - name: reverse_maximum_ip_total_length + type: long + - name: reverse_maximum_layer2_total_length + type: long + - name: reverse_maximum_ttl + type: short + - name: reverse_message_md5_checksum + type: keyword + - name: reverse_message_scope + type: short + - name: reverse_metering_process_id + type: long + - name: reverse_metro_evc_id + type: keyword + - name: reverse_metro_evc_type + type: short + - name: reverse_min_export_seconds + type: long + - name: reverse_min_flow_start_microseconds + type: long + - name: reverse_min_flow_start_milliseconds + type: long + - name: reverse_min_flow_start_nanoseconds + type: long + - name: reverse_min_flow_start_seconds + type: long + - name: reverse_minimum_ip_total_length + type: long + - name: reverse_minimum_layer2_total_length + type: long + - name: reverse_minimum_ttl + type: short + - name: reverse_monitoring_interval_end_milli_seconds + type: long + - name: reverse_monitoring_interval_start_milli_seconds + type: long + - name: reverse_mpls_label_stack_depth + type: long + - name: reverse_mpls_label_stack_length + type: long + - name: reverse_mpls_label_stack_section + type: keyword + - name: reverse_mpls_label_stack_section10 + type: keyword + - name: reverse_mpls_label_stack_section2 + type: keyword + - name: reverse_mpls_label_stack_section3 + type: keyword + - name: reverse_mpls_label_stack_section4 + type: keyword + - name: 
reverse_mpls_label_stack_section5 + type: keyword + - name: reverse_mpls_label_stack_section6 + type: keyword + - name: reverse_mpls_label_stack_section7 + type: keyword + - name: reverse_mpls_label_stack_section8 + type: keyword + - name: reverse_mpls_label_stack_section9 + type: keyword + - name: reverse_mpls_payload_length + type: long + - name: reverse_mpls_payload_packet_section + type: keyword + - name: reverse_mpls_top_label_exp + type: short + - name: reverse_mpls_top_label_ipv4_address + type: ip + - name: reverse_mpls_top_label_ipv6_address + type: ip + - name: reverse_mpls_top_label_prefix_length + type: short + - name: reverse_mpls_top_label_stack_section + type: keyword + - name: reverse_mpls_top_label_ttl + type: short + - name: reverse_mpls_top_label_type + type: short + - name: reverse_mpls_vpn_route_distinguisher + type: keyword + - name: reverse_multicast_replication_factor + type: long + - name: reverse_nat_event + type: short + - name: reverse_nat_originating_address_realm + type: short + - name: reverse_nat_pool_id + type: long + - name: reverse_nat_pool_name + type: keyword + - name: reverse_nat_type + type: short + - name: reverse_new_connection_delta_count + type: long + - name: reverse_next_header_ipv6 + type: short + - name: reverse_non_empty_packet_count + type: long + - name: reverse_not_sent_layer2_octet_total_count + type: long + - name: reverse_observation_domain_name + type: keyword + - name: reverse_observation_point_id + type: long + - name: reverse_observation_point_type + type: short + - name: reverse_observation_time_microseconds + type: long + - name: reverse_observation_time_milliseconds + type: long + - name: reverse_observation_time_nanoseconds + type: long + - name: reverse_observation_time_seconds + type: long + - name: reverse_octet_delta_count + type: long + - name: reverse_octet_delta_sum_of_squares + type: long + - name: reverse_octet_total_count + type: long + - name: reverse_octet_total_sum_of_squares + type: long + 
- name: reverse_opaque_octets + type: keyword + - name: reverse_original_exporter_ipv4_address + type: ip + - name: reverse_original_exporter_ipv6_address + type: ip + - name: reverse_original_flows_completed + type: long + - name: reverse_original_flows_initiated + type: long + - name: reverse_original_flows_present + type: long + - name: reverse_original_observation_domain_id + type: long + - name: reverse_os_finger_print + type: keyword + - name: reverse_os_name + type: keyword + - name: reverse_os_version + type: keyword + - name: reverse_p2p_technology + type: keyword + - name: reverse_packet_delta_count + type: long + - name: reverse_packet_total_count + type: long + - name: reverse_payload + type: keyword + - name: reverse_payload_entropy + type: short + - name: reverse_payload_length_ipv6 + type: integer + - name: reverse_port_id + type: long + - name: reverse_port_range_end + type: integer + - name: reverse_port_range_num_ports + type: integer + - name: reverse_port_range_start + type: integer + - name: reverse_port_range_step_size + type: integer + - name: reverse_post_destination_mac_address + type: keyword + - name: reverse_post_dot1q_customer_vlan_id + type: integer + - name: reverse_post_dot1q_vlan_id + type: integer + - name: reverse_post_ip_class_of_service + type: short + - name: reverse_post_ip_diff_serv_code_point + type: short + - name: reverse_post_ip_precedence + type: short + - name: reverse_post_layer2_octet_delta_count + type: long + - name: reverse_post_layer2_octet_total_count + type: long + - name: reverse_post_mcast_layer2_octet_delta_count + type: long + - name: reverse_post_mcast_layer2_octet_total_count + type: long + - name: reverse_post_mcast_octet_delta_count + type: long + - name: reverse_post_mcast_octet_total_count + type: long + - name: reverse_post_mcast_packet_delta_count + type: long + - name: reverse_post_mcast_packet_total_count + type: long + - name: reverse_post_mpls_top_label_exp + type: short + - name: 
reverse_post_napt_destination_transport_port + type: integer + - name: reverse_post_napt_source_transport_port + type: integer + - name: reverse_post_nat_destination_ipv4_address + type: ip + - name: reverse_post_nat_destination_ipv6_address + type: ip + - name: reverse_post_nat_source_ipv4_address + type: ip + - name: reverse_post_nat_source_ipv6_address + type: ip + - name: reverse_post_octet_delta_count + type: long + - name: reverse_post_octet_total_count + type: long + - name: reverse_post_packet_delta_count + type: long + - name: reverse_post_packet_total_count + type: long + - name: reverse_post_source_mac_address + type: keyword + - name: reverse_post_vlan_id + type: integer + - name: reverse_private_enterprise_number + type: long + - name: reverse_protocol_identifier + type: short + - name: reverse_pseudo_wire_control_word + type: long + - name: reverse_pseudo_wire_destination_ipv4_address + type: ip + - name: reverse_pseudo_wire_id + type: long + - name: reverse_pseudo_wire_type + type: integer + - name: reverse_relative_error + type: double + - name: reverse_responder_octets + type: long + - name: reverse_responder_packets + type: long + - name: reverse_rfc3550_jitter_microseconds + type: long + - name: reverse_rfc3550_jitter_milliseconds + type: long + - name: reverse_rfc3550_jitter_nanoseconds + type: long + - name: reverse_rtp_payload_type + type: short + - name: reverse_rtp_sequence_number + type: integer + - name: reverse_sampler_id + type: short + - name: reverse_sampler_mode + type: short + - name: reverse_sampler_name + type: keyword + - name: reverse_sampler_random_interval + type: long + - name: reverse_sampling_algorithm + type: short + - name: reverse_sampling_flow_interval + type: long + - name: reverse_sampling_flow_spacing + type: long + - name: reverse_sampling_interval + type: long + - name: reverse_sampling_packet_interval + type: long + - name: reverse_sampling_packet_space + type: long + - name: reverse_sampling_population + type: 
long + - name: reverse_sampling_probability + type: double + - name: reverse_sampling_size + type: long + - name: reverse_sampling_time_interval + type: long + - name: reverse_sampling_time_space + type: long + - name: reverse_second_packet_banner + type: keyword + - name: reverse_section_exported_octets + type: integer + - name: reverse_section_offset + type: integer + - name: reverse_selection_sequence_id + type: long + - name: reverse_selector_algorithm + type: integer + - name: reverse_selector_id + type: long + - name: reverse_selector_id_total_flows_observed + type: long + - name: reverse_selector_id_total_flows_selected + type: long + - name: reverse_selector_id_total_pkts_observed + type: long + - name: reverse_selector_id_total_pkts_selected + type: long + - name: reverse_selector_name + type: keyword + - name: reverse_session_scope + type: short + - name: reverse_small_packet_count + type: long + - name: reverse_source_ipv4_address + type: ip + - name: reverse_source_ipv4_prefix + type: ip + - name: reverse_source_ipv4_prefix_length + type: short + - name: reverse_source_ipv6_address + type: ip + - name: reverse_source_ipv6_prefix + type: ip + - name: reverse_source_ipv6_prefix_length + type: short + - name: reverse_source_mac_address + type: keyword + - name: reverse_source_transport_port + type: integer + - name: reverse_src_traffic_index + type: long + - name: reverse_sta_ipv4_address + type: ip + - name: reverse_sta_mac_address + type: keyword + - name: reverse_standard_deviation_interarrival_time + type: long + - name: reverse_standard_deviation_payload_length + type: integer + - name: reverse_system_init_time_milliseconds + type: long + - name: reverse_tcp_ack_total_count + type: long + - name: reverse_tcp_acknowledgement_number + type: long + - name: reverse_tcp_control_bits + type: integer + - name: reverse_tcp_destination_port + type: integer + - name: reverse_tcp_fin_total_count + type: long + - name: reverse_tcp_header_length + type: short + - 
name: reverse_tcp_options + type: long + - name: reverse_tcp_psh_total_count + type: long + - name: reverse_tcp_rst_total_count + type: long + - name: reverse_tcp_sequence_number + type: long + - name: reverse_tcp_source_port + type: integer + - name: reverse_tcp_syn_total_count + type: long + - name: reverse_tcp_urg_total_count + type: long + - name: reverse_tcp_urgent_pointer + type: integer + - name: reverse_tcp_window_scale + type: integer + - name: reverse_tcp_window_size + type: integer + - name: reverse_total_length_ipv4 + type: integer + - name: reverse_transport_octet_delta_count + type: long + - name: reverse_transport_packet_delta_count + type: long + - name: reverse_tunnel_technology + type: keyword + - name: reverse_udp_destination_port + type: integer + - name: reverse_udp_message_length + type: integer + - name: reverse_udp_source_port + type: integer + - name: reverse_union_tcp_flags + type: short + - name: reverse_upper_ci_limit + type: double + - name: reverse_user_name + type: keyword + - name: reverse_value_distribution_method + type: short + - name: reverse_virtual_station_interface_id + type: keyword + - name: reverse_virtual_station_interface_name + type: keyword + - name: reverse_virtual_station_name + type: keyword + - name: reverse_virtual_station_uuid + type: keyword + - name: reverse_vlan_id + type: integer + - name: reverse_vr_fname + type: keyword + - name: reverse_wlan_channel_id + type: short + - name: reverse_wlan_ssid + type: keyword + - name: reverse_wtp_mac_address + type: keyword + - name: rfc3550_jitter_microseconds + type: long + - name: rfc3550_jitter_milliseconds + type: long + - name: rfc3550_jitter_nanoseconds + type: long + - name: rtp_payload_type + type: short + - name: rtp_sequence_number + type: integer + - name: sampler_id + type: short + - name: sampler_mode + type: short + - name: sampler_name + type: keyword + - name: sampler_random_interval + type: long + - name: sampling_algorithm + type: short + - name: 
sampling_flow_interval + type: long + - name: sampling_flow_spacing + type: long + - name: sampling_interval + type: long + - name: sampling_packet_interval + type: long + - name: sampling_packet_space + type: long + - name: sampling_population + type: long + - name: sampling_probability + type: double + - name: sampling_size + type: long + - name: sampling_time_interval + type: long + - name: sampling_time_space + type: long + - name: second_packet_banner + type: keyword + - name: section_exported_octets + type: integer + - name: section_offset + type: integer + - name: selection_sequence_id + type: long + - name: selector_algorithm + type: integer + - name: selector_id + type: long + - name: selector_id_total_flows_observed + type: long + - name: selector_id_total_flows_selected + type: long + - name: selector_id_total_pkts_observed + type: long + - name: selector_id_total_pkts_selected + type: long + - name: selector_name + type: keyword + - name: service_name + type: keyword + - name: session_scope + type: short + - name: silk_app_label + type: integer + - name: small_packet_count + type: long + - name: source_ipv4_address + type: ip + - name: source_ipv4_prefix + type: ip + - name: source_ipv4_prefix_length + type: short + - name: source_ipv6_address + type: ip + - name: source_ipv6_prefix + type: ip + - name: source_ipv6_prefix_length + type: short + - name: source_mac_address + type: keyword + - name: source_transport_port + type: integer + - name: source_transport_ports_limit + type: integer + - name: src_traffic_index + type: long + - name: ssl_cert_serial_number + type: keyword + - name: ssl_cert_signature + type: keyword + - name: ssl_cert_validity_not_after + type: keyword + - name: ssl_cert_validity_not_before + type: keyword + - name: ssl_cert_version + type: short + - name: ssl_certificate_hash + type: keyword + - name: ssl_cipher + type: keyword + - name: ssl_client_version + type: short + - name: ssl_compression_method + type: short + - name: 
ssl_object_type + type: keyword + - name: ssl_object_value + type: keyword + - name: ssl_public_key_algorithm + type: keyword + - name: ssl_public_key_length + type: keyword + - name: ssl_server_cipher + type: long + - name: ssl_server_name + type: keyword + - name: sta_ipv4_address + type: ip + - name: sta_mac_address + type: keyword + - name: standard_deviation_interarrival_time + type: long + - name: standard_deviation_payload_length + type: short + - name: system_init_time_milliseconds + type: date + - name: tcp_ack_total_count + type: long + - name: tcp_acknowledgement_number + type: long + - name: tcp_control_bits + type: integer + - name: tcp_destination_port + type: integer + - name: tcp_fin_total_count + type: long + - name: tcp_header_length + type: short + - name: tcp_options + type: long + - name: tcp_psh_total_count + type: long + - name: tcp_rst_total_count + type: long + - name: tcp_sequence_number + type: long + - name: tcp_source_port + type: integer + - name: tcp_syn_total_count + type: long + - name: tcp_urg_total_count + type: long + - name: tcp_urgent_pointer + type: integer + - name: tcp_window_scale + type: integer + - name: tcp_window_size + type: integer + - name: template_id + type: integer + - name: tftp_filename + type: keyword + - name: tftp_mode + type: keyword + - name: timestamp + type: long + - name: timestamp_absolute_monitoring-interval + type: long + - name: total_length_ipv4 + type: integer + - name: traffic_type + type: short + - name: transport_octet_delta_count + type: long + - name: transport_packet_delta_count + type: long + - name: tunnel_technology + type: keyword + - name: udp_destination_port + type: integer + - name: udp_message_length + type: integer + - name: udp_source_port + type: integer + - name: union_tcp_flags + type: short + - name: upper_ci_limit + type: double + - name: user_name + type: keyword + - name: username + type: keyword + - name: value_distribution_method + type: short + - name: viptela_vpn_id + 
type: long
+ - name: virtual_station_interface_id
+ type: short
+ - name: virtual_station_interface_name
+ type: keyword
+ - name: virtual_station_name
+ type: keyword
+ - name: virtual_station_uuid
+ type: short
+ - name: vlan_id
+ type: integer
+ - name: vmware_egress_interface_attr
+ type: integer
+ - name: vmware_ingress_interface_attr
+ type: integer
+ - name: vmware_tenant_dest_ipv4
+ type: ip
+ - name: vmware_tenant_dest_ipv6
+ type: ip
+ - name: vmware_tenant_dest_port
+ type: integer
+ - name: vmware_tenant_protocol
+ type: short
+ - name: vmware_tenant_source_ipv4
+ type: ip
+ - name: vmware_tenant_source_ipv6
+ type: ip
+ - name: vmware_tenant_source_port
+ type: integer
+ - name: vmware_vxlan_export_role
+ type: short
+ - name: vpn_identifier
+ type: short
+ - name: vr_fname
+ type: keyword
+ - name: waasoptimization_segment
+ type: short
+ - name: wlan_channel_id
+ type: short
+ - name: wlan_ssid
+ type: keyword
+ - name: wtp_mac_address
+ type: keyword
+ - name: xlate_destination_address_ip_v4
+ type: ip
+ - name: xlate_destination_port
+ type: integer
+ - name: xlate_source_address_ip_v4
+ type: ip
+ - name: xlate_source_port
+ type: integer
diff --git a/packages/netflow/1.4.2/data_stream/log/manifest.yml b/packages/netflow/1.4.2/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..bf706ae5c5
--- /dev/null
+++ b/packages/netflow/1.4.2/data_stream/log/manifest.yml
@@ -0,0 +1,80 @@
+title: NetFlow logs
+type: logs
+streams:
+ - input: netflow
+ template_path: netflow.yml.hbs
+ title: Collect NetFlow logs
+ description: Collect NetFlow logs using the netflow input
+ vars:
+ - name: host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 2055
+ - name: expiration_timeout
+ type: text
+ title: Time duration before an idle session or unused template is expired
+ multi: false
+ required: true
+ show_user: false
+ default: 30m
+ - name: queue_size
+ type: integer
+ title: Maximum number of packets that can be queued for processing
+ multi: false
+ required: true
+ show_user: false
+ default: 8192
+ - name: custom_definitions
+ type: text
+ title: Custom definitions
+ multi: true
+ required: false
+ show_user: false
+ default: ""
+ - name: detect_sequence_reset
+ type: bool
+ title: Whether to detect sequence reset
+ multi: false
+ required: true
+ show_user: false
+ default: true
+ - name: max_message_size
+ type: text
+ title: Maximum size of the message received over UDP
+ multi: false
+ required: true
+ show_user: false
+ default: 10KiB
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - netflow
+ - forwarded
+ - name: timeout
+ type: text
+ title: Read timeout for socket operations
+ multi: false
+ required: false
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
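Review bot: The `host` and `port` vars carry no `description` even though they configure a UDP listener, while `processors` at the end of the hunk does; a user who changes `host` from `localhost` to `0.0.0.0` gets no hint of what that exposes. NetFlow and IPFIX over UDP carry no sender authentication, so the `host` entry should say so and steer users toward limiting which exporters can reach the port, e.g. `description: Address the UDP listener binds to. NetFlow/IPFIX has no sender authentication, so expose the port only to trusted exporters.` The `custom_definitions` var is `multi: true` with `default: ""`, which presumably yields a list holding one empty string; if netflow.yml.hbs iterates over it, that may render an empty file path, so it is worth checking against the template or dropping the default as `timeout` does.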
diff --git a/packages/netflow/1.4.2/data_stream/log/sample_event.json b/packages/netflow/1.4.2/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..81958ea26f
--- /dev/null
+++ b/packages/netflow/1.4.2/data_stream/log/sample_event.json
@@ -0,0 +1,118 @@
+{
+ "@timestamp": "2018-07-03T10:47:00.000Z",
+ "agent": {
+ "ephemeral_id": "bec1bb08-373e-4f04-8d79-9d2726ad7a8d",
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "client": {
+ "bytes": 719,
+ "packets": 5
+ },
+ "data_stream": {
+ "dataset": "netflow.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "bytes": 0,
+ "packets": 0
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "netflow_flow",
+ "agent_id_status": "verified",
+ "category": "network_session",
+ "created": "2022-01-02T01:42:37.238Z",
+ "dataset": "netflow.log",
+ "ingested": "2022-01-02T01:42:38Z",
+ "kind": "event",
+ "type": [
+ "connection"
+ ]
+ },
+ "flow": {
+ "id": "Vhs9T5k296w",
+ "locality": "internal"
+ },
+ "input": {
+ "type": "netflow"
+ },
+ "netflow": {
+ "application_id": [
+ 3,
+ 0,
+ 0,
+ 80
+ ],
+ "art_client_network_time_sum": 0,
+ "art_count_late_responses": 0,
+ "art_count_responses": 0,
+ "art_count_retransmissions": 0,
+ "art_count_transactions": 0,
+ "art_network_time_sum": 0,
+ "art_response_time_sum": 0,
+ "art_server_network_time_sum": 0,
+ "art_server_response_time_maximum": 0,
+ "art_server_response_time_sum": 0,
+ "art_total_response_time_sum": 0,
+ "art_total_transaction_time_sum": 0,
+ "biflow_direction": 1,
+ "connection_sum_duration_seconds": 0,
+ "egress_interface": 13,
+ "exporter": {
+ "address": "172.18.0.7:58241",
+ "source_id": 512,
+ "timestamp": "2018-07-03T10:47:00.000Z",
+ "uptime_millis": 0,
+ "version": 10
+ },
+ "flow_end_sys_up_time": 564184158,
+ "flow_start_sys_up_time": 564184140,
+ "ingress_interface": 10,
+ "ingress_vrfid": 0,
+ "initiator_octets": 719,
+ "initiator_packets": 5,
+ "ip_diff_serv_code_point": 0,
+ "ip_ttl": 49,
+ "new_connection_delta_count": 1,
+ "protocol_identifier": 6,
+ "responder_octets": 0,
+ "responder_packets": 0,
+ "type": "netflow_flow",
+ "vlan_id": 0,
+ "waasoptimization_segment": 16
+ },
+ "network": {
+ "bytes": 719,
+ "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=",
+ "direction": "unknown",
+ "iana_number": "6",
+ "packets": 5,
+ "transport": "tcp"
+ },
+ "observer": {
+ "ip": "172.18.0.7"
+ },
+ "server": {
+ "bytes": 0,
+ "packets": 0
+ },
+ "source": {
+ "bytes": 719,
+ "packets": 5
+ },
+ "tags": [
+ "netflow",
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/docs/README.md b/packages/netflow/1.4.2/docs/README.md
new file mode 100755
index 0000000000..0809adb495
--- /dev/null
+++ b/packages/netflow/1.4.2/docs/README.md
@@ -0,0 +1,1783 @@ +# Netflow Integration + +This integration is for receiving NetFlow and IPFIX flow records over UDP. It +supports NetFlow versions 1, 5, 6, 7, 8 and 9, as well as IPFIX. For NetFlow +versions older than 9, fields are mapped automatically to NetFlow v9. + +It includes the following dataset: + +- `log` dataset + +## Compatibility + +## Logs + +### log + +The `log` dataset collects netflow logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| as.organization.name | Organization name. | keyword | +| as.organization.name.text | Multi-field of `as.organization.name`. | match_only_text | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.bytes | Bytes sent from the client to the server. | long | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. 
| ip | +| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long | +| client.packets | Packets sent from the client to the server. | long | +| client.port | Port of the client. | long | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| client.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| client.user.email | User email address. | keyword | +| client.user.full_name | User's full name, if available. | keyword | +| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | +| client.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| client.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| client.user.group.name | Name of the group. | keyword | +| client.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
| keyword | +| client.user.id | Unique identifier of the user. | keyword | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.image.tag | Container image tags. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.locality | Whether the destination IP is private or public. | keyword | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.email | User email address. | keyword | +| destination.user.full_name | User's full name, if available. | keyword | +| destination.user.full_name.text | Multi-field of `destination.user.full_name`. | match_only_text | +| destination.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| destination.user.group.name | Name of the group. 
| keyword | +| destination.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | +| dns.answers.class | The class of DNS data contained in this resource record. | keyword | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
| keyword | +| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | +| dns.question.class | The class of records being queried. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. 
Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | +| dns.response_code | The DNS response code. | keyword | +| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | +| error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. 
default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | +| file.created | File creation time. Note that not all filesystems store the creation time. | date | +| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | +| file.device | Device that is the source of the file. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.gid | Primary group ID (GID) of the file. | keyword | +| file.group | Primary group name of the file. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.hash.sha512 | SHA512 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.mode | Mode of the file in octal representation. 
| keyword | +| file.mtime | Last time the file content was modified. | date | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.owner | File owner's username. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.target_path | Target path for symlinks. | keyword | +| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | +| file.type | File type (file, dir, or symlink). | keyword | +| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | +| flow.id | Hash of source and destination IPs. | keyword | +| flow.locality | Identifies whether the flow involved public IP addresses or only private address. | keyword | +| geo.city_name | City name. | keyword | +| geo.continent_name | Name of the continent. | keyword | +| geo.country_iso_code | Country ISO code. | keyword | +| geo.country_name | Country name. | keyword | +| geo.location | Longitude and latitude. | geo_point | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_iso_code | Region ISO code. | keyword | +| geo.region_name | Region name. | keyword | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| hash.md5 | MD5 hash. | keyword | +| hash.sha1 | SHA1 hash. | keyword | +| hash.sha256 | SHA256 hash. 
| keyword | +| hash.sha512 | SHA512 hash. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. | keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. 
| keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| http.request.body.bytes | Size in bytes of the request body. | long | +| http.request.body.content | The full HTTP request body. | wildcard | +| http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text | +| http.request.bytes | Total size in bytes of the request (body and headers). | long | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.bytes | Size in bytes of the response body. | long | +| http.response.body.content | The full HTTP response body. | wildcard | +| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | Type of Filebeat input. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. 
Example: `docker` and `k8s` labels. | object | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.origin.file.line | The line number of the file containing the source code which originated the log event. | long | +| log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword | +| log.origin.function | The name of the function or method which originated the log event. | keyword | +| log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| netflow.absolute_error | | double |
+| netflow.address_pool_high_threshold | | long |
+| netflow.address_pool_low_threshold | | long |
+| netflow.address_port_mapping_high_threshold | | long |
+| netflow.address_port_mapping_low_threshold | | long |
+| netflow.address_port_mapping_per_user_high_threshold | | long |
+| netflow.afc_protocol | | integer |
+| netflow.afc_protocol_name | | keyword |
+| netflow.anonymization_flags | | integer |
+| netflow.anonymization_technique | | integer |
+| netflow.application_business-relevance | | long |
+| netflow.application_category_name | | keyword |
+| netflow.application_description | | keyword |
+| netflow.application_group_name | | keyword |
+| netflow.application_http_uri_statistics | | short |
+| netflow.application_http_user-agent | | short |
+| netflow.application_id | | short |
+| netflow.application_name | | keyword |
+| netflow.application_sub_category_name | | keyword |
+| netflow.application_traffic-class | | long |
+| netflow.art_client_network_time_maximum | | long |
+| netflow.art_client_network_time_minimum | | long |
+| netflow.art_client_network_time_sum | | long |
+| 
netflow.art_clientpackets | | long |
+| netflow.art_count_late_responses | | long |
+| netflow.art_count_new_connections | | long |
+| netflow.art_count_responses | | long |
+| netflow.art_count_responses_histogram_bucket1 | | long |
+| netflow.art_count_responses_histogram_bucket2 | | long |
+| netflow.art_count_responses_histogram_bucket3 | | long |
+| netflow.art_count_responses_histogram_bucket4 | | long |
+| netflow.art_count_responses_histogram_bucket5 | | long |
+| netflow.art_count_responses_histogram_bucket6 | | long |
+| netflow.art_count_responses_histogram_bucket7 | | long |
+| netflow.art_count_retransmissions | | long |
+| netflow.art_count_transactions | | long |
+| netflow.art_network_time_maximum | | long |
+| netflow.art_network_time_minimum | | long |
+| netflow.art_network_time_sum | | long |
+| netflow.art_response_time_maximum | | long |
+| netflow.art_response_time_minimum | | long |
+| netflow.art_response_time_sum | | long |
+| netflow.art_server_network_time_maximum | | long |
+| netflow.art_server_network_time_minimum | | long |
+| netflow.art_server_network_time_sum | | long |
+| netflow.art_server_response_time_maximum | | long |
+| netflow.art_server_response_time_minimum | | long |
+| netflow.art_server_response_time_sum | | long |
+| netflow.art_serverpackets | | long |
+| netflow.art_total_response_time_maximum | | long |
+| netflow.art_total_response_time_minimum | | long |
+| netflow.art_total_response_time_sum | | long |
+| netflow.art_total_transaction_time_maximum | | long |
+| netflow.art_total_transaction_time_minimum | | long |
+| netflow.art_total_transaction_time_sum | | long |
+| netflow.assembled_fragment_count | | long |
+| netflow.audit_counter | | long |
+| netflow.average_interarrival_time | | long |
+| netflow.bgp_destination_as_number | | long |
+| netflow.bgp_next_adjacent_as_number | | long |
+| netflow.bgp_next_hop_ipv4_address | | ip |
+| netflow.bgp_next_hop_ipv6_address | | ip |
+| 
netflow.bgp_prev_adjacent_as_number | | long |
+| netflow.bgp_source_as_number | | long |
+| netflow.bgp_validity_state | | short |
+| netflow.biflow_direction | | short |
+| netflow.bind_ipv4_address | | ip |
+| netflow.bind_transport_port | | integer |
+| netflow.class_id | | long |
+| netflow.class_name | | keyword |
+| netflow.classification_engine_id | | short |
+| netflow.collection_time_milliseconds | | date |
+| netflow.collector_certificate | | short |
+| netflow.collector_ipv4_address | | ip |
+| netflow.collector_ipv6_address | | ip |
+| netflow.collector_transport_port | | integer |
+| netflow.common_properties_id | | long |
+| netflow.confidence_level | | double |
+| netflow.conn_ipv4_address | | ip |
+| netflow.conn_transport_port | | integer |
+| netflow.connection_sum_duration_seconds | | long |
+| netflow.connection_transaction_id | | long |
+| netflow.conntrack_id | | long |
+| netflow.data_byte_count | | long |
+| netflow.data_link_frame_section | | short |
+| netflow.data_link_frame_size | | integer |
+| netflow.data_link_frame_type | | integer |
+| netflow.data_records_reliability | | boolean |
+| netflow.delta_flow_count | | long |
+| netflow.destination_ipv4_address | | ip |
+| netflow.destination_ipv4_prefix | | ip |
+| netflow.destination_ipv4_prefix_length | | short |
+| netflow.destination_ipv6_address | | ip |
+| netflow.destination_ipv6_prefix | | ip |
+| netflow.destination_ipv6_prefix_length | | short |
+| netflow.destination_mac_address | | keyword |
+| netflow.destination_transport_port | | integer |
+| netflow.digest_hash_value | | long |
+| netflow.distinct_count_of_destination_ip_address | | long |
+| netflow.distinct_count_of_destination_ipv4_address | | long |
+| netflow.distinct_count_of_destination_ipv6_address | | long |
+| netflow.distinct_count_of_source_ip_address | | long |
+| netflow.distinct_count_of_source_ipv4_address | | long |
+| netflow.distinct_count_of_source_ipv6_address | | long |
+| netflow.dns_authoritative 
| | short |
+| netflow.dns_cname | | keyword |
+| netflow.dns_id | | integer |
+| netflow.dns_mx_exchange | | keyword |
+| netflow.dns_mx_preference | | integer |
+| netflow.dns_nsd_name | | keyword |
+| netflow.dns_nx_domain | | short |
+| netflow.dns_ptrd_name | | keyword |
+| netflow.dns_qname | | keyword |
+| netflow.dns_qr_type | | integer |
+| netflow.dns_query_response | | short |
+| netflow.dns_rr_section | | short |
+| netflow.dns_soa_expire | | long |
+| netflow.dns_soa_minimum | | long |
+| netflow.dns_soa_refresh | | long |
+| netflow.dns_soa_retry | | long |
+| netflow.dns_soa_serial | | long |
+| netflow.dns_soam_name | | keyword |
+| netflow.dns_soar_name | | keyword |
+| netflow.dns_srv_port | | integer |
+| netflow.dns_srv_priority | | integer |
+| netflow.dns_srv_target | | integer |
+| netflow.dns_srv_weight | | integer |
+| netflow.dns_ttl | | long |
+| netflow.dns_txt_data | | keyword |
+| netflow.dot1q_customer_dei | | boolean |
+| netflow.dot1q_customer_destination_mac_address | | keyword |
+| netflow.dot1q_customer_priority | | short |
+| netflow.dot1q_customer_source_mac_address | | keyword |
+| netflow.dot1q_customer_vlan_id | | integer |
+| netflow.dot1q_dei | | boolean |
+| netflow.dot1q_priority | | short |
+| netflow.dot1q_service_instance_id | | long |
+| netflow.dot1q_service_instance_priority | | short |
+| netflow.dot1q_service_instance_tag | | short |
+| netflow.dot1q_vlan_id | | integer |
+| netflow.dropped_layer2_octet_delta_count | | long |
+| netflow.dropped_layer2_octet_total_count | | long |
+| netflow.dropped_octet_delta_count | | long |
+| netflow.dropped_octet_total_count | | long |
+| netflow.dropped_packet_delta_count | | long |
+| netflow.dropped_packet_total_count | | long |
+| netflow.dst_traffic_index | | long |
+| netflow.egress_broadcast_packet_total_count | | long |
+| netflow.egress_interface | | long |
+| netflow.egress_interface_type | | long |
+| netflow.egress_physical_interface | | long |
+| 
netflow.egress_unicast_packet_total_count | | long |
+| netflow.egress_vrfid | | long |
+| netflow.encrypted_technology | | keyword |
+| netflow.engine_id | | short |
+| netflow.engine_type | | short |
+| netflow.ethernet_header_length | | short |
+| netflow.ethernet_payload_length | | integer |
+| netflow.ethernet_total_length | | integer |
+| netflow.ethernet_type | | integer |
+| netflow.expired_fragment_count | | long |
+| netflow.export_interface | | long |
+| netflow.export_protocol_version | | short |
+| netflow.export_sctp_stream_id | | integer |
+| netflow.export_transport_protocol | | short |
+| netflow.exported_flow_record_total_count | | long |
+| netflow.exported_message_total_count | | long |
+| netflow.exported_octet_total_count | | long |
+| netflow.exporter.address | Exporter's network address in IP:port format. | keyword |
+| netflow.exporter.source_id | Observation domain ID to which this record belongs. | long |
+| netflow.exporter.timestamp | Time and date of export. | date |
+| netflow.exporter.uptime_millis | How long the exporter process has been running, in milliseconds. | long |
+| netflow.exporter.version | NetFlow version used. 
| integer |
+| netflow.exporter_certificate | | short |
+| netflow.exporter_ipv4_address | | ip |
+| netflow.exporter_ipv6_address | | ip |
+| netflow.exporter_transport_port | | integer |
+| netflow.exporting_process_id | | long |
+| netflow.external_address_realm | | short |
+| netflow.firewall_event | | short |
+| netflow.first_eight_non_empty_packet_directions | | short |
+| netflow.first_non_empty_packet_size | | integer |
+| netflow.first_packet_banner | | keyword |
+| netflow.flags_and_sampler_id | | long |
+| netflow.flow_active_timeout | | integer |
+| netflow.flow_attributes | | integer |
+| netflow.flow_direction | | short |
+| netflow.flow_duration_microseconds | | long |
+| netflow.flow_duration_milliseconds | | long |
+| netflow.flow_end_delta_microseconds | | long |
+| netflow.flow_end_microseconds | | date |
+| netflow.flow_end_milliseconds | | date |
+| netflow.flow_end_nanoseconds | | date |
+| netflow.flow_end_reason | | short |
+| netflow.flow_end_seconds | | date |
+| netflow.flow_end_sys_up_time | | long |
+| netflow.flow_id | | long |
+| netflow.flow_idle_timeout | | integer |
+| netflow.flow_key_indicator | | long |
+| netflow.flow_label_ipv6 | | long |
+| netflow.flow_sampling_time_interval | | long |
+| netflow.flow_sampling_time_spacing | | long |
+| netflow.flow_selected_flow_delta_count | | long |
+| netflow.flow_selected_octet_delta_count | | long |
+| netflow.flow_selected_packet_delta_count | | long |
+| netflow.flow_selector_algorithm | | integer |
+| netflow.flow_start_delta_microseconds | | long |
+| netflow.flow_start_microseconds | | date |
+| netflow.flow_start_milliseconds | | date |
+| netflow.flow_start_nanoseconds | | date |
+| netflow.flow_start_seconds | | date |
+| netflow.flow_start_sys_up_time | | long |
+| netflow.flow_table_flush_event_count | | long |
+| netflow.flow_table_peak_count | | long |
+| netflow.forwarding_status | | short |
+| netflow.fragment_flags | | short |
+| netflow.fragment_identification | | long 
|
+| netflow.fragment_offset | | integer |
+| netflow.fw_blackout_secs | | long |
+| netflow.fw_configured_value | | long |
+| netflow.fw_cts_src_sgt | | long |
+| netflow.fw_event_level | | long |
+| netflow.fw_event_level_id | | long |
+| netflow.fw_ext_event | | integer |
+| netflow.fw_ext_event_alt | | long |
+| netflow.fw_ext_event_desc | | keyword |
+| netflow.fw_half_open_count | | long |
+| netflow.fw_half_open_high | | long |
+| netflow.fw_half_open_rate | | long |
+| netflow.fw_max_sessions | | long |
+| netflow.fw_rule | | keyword |
+| netflow.fw_summary_pkt_count | | long |
+| netflow.fw_zone_pair_id | | long |
+| netflow.fw_zone_pair_name | | long |
+| netflow.global_address_mapping_high_threshold | | long |
+| netflow.gre_key | | long |
+| netflow.hash_digest_output | | boolean |
+| netflow.hash_flow_domain | | integer |
+| netflow.hash_initialiser_value | | long |
+| netflow.hash_ip_payload_offset | | long |
+| netflow.hash_ip_payload_size | | long |
+| netflow.hash_output_range_max | | long |
+| netflow.hash_output_range_min | | long |
+| netflow.hash_selected_range_max | | long |
+| netflow.hash_selected_range_min | | long |
+| netflow.http_content_type | | keyword |
+| netflow.http_message_version | | keyword |
+| netflow.http_reason_phrase | | keyword |
+| netflow.http_request_host | | keyword |
+| netflow.http_request_method | | keyword |
+| netflow.http_request_target | | keyword |
+| netflow.http_status_code | | integer |
+| netflow.http_user_agent | | keyword |
+| netflow.icmp_code_ipv4 | | short |
+| netflow.icmp_code_ipv6 | | short |
+| netflow.icmp_type_code_ipv4 | | integer |
+| netflow.icmp_type_code_ipv6 | | integer |
+| netflow.icmp_type_ipv4 | | short |
+| netflow.icmp_type_ipv6 | | short |
+| netflow.igmp_type | | short |
+| netflow.ignored_data_record_total_count | | long |
+| netflow.ignored_layer2_frame_total_count | | long |
+| netflow.ignored_layer2_octet_total_count | | long |
+| netflow.ignored_octet_total_count | | long |
+| 
netflow.ignored_packet_total_count | | long |
+| netflow.information_element_data_type | | short |
+| netflow.information_element_description | | keyword |
+| netflow.information_element_id | | integer |
+| netflow.information_element_index | | integer |
+| netflow.information_element_name | | keyword |
+| netflow.information_element_range_begin | | long |
+| netflow.information_element_range_end | | long |
+| netflow.information_element_semantics | | short |
+| netflow.information_element_units | | integer |
+| netflow.ingress_broadcast_packet_total_count | | long |
+| netflow.ingress_interface | | long |
+| netflow.ingress_interface_type | | long |
+| netflow.ingress_multicast_packet_total_count | | long |
+| netflow.ingress_physical_interface | | long |
+| netflow.ingress_unicast_packet_total_count | | long |
+| netflow.ingress_vrfid | | long |
+| netflow.initial_tcp_flags | | short |
+| netflow.initiator_octets | | long |
+| netflow.initiator_packets | | long |
+| netflow.interface_description | | keyword |
+| netflow.interface_name | | keyword |
+| netflow.intermediate_process_id | | long |
+| netflow.internal_address_realm | | short |
+| netflow.ip_class_of_service | | short |
+| netflow.ip_diff_serv_code_point | | short |
+| netflow.ip_header_length | | short |
+| netflow.ip_header_packet_section | | short |
+| netflow.ip_next_hop_ipv4_address | | ip |
+| netflow.ip_next_hop_ipv6_address | | ip |
+| netflow.ip_payload_length | | long |
+| netflow.ip_payload_packet_section | | short |
+| netflow.ip_precedence | | short |
+| netflow.ip_sec_spi | | long |
+| netflow.ip_total_length | | long |
+| netflow.ip_ttl | | short |
+| netflow.ip_version | | short |
+| netflow.ipv4_ihl | | short |
+| netflow.ipv4_options | | long |
+| netflow.ipv4_router_sc | | ip |
+| netflow.ipv6_extension_headers | | long |
+| netflow.is_multicast | | short |
+| netflow.ixia_browser_id | | short |
+| netflow.ixia_browser_name | | keyword |
+| netflow.ixia_device_id | | short |
+| 
netflow.ixia_device_name | | keyword |
+| netflow.ixia_dns_answer | | keyword |
+| netflow.ixia_dns_classes | | keyword |
+| netflow.ixia_dns_query | | keyword |
+| netflow.ixia_dns_record_txt | | keyword |
+| netflow.ixia_dst_as_name | | keyword |
+| netflow.ixia_dst_city_name | | keyword |
+| netflow.ixia_dst_country_code | | keyword |
+| netflow.ixia_dst_country_name | | keyword |
+| netflow.ixia_dst_latitude | | float |
+| netflow.ixia_dst_longitude | | float |
+| netflow.ixia_dst_region_code | | keyword |
+| netflow.ixia_dst_region_node | | keyword |
+| netflow.ixia_encrypt_cipher | | keyword |
+| netflow.ixia_encrypt_key_length | | integer |
+| netflow.ixia_encrypt_type | | keyword |
+| netflow.ixia_http_host_name | | keyword |
+| netflow.ixia_http_uri | | keyword |
+| netflow.ixia_http_user_agent | | keyword |
+| netflow.ixia_imsi_subscriber | | keyword |
+| netflow.ixia_l7_app_id | | long |
+| netflow.ixia_l7_app_name | | keyword |
+| netflow.ixia_latency | | long |
+| netflow.ixia_rev_octet_delta_count | | long |
+| netflow.ixia_rev_packet_delta_count | | long |
+| netflow.ixia_src_as_name | | keyword |
+| netflow.ixia_src_city_name | | keyword |
+| netflow.ixia_src_country_code | | keyword |
+| netflow.ixia_src_country_name | | keyword |
+| netflow.ixia_src_latitude | | float |
+| netflow.ixia_src_longitude | | float |
+| netflow.ixia_src_region_code | | keyword |
+| netflow.ixia_src_region_name | | keyword |
+| netflow.ixia_threat_ipv4 | | ip |
+| netflow.ixia_threat_ipv6 | | ip |
+| netflow.ixia_threat_type | | keyword |
+| netflow.large_packet_count | | long |
+| netflow.layer2_frame_delta_count | | long |
+| netflow.layer2_frame_total_count | | long |
+| netflow.layer2_octet_delta_count | | long |
+| netflow.layer2_octet_delta_sum_of_squares | | long |
+| netflow.layer2_octet_total_count | | long |
+| netflow.layer2_octet_total_sum_of_squares | | long |
+| netflow.layer2_segment_id | | long |
+| netflow.layer2packet_section_data | | short |
+| 
netflow.layer2packet_section_offset | | integer |
+| netflow.layer2packet_section_size | | integer |
+| netflow.line_card_id | | long |
+| netflow.log_op | | short |
+| netflow.lower_ci_limit | | double |
+| netflow.mark | | long |
+| netflow.max_bib_entries | | long |
+| netflow.max_entries_per_user | | long |
+| netflow.max_export_seconds | | date |
+| netflow.max_flow_end_microseconds | | date |
+| netflow.max_flow_end_milliseconds | | date |
+| netflow.max_flow_end_nanoseconds | | date |
+| netflow.max_flow_end_seconds | | date |
+| netflow.max_fragments_pending_reassembly | | long |
+| netflow.max_packet_size | | integer |
+| netflow.max_session_entries | | long |
+| netflow.max_subscribers | | long |
+| netflow.maximum_ip_total_length | | long |
+| netflow.maximum_layer2_total_length | | long |
+| netflow.maximum_ttl | | short |
+| netflow.mean_flow_rate | | long |
+| netflow.mean_packet_rate | | long |
+| netflow.message_md5_checksum | | short |
+| netflow.message_scope | | short |
+| netflow.metering_process_id | | long |
+| netflow.metro_evc_id | | keyword |
+| netflow.metro_evc_type | | short |
+| netflow.mib_capture_time_semantics | | short |
+| netflow.mib_context_engine_id | | short |
+| netflow.mib_context_name | | keyword |
+| netflow.mib_index_indicator | | long |
+| netflow.mib_module_name | | keyword |
+| netflow.mib_object_description | | keyword |
+| netflow.mib_object_identifier | | short |
+| netflow.mib_object_name | | keyword |
+| netflow.mib_object_syntax | | keyword |
+| netflow.mib_object_value_bits | | short |
+| netflow.mib_object_value_counter | | long |
+| netflow.mib_object_value_gauge | | long |
+| netflow.mib_object_value_integer | | integer |
+| netflow.mib_object_value_ip_address | | ip |
+| netflow.mib_object_value_octet_string | | short |
+| netflow.mib_object_value_oid | | short |
+| netflow.mib_object_value_time_ticks | | long |
+| netflow.mib_object_value_unsigned | | long |
+| netflow.mib_sub_identifier | | long |
+| 
netflow.min_export_seconds | | date |
+| netflow.min_flow_start_microseconds | | date |
+| netflow.min_flow_start_milliseconds | | date |
+| netflow.min_flow_start_nanoseconds | | date |
+| netflow.min_flow_start_seconds | | date |
+| netflow.minimum_ip_total_length | | long |
+| netflow.minimum_layer2_total_length | | long |
+| netflow.minimum_ttl | | short |
+| netflow.mobile_imsi | | keyword |
+| netflow.mobile_msisdn | | keyword |
+| netflow.monitoring_interval_end_milli_seconds | | date |
+| netflow.monitoring_interval_start_milli_seconds | | date |
+| netflow.mpls_label_stack_depth | | long |
+| netflow.mpls_label_stack_length | | long |
+| netflow.mpls_label_stack_section | | short |
+| netflow.mpls_label_stack_section10 | | short |
+| netflow.mpls_label_stack_section2 | | short |
+| netflow.mpls_label_stack_section3 | | short |
+| netflow.mpls_label_stack_section4 | | short |
+| netflow.mpls_label_stack_section5 | | short |
+| netflow.mpls_label_stack_section6 | | short |
+| netflow.mpls_label_stack_section7 | | short |
+| netflow.mpls_label_stack_section8 | | short |
+| netflow.mpls_label_stack_section9 | | short |
+| netflow.mpls_payload_length | | long |
+| netflow.mpls_payload_packet_section | | short |
+| netflow.mpls_top_label_exp | | short |
+| netflow.mpls_top_label_ipv4_address | | ip |
+| netflow.mpls_top_label_ipv6_address | | ip |
+| netflow.mpls_top_label_prefix_length | | short |
+| netflow.mpls_top_label_stack_section | | short |
+| netflow.mpls_top_label_ttl | | short |
+| netflow.mpls_top_label_type | | short |
+| netflow.mpls_vpn_route_distinguisher | | short |
+| netflow.mptcp_address_id | | short |
+| netflow.mptcp_flags | | short |
+| netflow.mptcp_initial_data_sequence_number | | long |
+| netflow.mptcp_maximum_segment_size | | integer |
+| netflow.mptcp_receiver_token | | long |
+| netflow.multicast_replication_factor | | long |
+| netflow.nat_event | | short |
+| netflow.nat_inside_svcid | | integer |
+| netflow.nat_instance_id | | 
long |
+| netflow.nat_originating_address_realm | | short |
+| netflow.nat_outside_svcid | | integer |
+| netflow.nat_pool_id | | long |
+| netflow.nat_pool_name | | keyword |
+| netflow.nat_quota_exceeded_event | | long |
+| netflow.nat_sub_string | | keyword |
+| netflow.nat_threshold_event | | long |
+| netflow.nat_type | | short |
+| netflow.netscale_ica_client_version | | keyword |
+| netflow.netscaler_aaa_username | | keyword |
+| netflow.netscaler_app_name | | keyword |
+| netflow.netscaler_app_name_app_id | | long |
+| netflow.netscaler_app_name_incarnation_number | | long |
+| netflow.netscaler_app_template_name | | keyword |
+| netflow.netscaler_app_unit_name_app_id | | long |
+| netflow.netscaler_application_startup_duration | | long |
+| netflow.netscaler_application_startup_time | | long |
+| netflow.netscaler_cache_redir_client_connection_core_id | | long |
+| netflow.netscaler_cache_redir_client_connection_transaction_id | | long |
+| netflow.netscaler_client_rtt | | long |
+| netflow.netscaler_connection_chain_hop_count | | long |
+| netflow.netscaler_connection_chain_id | | short |
+| netflow.netscaler_connection_id | | long |
+| netflow.netscaler_current_license_consumed | | long |
+| netflow.netscaler_db_clt_host_name | | keyword |
+| netflow.netscaler_db_database_name | | keyword |
+| netflow.netscaler_db_login_flags | | long |
+| netflow.netscaler_db_protocol_name | | short |
+| netflow.netscaler_db_req_string | | keyword |
+| netflow.netscaler_db_req_type | | short |
+| netflow.netscaler_db_resp_length | | long |
+| netflow.netscaler_db_resp_status | | long |
+| netflow.netscaler_db_resp_status_string | | keyword |
+| netflow.netscaler_db_user_name | | keyword |
+| netflow.netscaler_flow_flags | | long |
+| netflow.netscaler_http_client_interaction_end_time | | keyword |
+| netflow.netscaler_http_client_interaction_start_time | | keyword |
+| netflow.netscaler_http_client_render_end_time | | keyword |
+| 
netflow.netscaler_http_client_render_start_time | | keyword |
+| netflow.netscaler_http_content_type | | keyword |
+| netflow.netscaler_http_domain_name | | keyword |
+| netflow.netscaler_http_req_authorization | | keyword |
+| netflow.netscaler_http_req_cookie | | keyword |
+| netflow.netscaler_http_req_forw_fb | | long |
+| netflow.netscaler_http_req_forw_lb | | long |
+| netflow.netscaler_http_req_host | | keyword |
+| netflow.netscaler_http_req_method | | keyword |
+| netflow.netscaler_http_req_rcv_fb | | long |
+| netflow.netscaler_http_req_rcv_lb | | long |
+| netflow.netscaler_http_req_referer | | keyword |
+| netflow.netscaler_http_req_url | | keyword |
+| netflow.netscaler_http_req_user_agent | | keyword |
+| netflow.netscaler_http_req_via | | keyword |
+| netflow.netscaler_http_req_xforwarded_for | | keyword |
+| netflow.netscaler_http_res_forw_fb | | long |
+| netflow.netscaler_http_res_forw_lb | | long |
+| netflow.netscaler_http_res_location | | keyword |
+| netflow.netscaler_http_res_rcv_fb | | long |
+| netflow.netscaler_http_res_rcv_lb | | long |
+| netflow.netscaler_http_res_set_cookie | | keyword |
+| netflow.netscaler_http_res_set_cookie2 | | keyword |
+| netflow.netscaler_http_rsp_len | | long |
+| netflow.netscaler_http_rsp_status | | integer |
+| netflow.netscaler_ica_app_module_path | | keyword |
+| netflow.netscaler_ica_app_process_id | | long |
+| netflow.netscaler_ica_application_name | | keyword |
+| netflow.netscaler_ica_application_termination_time | | long |
+| netflow.netscaler_ica_application_termination_type | | integer |
+| netflow.netscaler_ica_channel_id1 | | long |
+| netflow.netscaler_ica_channel_id1_bytes | | long |
+| netflow.netscaler_ica_channel_id2 | | long |
+| netflow.netscaler_ica_channel_id2_bytes | | long |
+| netflow.netscaler_ica_channel_id3 | | long |
+| netflow.netscaler_ica_channel_id3_bytes | | long |
+| netflow.netscaler_ica_channel_id4 | | long |
+| netflow.netscaler_ica_channel_id4_bytes | | long |
+| 
netflow.netscaler_ica_channel_id5 | | long |
+| netflow.netscaler_ica_channel_id5_bytes | | long |
+| netflow.netscaler_ica_client_host_name | | keyword |
+| netflow.netscaler_ica_client_ip | | ip |
+| netflow.netscaler_ica_client_launcher | | integer |
+| netflow.netscaler_ica_client_side_rto_count | | integer |
+| netflow.netscaler_ica_client_side_window_size | | integer |
+| netflow.netscaler_ica_client_type | | integer |
+| netflow.netscaler_ica_clientside_delay | | long |
+| netflow.netscaler_ica_clientside_jitter | | long |
+| netflow.netscaler_ica_clientside_packets_retransmit | | integer |
+| netflow.netscaler_ica_clientside_rtt | | long |
+| netflow.netscaler_ica_clientside_rx_bytes | | long |
+| netflow.netscaler_ica_clientside_srtt | | long |
+| netflow.netscaler_ica_clientside_tx_bytes | | long |
+| netflow.netscaler_ica_connection_priority | | integer |
+| netflow.netscaler_ica_device_serial_no | | long |
+| netflow.netscaler_ica_domain_name | | keyword |
+| netflow.netscaler_ica_flags | | long |
+| netflow.netscaler_ica_host_delay | | long |
+| netflow.netscaler_ica_l7_client_latency | | long |
+| netflow.netscaler_ica_l7_server_latency | | long |
+| netflow.netscaler_ica_launch_mechanism | | integer |
+| netflow.netscaler_ica_network_update_end_time | | long |
+| netflow.netscaler_ica_network_update_start_time | | long |
+| netflow.netscaler_ica_rtt | | long |
+| netflow.netscaler_ica_server_name | | keyword |
+| netflow.netscaler_ica_server_side_rto_count | | integer |
+| netflow.netscaler_ica_server_side_window_size | | integer |
+| netflow.netscaler_ica_serverside_delay | | long |
+| netflow.netscaler_ica_serverside_jitter | | long |
+| netflow.netscaler_ica_serverside_packets_retransmit | | integer |
+| netflow.netscaler_ica_serverside_rtt | | long |
+| netflow.netscaler_ica_serverside_srtt | | long |
+| netflow.netscaler_ica_session_end_time | | long |
+| netflow.netscaler_ica_session_guid | | short |
+| netflow.netscaler_ica_session_reconnects 
| | short |
+| netflow.netscaler_ica_session_setup_time | | long |
+| netflow.netscaler_ica_session_update_begin_sec | | long |
+| netflow.netscaler_ica_session_update_end_sec | | long |
+| netflow.netscaler_ica_username | | keyword |
+| netflow.netscaler_license_type | | short |
+| netflow.netscaler_main_page_core_id | | long |
+| netflow.netscaler_main_page_id | | long |
+| netflow.netscaler_max_license_count | | long |
+| netflow.netscaler_msi_client_cookie | | short |
+| netflow.netscaler_round_trip_time | | long |
+| netflow.netscaler_server_ttfb | | long |
+| netflow.netscaler_server_ttlb | | long |
+| netflow.netscaler_syslog_message | | keyword |
+| netflow.netscaler_syslog_priority | | short |
+| netflow.netscaler_syslog_timestamp | | long |
+| netflow.netscaler_transaction_id | | long |
+| netflow.netscaler_unknown270 | | long |
+| netflow.netscaler_unknown271 | | long |
+| netflow.netscaler_unknown272 | | long |
+| netflow.netscaler_unknown273 | | long |
+| netflow.netscaler_unknown274 | | long |
+| netflow.netscaler_unknown275 | | long |
+| netflow.netscaler_unknown276 | | long |
+| netflow.netscaler_unknown277 | | long |
+| netflow.netscaler_unknown278 | | long |
+| netflow.netscaler_unknown279 | | long |
+| netflow.netscaler_unknown280 | | long |
+| netflow.netscaler_unknown281 | | long |
+| netflow.netscaler_unknown282 | | long |
+| netflow.netscaler_unknown283 | | long |
+| netflow.netscaler_unknown284 | | long |
+| netflow.netscaler_unknown285 | | long |
+| netflow.netscaler_unknown286 | | long |
+| netflow.netscaler_unknown287 | | long |
+| netflow.netscaler_unknown288 | | long |
+| netflow.netscaler_unknown289 | | long |
+| netflow.netscaler_unknown290 | | long |
+| netflow.netscaler_unknown291 | | long |
+| netflow.netscaler_unknown292 | | long |
+| netflow.netscaler_unknown293 | | long |
+| netflow.netscaler_unknown294 | | long |
+| netflow.netscaler_unknown295 | | long |
+| netflow.netscaler_unknown296 | | long |
+| 
netflow.netscaler_unknown297 | | long |
+| netflow.netscaler_unknown298 | | long |
+| netflow.netscaler_unknown299 | | long |
+| netflow.netscaler_unknown300 | | long |
+| netflow.netscaler_unknown301 | | long |
+| netflow.netscaler_unknown302 | | long |
+| netflow.netscaler_unknown303 | | long |
+| netflow.netscaler_unknown304 | | long |
+| netflow.netscaler_unknown305 | | long |
+| netflow.netscaler_unknown306 | | long |
+| netflow.netscaler_unknown307 | | long |
+| netflow.netscaler_unknown308 | | long |
+| netflow.netscaler_unknown309 | | long |
+| netflow.netscaler_unknown310 | | long |
+| netflow.netscaler_unknown311 | | long |
+| netflow.netscaler_unknown312 | | long |
+| netflow.netscaler_unknown313 | | long |
+| netflow.netscaler_unknown314 | | long |
+| netflow.netscaler_unknown315 | | long |
+| netflow.netscaler_unknown316 | | keyword |
+| netflow.netscaler_unknown317 | | long |
+| netflow.netscaler_unknown318 | | long |
+| netflow.netscaler_unknown319 | | keyword |
+| netflow.netscaler_unknown320 | | integer |
+| netflow.netscaler_unknown321 | | long |
+| netflow.netscaler_unknown322 | | long |
+| netflow.netscaler_unknown323 | | integer |
+| netflow.netscaler_unknown324 | | integer |
+| netflow.netscaler_unknown325 | | integer |
+| netflow.netscaler_unknown326 | | integer |
+| netflow.netscaler_unknown327 | | long |
+| netflow.netscaler_unknown328 | | integer |
+| netflow.netscaler_unknown329 | | integer |
+| netflow.netscaler_unknown330 | | integer |
+| netflow.netscaler_unknown331 | | integer |
+| netflow.netscaler_unknown332 | | long |
+| netflow.netscaler_unknown333 | | keyword |
+| netflow.netscaler_unknown334 | | keyword |
+| netflow.netscaler_unknown335 | | long |
+| netflow.netscaler_unknown336 | | long |
+| netflow.netscaler_unknown337 | | long |
+| netflow.netscaler_unknown338 | | long |
+| netflow.netscaler_unknown339 | | long |
+| netflow.netscaler_unknown340 | | long |
+| netflow.netscaler_unknown341 | | long |
+| 
netflow.netscaler_unknown342 | | long |
+| netflow.netscaler_unknown343 | | long |
+| netflow.netscaler_unknown344 | | long |
+| netflow.netscaler_unknown345 | | long |
+| netflow.netscaler_unknown346 | | long |
+| netflow.netscaler_unknown347 | | long |
+| netflow.netscaler_unknown348 | | integer |
+| netflow.netscaler_unknown349 | | keyword |
+| netflow.netscaler_unknown350 | | keyword |
+| netflow.netscaler_unknown351 | | keyword |
+| netflow.netscaler_unknown352 | | integer |
+| netflow.netscaler_unknown353 | | long |
+| netflow.netscaler_unknown354 | | long |
+| netflow.netscaler_unknown355 | | long |
+| netflow.netscaler_unknown356 | | long |
+| netflow.netscaler_unknown357 | | long |
+| netflow.netscaler_unknown363 | | short |
+| netflow.netscaler_unknown383 | | short |
+| netflow.netscaler_unknown391 | | long |
+| netflow.netscaler_unknown398 | | long |
+| netflow.netscaler_unknown404 | | long |
+| netflow.netscaler_unknown405 | | long |
+| netflow.netscaler_unknown427 | | long |
+| netflow.netscaler_unknown429 | | short |
+| netflow.netscaler_unknown432 | | short |
+| netflow.netscaler_unknown433 | | short |
+| netflow.netscaler_unknown453 | | long |
+| netflow.netscaler_unknown465 | | long |
+| netflow.new_connection_delta_count | | long |
+| netflow.next_header_ipv6 | | short |
+| netflow.non_empty_packet_count | | long |
+| netflow.not_sent_flow_total_count | | long |
+| netflow.not_sent_layer2_octet_total_count | | long |
+| netflow.not_sent_octet_total_count | | long |
+| netflow.not_sent_packet_total_count | | long |
+| netflow.observation_domain_id | | long |
+| netflow.observation_domain_name | | keyword |
+| netflow.observation_point_id | | long |
+| netflow.observation_point_type | | short |
+| netflow.observation_time_microseconds | | date |
+| netflow.observation_time_milliseconds | | date |
+| netflow.observation_time_nanoseconds | | date |
+| netflow.observation_time_seconds | | date |
+| netflow.observed_flow_total_count | | long |
+| 
netflow.octet_delta_count | | long | +| netflow.octet_delta_sum_of_squares | | long | +| netflow.octet_total_count | | long | +| netflow.octet_total_sum_of_squares | | long | +| netflow.opaque_octets | | short | +| netflow.original_exporter_ipv4_address | | ip | +| netflow.original_exporter_ipv6_address | | ip | +| netflow.original_flows_completed | | long | +| netflow.original_flows_initiated | | long | +| netflow.original_flows_present | | long | +| netflow.original_observation_domain_id | | long | +| netflow.os_finger_print | | keyword | +| netflow.os_name | | keyword | +| netflow.os_version | | keyword | +| netflow.p2p_technology | | keyword | +| netflow.packet_delta_count | | long | +| netflow.packet_total_count | | long | +| netflow.padding_octets | | short | +| netflow.payload | | keyword | +| netflow.payload_entropy | | short | +| netflow.payload_length_ipv6 | | integer | +| netflow.policy_qos_classification_hierarchy | | long | +| netflow.policy_qos_queue_index | | long | +| netflow.policy_qos_queuedrops | | long | +| netflow.policy_qos_queueindex | | long | +| netflow.port_id | | long | +| netflow.port_range_end | | integer | +| netflow.port_range_num_ports | | integer | +| netflow.port_range_start | | integer | +| netflow.port_range_step_size | | integer | +| netflow.post_destination_mac_address | | keyword | +| netflow.post_dot1q_customer_vlan_id | | integer | +| netflow.post_dot1q_vlan_id | | integer | +| netflow.post_ip_class_of_service | | short | +| netflow.post_ip_diff_serv_code_point | | short | +| netflow.post_ip_precedence | | short | +| netflow.post_layer2_octet_delta_count | | long | +| netflow.post_layer2_octet_total_count | | long | +| netflow.post_mcast_layer2_octet_delta_count | | long | +| netflow.post_mcast_layer2_octet_total_count | | long | +| netflow.post_mcast_octet_delta_count | | long | +| netflow.post_mcast_octet_total_count | | long | +| netflow.post_mcast_packet_delta_count | | long | +| netflow.post_mcast_packet_total_count | | 
long | +| netflow.post_mpls_top_label_exp | | short | +| netflow.post_napt_destination_transport_port | | integer | +| netflow.post_napt_source_transport_port | | integer | +| netflow.post_nat_destination_ipv4_address | | ip | +| netflow.post_nat_destination_ipv6_address | | ip | +| netflow.post_nat_source_ipv4_address | | ip | +| netflow.post_nat_source_ipv6_address | | ip | +| netflow.post_octet_delta_count | | long | +| netflow.post_octet_total_count | | long | +| netflow.post_packet_delta_count | | long | +| netflow.post_packet_total_count | | long | +| netflow.post_source_mac_address | | keyword | +| netflow.post_vlan_id | | integer | +| netflow.private_enterprise_number | | long | +| netflow.procera_apn | | keyword | +| netflow.procera_base_service | | keyword | +| netflow.procera_content_categories | | keyword | +| netflow.procera_device_id | | long | +| netflow.procera_external_rtt | | integer | +| netflow.procera_flow_behavior | | keyword | +| netflow.procera_ggsn | | keyword | +| netflow.procera_http_content_type | | keyword | +| netflow.procera_http_file_length | | long | +| netflow.procera_http_language | | keyword | +| netflow.procera_http_location | | keyword | +| netflow.procera_http_referer | | keyword | +| netflow.procera_http_request_method | | keyword | +| netflow.procera_http_request_version | | keyword | +| netflow.procera_http_response_status | | integer | +| netflow.procera_http_url | | keyword | +| netflow.procera_http_user_agent | | keyword | +| netflow.procera_imsi | | long | +| netflow.procera_incoming_octets | | long | +| netflow.procera_incoming_packets | | long | +| netflow.procera_incoming_shaping_drops | | long | +| netflow.procera_incoming_shaping_latency | | integer | +| netflow.procera_internal_rtt | | integer | +| netflow.procera_local_ipv4_host | | ip | +| netflow.procera_local_ipv6_host | | ip | +| netflow.procera_msisdn | | long | +| netflow.procera_outgoing_octets | | long | +| netflow.procera_outgoing_packets | | long | +| 
netflow.procera_outgoing_shaping_drops | | long | +| netflow.procera_outgoing_shaping_latency | | integer | +| netflow.procera_property | | keyword | +| netflow.procera_qoe_incoming_external | | float | +| netflow.procera_qoe_incoming_internal | | float | +| netflow.procera_qoe_outgoing_external | | float | +| netflow.procera_qoe_outgoing_internal | | float | +| netflow.procera_rat | | keyword | +| netflow.procera_remote_ipv4_host | | ip | +| netflow.procera_remote_ipv6_host | | ip | +| netflow.procera_rnc | | integer | +| netflow.procera_server_hostname | | keyword | +| netflow.procera_service | | keyword | +| netflow.procera_sgsn | | keyword | +| netflow.procera_subscriber_identifier | | keyword | +| netflow.procera_template_name | | keyword | +| netflow.procera_user_location_information | | keyword | +| netflow.protocol_identifier | | short | +| netflow.pseudo_wire_control_word | | long | +| netflow.pseudo_wire_destination_ipv4_address | | ip | +| netflow.pseudo_wire_id | | long | +| netflow.pseudo_wire_type | | integer | +| netflow.reason | | long | +| netflow.reason_text | | keyword | +| netflow.relative_error | | double | +| netflow.responder_octets | | long | +| netflow.responder_packets | | long | +| netflow.reverse_absolute_error | | double | +| netflow.reverse_anonymization_flags | | integer | +| netflow.reverse_anonymization_technique | | integer | +| netflow.reverse_application_category_name | | keyword | +| netflow.reverse_application_description | | keyword | +| netflow.reverse_application_group_name | | keyword | +| netflow.reverse_application_id | | keyword | +| netflow.reverse_application_name | | keyword | +| netflow.reverse_application_sub_category_name | | keyword | +| netflow.reverse_average_interarrival_time | | long | +| netflow.reverse_bgp_destination_as_number | | long | +| netflow.reverse_bgp_next_adjacent_as_number | | long | +| netflow.reverse_bgp_next_hop_ipv4_address | | ip | +| netflow.reverse_bgp_next_hop_ipv6_address | | ip | +| 
netflow.reverse_bgp_prev_adjacent_as_number | | long | +| netflow.reverse_bgp_source_as_number | | long | +| netflow.reverse_bgp_validity_state | | short | +| netflow.reverse_class_id | | short | +| netflow.reverse_class_name | | keyword | +| netflow.reverse_classification_engine_id | | short | +| netflow.reverse_collection_time_milliseconds | | long | +| netflow.reverse_collector_certificate | | keyword | +| netflow.reverse_confidence_level | | double | +| netflow.reverse_connection_sum_duration_seconds | | long | +| netflow.reverse_connection_transaction_id | | long | +| netflow.reverse_data_byte_count | | long | +| netflow.reverse_data_link_frame_section | | keyword | +| netflow.reverse_data_link_frame_size | | integer | +| netflow.reverse_data_link_frame_type | | integer | +| netflow.reverse_data_records_reliability | | short | +| netflow.reverse_delta_flow_count | | long | +| netflow.reverse_destination_ipv4_address | | ip | +| netflow.reverse_destination_ipv4_prefix | | ip | +| netflow.reverse_destination_ipv4_prefix_length | | short | +| netflow.reverse_destination_ipv6_address | | ip | +| netflow.reverse_destination_ipv6_prefix | | ip | +| netflow.reverse_destination_ipv6_prefix_length | | short | +| netflow.reverse_destination_mac_address | | keyword | +| netflow.reverse_destination_transport_port | | integer | +| netflow.reverse_digest_hash_value | | long | +| netflow.reverse_distinct_count_of_destination_ip_address | | long | +| netflow.reverse_distinct_count_of_destination_ipv4_address | | long | +| netflow.reverse_distinct_count_of_destination_ipv6_address | | long | +| netflow.reverse_distinct_count_of_source_ip_address | | long | +| netflow.reverse_distinct_count_of_source_ipv4_address | | long | +| netflow.reverse_distinct_count_of_source_ipv6_address | | long | +| netflow.reverse_dot1q_customer_dei | | short | +| netflow.reverse_dot1q_customer_destination_mac_address | | keyword | +| netflow.reverse_dot1q_customer_priority | | short | +| 
netflow.reverse_dot1q_customer_source_mac_address | | keyword | +| netflow.reverse_dot1q_customer_vlan_id | | integer | +| netflow.reverse_dot1q_dei | | short | +| netflow.reverse_dot1q_priority | | short | +| netflow.reverse_dot1q_service_instance_id | | long | +| netflow.reverse_dot1q_service_instance_priority | | short | +| netflow.reverse_dot1q_service_instance_tag | | keyword | +| netflow.reverse_dot1q_vlan_id | | integer | +| netflow.reverse_dropped_layer2_octet_delta_count | | long | +| netflow.reverse_dropped_layer2_octet_total_count | | long | +| netflow.reverse_dropped_octet_delta_count | | long | +| netflow.reverse_dropped_octet_total_count | | long | +| netflow.reverse_dropped_packet_delta_count | | long | +| netflow.reverse_dropped_packet_total_count | | long | +| netflow.reverse_dst_traffic_index | | long | +| netflow.reverse_egress_broadcast_packet_total_count | | long | +| netflow.reverse_egress_interface | | long | +| netflow.reverse_egress_interface_type | | long | +| netflow.reverse_egress_physical_interface | | long | +| netflow.reverse_egress_unicast_packet_total_count | | long | +| netflow.reverse_egress_vrfid | | long | +| netflow.reverse_encrypted_technology | | keyword | +| netflow.reverse_engine_id | | short | +| netflow.reverse_engine_type | | short | +| netflow.reverse_ethernet_header_length | | short | +| netflow.reverse_ethernet_payload_length | | integer | +| netflow.reverse_ethernet_total_length | | integer | +| netflow.reverse_ethernet_type | | integer | +| netflow.reverse_export_sctp_stream_id | | integer | +| netflow.reverse_exporter_certificate | | keyword | +| netflow.reverse_exporting_process_id | | long | +| netflow.reverse_firewall_event | | short | +| netflow.reverse_first_non_empty_packet_size | | integer | +| netflow.reverse_first_packet_banner | | keyword | +| netflow.reverse_flags_and_sampler_id | | long | +| netflow.reverse_flow_active_timeout | | integer | +| netflow.reverse_flow_attributes | | integer | +| 
netflow.reverse_flow_delta_milliseconds | | long | +| netflow.reverse_flow_direction | | short | +| netflow.reverse_flow_duration_microseconds | | long | +| netflow.reverse_flow_duration_milliseconds | | long | +| netflow.reverse_flow_end_delta_microseconds | | long | +| netflow.reverse_flow_end_microseconds | | long | +| netflow.reverse_flow_end_milliseconds | | long | +| netflow.reverse_flow_end_nanoseconds | | long | +| netflow.reverse_flow_end_reason | | short | +| netflow.reverse_flow_end_seconds | | long | +| netflow.reverse_flow_end_sys_up_time | | long | +| netflow.reverse_flow_idle_timeout | | integer | +| netflow.reverse_flow_label_ipv6 | | long | +| netflow.reverse_flow_sampling_time_interval | | long | +| netflow.reverse_flow_sampling_time_spacing | | long | +| netflow.reverse_flow_selected_flow_delta_count | | long | +| netflow.reverse_flow_selected_octet_delta_count | | long | +| netflow.reverse_flow_selected_packet_delta_count | | long | +| netflow.reverse_flow_selector_algorithm | | integer | +| netflow.reverse_flow_start_delta_microseconds | | long | +| netflow.reverse_flow_start_microseconds | | long | +| netflow.reverse_flow_start_milliseconds | | long | +| netflow.reverse_flow_start_nanoseconds | | long | +| netflow.reverse_flow_start_seconds | | long | +| netflow.reverse_flow_start_sys_up_time | | long | +| netflow.reverse_forwarding_status | | long | +| netflow.reverse_fragment_flags | | short | +| netflow.reverse_fragment_identification | | long | +| netflow.reverse_fragment_offset | | integer | +| netflow.reverse_gre_key | | long | +| netflow.reverse_hash_digest_output | | short | +| netflow.reverse_hash_flow_domain | | integer | +| netflow.reverse_hash_initialiser_value | | long | +| netflow.reverse_hash_ip_payload_offset | | long | +| netflow.reverse_hash_ip_payload_size | | long | +| netflow.reverse_hash_output_range_max | | long | +| netflow.reverse_hash_output_range_min | | long | +| netflow.reverse_hash_selected_range_max | | long | +| 
netflow.reverse_hash_selected_range_min | | long | +| netflow.reverse_icmp_code_ipv4 | | short | +| netflow.reverse_icmp_code_ipv6 | | short | +| netflow.reverse_icmp_type_code_ipv4 | | integer | +| netflow.reverse_icmp_type_code_ipv6 | | integer | +| netflow.reverse_icmp_type_ipv4 | | short | +| netflow.reverse_icmp_type_ipv6 | | short | +| netflow.reverse_igmp_type | | short | +| netflow.reverse_ignored_data_record_total_count | | long | +| netflow.reverse_ignored_layer2_frame_total_count | | long | +| netflow.reverse_ignored_layer2_octet_total_count | | long | +| netflow.reverse_information_element_data_type | | short | +| netflow.reverse_information_element_description | | keyword | +| netflow.reverse_information_element_id | | integer | +| netflow.reverse_information_element_index | | integer | +| netflow.reverse_information_element_name | | keyword | +| netflow.reverse_information_element_range_begin | | long | +| netflow.reverse_information_element_range_end | | long | +| netflow.reverse_information_element_semantics | | short | +| netflow.reverse_information_element_units | | integer | +| netflow.reverse_ingress_broadcast_packet_total_count | | long | +| netflow.reverse_ingress_interface | | long | +| netflow.reverse_ingress_interface_type | | long | +| netflow.reverse_ingress_multicast_packet_total_count | | long | +| netflow.reverse_ingress_physical_interface | | long | +| netflow.reverse_ingress_unicast_packet_total_count | | long | +| netflow.reverse_ingress_vrfid | | long | +| netflow.reverse_initial_tcp_flags | | short | +| netflow.reverse_initiator_octets | | long | +| netflow.reverse_initiator_packets | | long | +| netflow.reverse_interface_description | | keyword | +| netflow.reverse_interface_name | | keyword | +| netflow.reverse_intermediate_process_id | | long | +| netflow.reverse_ip_class_of_service | | short | +| netflow.reverse_ip_diff_serv_code_point | | short | +| netflow.reverse_ip_header_length | | short | +| 
netflow.reverse_ip_header_packet_section | | keyword | +| netflow.reverse_ip_next_hop_ipv4_address | | ip | +| netflow.reverse_ip_next_hop_ipv6_address | | ip | +| netflow.reverse_ip_payload_length | | long | +| netflow.reverse_ip_payload_packet_section | | keyword | +| netflow.reverse_ip_precedence | | short | +| netflow.reverse_ip_sec_spi | | long | +| netflow.reverse_ip_total_length | | long | +| netflow.reverse_ip_ttl | | short | +| netflow.reverse_ip_version | | short | +| netflow.reverse_ipv4_ihl | | short | +| netflow.reverse_ipv4_options | | long | +| netflow.reverse_ipv4_router_sc | | ip | +| netflow.reverse_ipv6_extension_headers | | long | +| netflow.reverse_is_multicast | | short | +| netflow.reverse_large_packet_count | | long | +| netflow.reverse_layer2_frame_delta_count | | long | +| netflow.reverse_layer2_frame_total_count | | long | +| netflow.reverse_layer2_octet_delta_count | | long | +| netflow.reverse_layer2_octet_delta_sum_of_squares | | long | +| netflow.reverse_layer2_octet_total_count | | long | +| netflow.reverse_layer2_octet_total_sum_of_squares | | long | +| netflow.reverse_layer2_segment_id | | long | +| netflow.reverse_layer2packet_section_data | | keyword | +| netflow.reverse_layer2packet_section_offset | | integer | +| netflow.reverse_layer2packet_section_size | | integer | +| netflow.reverse_line_card_id | | long | +| netflow.reverse_lower_ci_limit | | double | +| netflow.reverse_max_export_seconds | | long | +| netflow.reverse_max_flow_end_microseconds | | long | +| netflow.reverse_max_flow_end_milliseconds | | long | +| netflow.reverse_max_flow_end_nanoseconds | | long | +| netflow.reverse_max_flow_end_seconds | | long | +| netflow.reverse_max_packet_size | | integer | +| netflow.reverse_maximum_ip_total_length | | long | +| netflow.reverse_maximum_layer2_total_length | | long | +| netflow.reverse_maximum_ttl | | short | +| netflow.reverse_message_md5_checksum | | keyword | +| netflow.reverse_message_scope | | short | +| 
netflow.reverse_metering_process_id | | long | +| netflow.reverse_metro_evc_id | | keyword | +| netflow.reverse_metro_evc_type | | short | +| netflow.reverse_min_export_seconds | | long | +| netflow.reverse_min_flow_start_microseconds | | long | +| netflow.reverse_min_flow_start_milliseconds | | long | +| netflow.reverse_min_flow_start_nanoseconds | | long | +| netflow.reverse_min_flow_start_seconds | | long | +| netflow.reverse_minimum_ip_total_length | | long | +| netflow.reverse_minimum_layer2_total_length | | long | +| netflow.reverse_minimum_ttl | | short | +| netflow.reverse_monitoring_interval_end_milli_seconds | | long | +| netflow.reverse_monitoring_interval_start_milli_seconds | | long | +| netflow.reverse_mpls_label_stack_depth | | long | +| netflow.reverse_mpls_label_stack_length | | long | +| netflow.reverse_mpls_label_stack_section | | keyword | +| netflow.reverse_mpls_label_stack_section10 | | keyword | +| netflow.reverse_mpls_label_stack_section2 | | keyword | +| netflow.reverse_mpls_label_stack_section3 | | keyword | +| netflow.reverse_mpls_label_stack_section4 | | keyword | +| netflow.reverse_mpls_label_stack_section5 | | keyword | +| netflow.reverse_mpls_label_stack_section6 | | keyword | +| netflow.reverse_mpls_label_stack_section7 | | keyword | +| netflow.reverse_mpls_label_stack_section8 | | keyword | +| netflow.reverse_mpls_label_stack_section9 | | keyword | +| netflow.reverse_mpls_payload_length | | long | +| netflow.reverse_mpls_payload_packet_section | | keyword | +| netflow.reverse_mpls_top_label_exp | | short | +| netflow.reverse_mpls_top_label_ipv4_address | | ip | +| netflow.reverse_mpls_top_label_ipv6_address | | ip | +| netflow.reverse_mpls_top_label_prefix_length | | short | +| netflow.reverse_mpls_top_label_stack_section | | keyword | +| netflow.reverse_mpls_top_label_ttl | | short | +| netflow.reverse_mpls_top_label_type | | short | +| netflow.reverse_mpls_vpn_route_distinguisher | | keyword | +| 
netflow.reverse_multicast_replication_factor | | long | +| netflow.reverse_nat_event | | short | +| netflow.reverse_nat_originating_address_realm | | short | +| netflow.reverse_nat_pool_id | | long | +| netflow.reverse_nat_pool_name | | keyword | +| netflow.reverse_nat_type | | short | +| netflow.reverse_new_connection_delta_count | | long | +| netflow.reverse_next_header_ipv6 | | short | +| netflow.reverse_non_empty_packet_count | | long | +| netflow.reverse_not_sent_layer2_octet_total_count | | long | +| netflow.reverse_observation_domain_name | | keyword | +| netflow.reverse_observation_point_id | | long | +| netflow.reverse_observation_point_type | | short | +| netflow.reverse_observation_time_microseconds | | long | +| netflow.reverse_observation_time_milliseconds | | long | +| netflow.reverse_observation_time_nanoseconds | | long | +| netflow.reverse_observation_time_seconds | | long | +| netflow.reverse_octet_delta_count | | long | +| netflow.reverse_octet_delta_sum_of_squares | | long | +| netflow.reverse_octet_total_count | | long | +| netflow.reverse_octet_total_sum_of_squares | | long | +| netflow.reverse_opaque_octets | | keyword | +| netflow.reverse_original_exporter_ipv4_address | | ip | +| netflow.reverse_original_exporter_ipv6_address | | ip | +| netflow.reverse_original_flows_completed | | long | +| netflow.reverse_original_flows_initiated | | long | +| netflow.reverse_original_flows_present | | long | +| netflow.reverse_original_observation_domain_id | | long | +| netflow.reverse_os_finger_print | | keyword | +| netflow.reverse_os_name | | keyword | +| netflow.reverse_os_version | | keyword | +| netflow.reverse_p2p_technology | | keyword | +| netflow.reverse_packet_delta_count | | long | +| netflow.reverse_packet_total_count | | long | +| netflow.reverse_payload | | keyword | +| netflow.reverse_payload_entropy | | short | +| netflow.reverse_payload_length_ipv6 | | integer | +| netflow.reverse_port_id | | long | +| netflow.reverse_port_range_end | 
| integer | +| netflow.reverse_port_range_num_ports | | integer | +| netflow.reverse_port_range_start | | integer | +| netflow.reverse_port_range_step_size | | integer | +| netflow.reverse_post_destination_mac_address | | keyword | +| netflow.reverse_post_dot1q_customer_vlan_id | | integer | +| netflow.reverse_post_dot1q_vlan_id | | integer | +| netflow.reverse_post_ip_class_of_service | | short | +| netflow.reverse_post_ip_diff_serv_code_point | | short | +| netflow.reverse_post_ip_precedence | | short | +| netflow.reverse_post_layer2_octet_delta_count | | long | +| netflow.reverse_post_layer2_octet_total_count | | long | +| netflow.reverse_post_mcast_layer2_octet_delta_count | | long | +| netflow.reverse_post_mcast_layer2_octet_total_count | | long | +| netflow.reverse_post_mcast_octet_delta_count | | long | +| netflow.reverse_post_mcast_octet_total_count | | long | +| netflow.reverse_post_mcast_packet_delta_count | | long | +| netflow.reverse_post_mcast_packet_total_count | | long | +| netflow.reverse_post_mpls_top_label_exp | | short | +| netflow.reverse_post_napt_destination_transport_port | | integer | +| netflow.reverse_post_napt_source_transport_port | | integer | +| netflow.reverse_post_nat_destination_ipv4_address | | ip | +| netflow.reverse_post_nat_destination_ipv6_address | | ip | +| netflow.reverse_post_nat_source_ipv4_address | | ip | +| netflow.reverse_post_nat_source_ipv6_address | | ip | +| netflow.reverse_post_octet_delta_count | | long | +| netflow.reverse_post_octet_total_count | | long | +| netflow.reverse_post_packet_delta_count | | long | +| netflow.reverse_post_packet_total_count | | long | +| netflow.reverse_post_source_mac_address | | keyword | +| netflow.reverse_post_vlan_id | | integer | +| netflow.reverse_private_enterprise_number | | long | +| netflow.reverse_protocol_identifier | | short | +| netflow.reverse_pseudo_wire_control_word | | long | +| netflow.reverse_pseudo_wire_destination_ipv4_address | | ip | +| 
netflow.reverse_pseudo_wire_id | | long | +| netflow.reverse_pseudo_wire_type | | integer | +| netflow.reverse_relative_error | | double | +| netflow.reverse_responder_octets | | long | +| netflow.reverse_responder_packets | | long | +| netflow.reverse_rfc3550_jitter_microseconds | | long | +| netflow.reverse_rfc3550_jitter_milliseconds | | long | +| netflow.reverse_rfc3550_jitter_nanoseconds | | long | +| netflow.reverse_rtp_payload_type | | short | +| netflow.reverse_rtp_sequence_number | | integer | +| netflow.reverse_sampler_id | | short | +| netflow.reverse_sampler_mode | | short | +| netflow.reverse_sampler_name | | keyword | +| netflow.reverse_sampler_random_interval | | long | +| netflow.reverse_sampling_algorithm | | short | +| netflow.reverse_sampling_flow_interval | | long | +| netflow.reverse_sampling_flow_spacing | | long | +| netflow.reverse_sampling_interval | | long | +| netflow.reverse_sampling_packet_interval | | long | +| netflow.reverse_sampling_packet_space | | long | +| netflow.reverse_sampling_population | | long | +| netflow.reverse_sampling_probability | | double | +| netflow.reverse_sampling_size | | long | +| netflow.reverse_sampling_time_interval | | long | +| netflow.reverse_sampling_time_space | | long | +| netflow.reverse_second_packet_banner | | keyword | +| netflow.reverse_section_exported_octets | | integer | +| netflow.reverse_section_offset | | integer | +| netflow.reverse_selection_sequence_id | | long | +| netflow.reverse_selector_algorithm | | integer | +| netflow.reverse_selector_id | | long | +| netflow.reverse_selector_id_total_flows_observed | | long | +| netflow.reverse_selector_id_total_flows_selected | | long | +| netflow.reverse_selector_id_total_pkts_observed | | long | +| netflow.reverse_selector_id_total_pkts_selected | | long | +| netflow.reverse_selector_name | | keyword | +| netflow.reverse_session_scope | | short | +| netflow.reverse_small_packet_count | | long | +| netflow.reverse_source_ipv4_address | | ip | 
+| netflow.reverse_source_ipv4_prefix | | ip | +| netflow.reverse_source_ipv4_prefix_length | | short | +| netflow.reverse_source_ipv6_address | | ip | +| netflow.reverse_source_ipv6_prefix | | ip | +| netflow.reverse_source_ipv6_prefix_length | | short | +| netflow.reverse_source_mac_address | | keyword | +| netflow.reverse_source_transport_port | | integer | +| netflow.reverse_src_traffic_index | | long | +| netflow.reverse_sta_ipv4_address | | ip | +| netflow.reverse_sta_mac_address | | keyword | +| netflow.reverse_standard_deviation_interarrival_time | | long | +| netflow.reverse_standard_deviation_payload_length | | integer | +| netflow.reverse_system_init_time_milliseconds | | long | +| netflow.reverse_tcp_ack_total_count | | long | +| netflow.reverse_tcp_acknowledgement_number | | long | +| netflow.reverse_tcp_control_bits | | integer | +| netflow.reverse_tcp_destination_port | | integer | +| netflow.reverse_tcp_fin_total_count | | long | +| netflow.reverse_tcp_header_length | | short | +| netflow.reverse_tcp_options | | long | +| netflow.reverse_tcp_psh_total_count | | long | +| netflow.reverse_tcp_rst_total_count | | long | +| netflow.reverse_tcp_sequence_number | | long | +| netflow.reverse_tcp_source_port | | integer | +| netflow.reverse_tcp_syn_total_count | | long | +| netflow.reverse_tcp_urg_total_count | | long | +| netflow.reverse_tcp_urgent_pointer | | integer | +| netflow.reverse_tcp_window_scale | | integer | +| netflow.reverse_tcp_window_size | | integer | +| netflow.reverse_total_length_ipv4 | | integer | +| netflow.reverse_transport_octet_delta_count | | long | +| netflow.reverse_transport_packet_delta_count | | long | +| netflow.reverse_tunnel_technology | | keyword | +| netflow.reverse_udp_destination_port | | integer | +| netflow.reverse_udp_message_length | | integer | +| netflow.reverse_udp_source_port | | integer | +| netflow.reverse_union_tcp_flags | | short | +| netflow.reverse_upper_ci_limit | | double | +| netflow.reverse_user_name | 
| keyword | +| netflow.reverse_value_distribution_method | | short | +| netflow.reverse_virtual_station_interface_id | | keyword | +| netflow.reverse_virtual_station_interface_name | | keyword | +| netflow.reverse_virtual_station_name | | keyword | +| netflow.reverse_virtual_station_uuid | | keyword | +| netflow.reverse_vlan_id | | integer | +| netflow.reverse_vr_fname | | keyword | +| netflow.reverse_wlan_channel_id | | short | +| netflow.reverse_wlan_ssid | | keyword | +| netflow.reverse_wtp_mac_address | | keyword | +| netflow.rfc3550_jitter_microseconds | | long | +| netflow.rfc3550_jitter_milliseconds | | long | +| netflow.rfc3550_jitter_nanoseconds | | long | +| netflow.rtp_payload_type | | short | +| netflow.rtp_sequence_number | | integer | +| netflow.sampler_id | | short | +| netflow.sampler_mode | | short | +| netflow.sampler_name | | keyword | +| netflow.sampler_random_interval | | long | +| netflow.sampling_algorithm | | short | +| netflow.sampling_flow_interval | | long | +| netflow.sampling_flow_spacing | | long | +| netflow.sampling_interval | | long | +| netflow.sampling_packet_interval | | long | +| netflow.sampling_packet_space | | long | +| netflow.sampling_population | | long | +| netflow.sampling_probability | | double | +| netflow.sampling_size | | long | +| netflow.sampling_time_interval | | long | +| netflow.sampling_time_space | | long | +| netflow.second_packet_banner | | keyword | +| netflow.section_exported_octets | | integer | +| netflow.section_offset | | integer | +| netflow.selection_sequence_id | | long | +| netflow.selector_algorithm | | integer | +| netflow.selector_id | | long | +| netflow.selector_id_total_flows_observed | | long | +| netflow.selector_id_total_flows_selected | | long | +| netflow.selector_id_total_pkts_observed | | long | +| netflow.selector_id_total_pkts_selected | | long | +| netflow.selector_name | | keyword | +| netflow.service_name | | keyword | +| netflow.session_scope | | short | +| netflow.silk_app_label 
| | integer | +| netflow.small_packet_count | | long | +| netflow.source_ipv4_address | | ip | +| netflow.source_ipv4_prefix | | ip | +| netflow.source_ipv4_prefix_length | | short | +| netflow.source_ipv6_address | | ip | +| netflow.source_ipv6_prefix | | ip | +| netflow.source_ipv6_prefix_length | | short | +| netflow.source_mac_address | | keyword | +| netflow.source_transport_port | | integer | +| netflow.source_transport_ports_limit | | integer | +| netflow.src_traffic_index | | long | +| netflow.ssl_cert_serial_number | | keyword | +| netflow.ssl_cert_signature | | keyword | +| netflow.ssl_cert_validity_not_after | | keyword | +| netflow.ssl_cert_validity_not_before | | keyword | +| netflow.ssl_cert_version | | short | +| netflow.ssl_certificate_hash | | keyword | +| netflow.ssl_cipher | | keyword | +| netflow.ssl_client_version | | short | +| netflow.ssl_compression_method | | short | +| netflow.ssl_object_type | | keyword | +| netflow.ssl_object_value | | keyword | +| netflow.ssl_public_key_algorithm | | keyword | +| netflow.ssl_public_key_length | | keyword | +| netflow.ssl_server_cipher | | long | +| netflow.ssl_server_name | | keyword | +| netflow.sta_ipv4_address | | ip | +| netflow.sta_mac_address | | keyword | +| netflow.standard_deviation_interarrival_time | | long | +| netflow.standard_deviation_payload_length | | short | +| netflow.system_init_time_milliseconds | | date | +| netflow.tcp_ack_total_count | | long | +| netflow.tcp_acknowledgement_number | | long | +| netflow.tcp_control_bits | | integer | +| netflow.tcp_destination_port | | integer | +| netflow.tcp_fin_total_count | | long | +| netflow.tcp_header_length | | short | +| netflow.tcp_options | | long | +| netflow.tcp_psh_total_count | | long | +| netflow.tcp_rst_total_count | | long | +| netflow.tcp_sequence_number | | long | +| netflow.tcp_source_port | | integer | +| netflow.tcp_syn_total_count | | long | +| netflow.tcp_urg_total_count | | long | +| netflow.tcp_urgent_pointer | | 
integer | +| netflow.tcp_window_scale | | integer | +| netflow.tcp_window_size | | integer | +| netflow.template_id | | integer | +| netflow.tftp_filename | | keyword | +| netflow.tftp_mode | | keyword | +| netflow.timestamp | | long | +| netflow.timestamp_absolute_monitoring-interval | | long | +| netflow.total_length_ipv4 | | integer | +| netflow.traffic_type | | short | +| netflow.transport_octet_delta_count | | long | +| netflow.transport_packet_delta_count | | long | +| netflow.tunnel_technology | | keyword | +| netflow.type | The type of NetFlow record described by this event. | keyword | +| netflow.udp_destination_port | | integer | +| netflow.udp_message_length | | integer | +| netflow.udp_source_port | | integer | +| netflow.union_tcp_flags | | short | +| netflow.upper_ci_limit | | double | +| netflow.user_name | | keyword | +| netflow.username | | keyword | +| netflow.value_distribution_method | | short | +| netflow.viptela_vpn_id | | long | +| netflow.virtual_station_interface_id | | short | +| netflow.virtual_station_interface_name | | keyword | +| netflow.virtual_station_name | | keyword | +| netflow.virtual_station_uuid | | short | +| netflow.vlan_id | | integer | +| netflow.vmware_egress_interface_attr | | integer | +| netflow.vmware_ingress_interface_attr | | integer | +| netflow.vmware_tenant_dest_ipv4 | | ip | +| netflow.vmware_tenant_dest_ipv6 | | ip | +| netflow.vmware_tenant_dest_port | | integer | +| netflow.vmware_tenant_protocol | | short | +| netflow.vmware_tenant_source_ipv4 | | ip | +| netflow.vmware_tenant_source_ipv6 | | ip | +| netflow.vmware_tenant_source_port | | integer | +| netflow.vmware_vxlan_export_role | | short | +| netflow.vpn_identifier | | short | +| netflow.vr_fname | | keyword | +| netflow.waasoptimization_segment | | short | +| netflow.wlan_channel_id | | short | +| netflow.wlan_ssid | | keyword | +| netflow.wtp_mac_address | | keyword | +| netflow.xlate_destination_address_ip_v4 | | ip | +| 
netflow.xlate_destination_port | | integer | +| netflow.xlate_source_address_ip_v4 | | ip | +| netflow.xlate_source_port | | integer | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. 
| ip |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.name | Name given by operators to sections of their network. | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| observer.geo.city_name | City name. | keyword |
+| observer.geo.continent_name | Name of the continent. | keyword |
+| observer.geo.country_iso_code | Country ISO code. | keyword |
+| observer.geo.country_name | Country name. | keyword |
+| observer.geo.location | Longitude and latitude. | geo_point |
+| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| observer.geo.region_iso_code | Region ISO code. | keyword |
+| observer.geo.region_name | Region name. | keyword |
+| observer.hostname | Hostname of the observer. | keyword |
+| observer.ip | IP addresses of the observer. | ip |
+| observer.mac | MAC addresses of the observer. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
+| observer.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| observer.os.full | Operating system name, including the version or code name. | keyword |
+| observer.os.full.text | Multi-field of `observer.os.full`. | match_only_text |
+| observer.os.kernel | Operating system kernel version as a raw string. | keyword |
+| observer.os.name | Operating system name, without the version. | keyword |
+| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text |
+| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| observer.os.version | Operating system version as a raw string. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.serial_number | Observer serial number. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| organization.id | Unique identifier for the organization. | keyword |
+| organization.name | Organization name. | keyword |
+| organization.name.text | Multi-field of `organization.name`. | match_only_text |
+| os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword |
+| os.full | Operating system name, including the version or code name. | keyword |
+| os.full.text | Multi-field of `os.full`. | match_only_text |
+| os.kernel | Operating system kernel version as a raw string. | keyword |
+| os.name | Operating system name, without the version. | keyword |
+| os.name.text | Multi-field of `os.name`. | match_only_text |
+| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| os.version | Operating system version as a raw string. | keyword |
+| package.architecture | Package architecture. | keyword |
+| package.checksum | Checksum of the installed package for verification. | keyword |
+| package.description | Description of the package. | keyword |
+| package.install_scope | Indicating how the package was installed, e.g. user-local, global. | keyword |
+| package.installed | Time when package was installed. | date |
+| package.license | License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). | keyword |
+| package.name | Package name | keyword |
+| package.path | Path where the package is installed. | keyword |
+| package.size | Package size in bytes. | long |
+| package.version | Package version | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.hash.sha512 | SHA512 hash. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. 
| match_only_text |
+| process.parent.pid | Process id. | long |
+| process.pgid | Identifier of the group of processes the process belongs to. | long |
+| process.pid | Process id. | long |
+| process.start | The time the process started. | date |
+| process.thread.id | Thread ID. | long |
+| process.thread.name | Thread name. | keyword |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| process.uptime | Seconds the process has been up. | long |
+| process.working_directory | The working directory of the process. | keyword |
+| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text |
+| related.ip | All of the IPs seen on your event. | ip |
+| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| server.as.organization.name | Organization name. | keyword |
+| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text |
+| server.bytes | Bytes sent from the server to the client. | long |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| server.geo.city_name | City name. | keyword |
+| server.geo.continent_name | Name of the continent. 
| keyword |
+| server.geo.country_iso_code | Country ISO code. | keyword |
+| server.geo.country_name | Country name. | keyword |
+| server.geo.location | Longitude and latitude. | geo_point |
+| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| server.geo.region_iso_code | Region ISO code. | keyword |
+| server.geo.region_name | Region name. | keyword |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long |
+| server.packets | Packets sent from the server to the client. | long |
+| server.port | Port of the server. | long |
+| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| server.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| server.user.email | User email address. | keyword |
+| server.user.full_name | User's full name, if available. | keyword |
+| server.user.full_name.text | Multi-field of `server.user.full_name`. | match_only_text |
+| server.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| server.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| server.user.group.name | Name of the group. | keyword |
+| server.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| server.user.id | Unique identifier of the user. | keyword |
+| server.user.name | Short name or login of the user. | keyword |
+| server.user.name.text | Multi-field of `server.user.name`. | match_only_text |
+| service.ephemeral_id | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not. | keyword |
+| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword |
+| service.name | Name of the service data is collected from. 
The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| service.node.name | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. | keyword |
+| service.state | Current state of the service. | keyword |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.locality | Whether the source IP is private or public. | keyword |
+| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. 
| long |
+| source.packets | Packets sent from the source to the destination. | long |
+| source.port | Port of the source. | long |
+| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.email | User email address. | keyword |
+| source.user.full_name | User's full name, if available. | keyword |
+| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text |
+| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| source.user.group.name | Name of the group. | keyword |
+| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| source.user.id | Unique identifier of the user. | keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. 
| match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
+| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
+| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
+| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| trace.id | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. | keyword |
+| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. 
| keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. | match_only_text |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.password | Password of the request. | keyword |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443. | long |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| url.username | Username of the request. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.group.name | Name of the group. | keyword |
+| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.id | Unique identifier of the user. 
| keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
diff --git a/packages/netflow/1.4.2/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json b/packages/netflow/1.4.2/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json
new file mode 100755
index 0000000000..500e9291d4
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json
@@ -0,0 +1,68 @@
+{
+ "attributes": {
+ "description": "Netflow Top N flows",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
+ },
+ "optionsJSON": "{\"darkTheme\":false}",
+ "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":24},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":24},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"6\",\"panelRefName\":\"
panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.3.0\"}]",
+ "timeRestore": false,
+ "title": "[Logs Netflow] Top-N",
+ "version": 1
+ },
+ "id": "netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3",
+ "name": "panel_0",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-15295ea6-ba84-47db-8ced-9312abbf495c",
+ "name": "panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49",
+ "name": "panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf",
+ "name": "panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f",
+ "name": "panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03",
+ "name": "panel_5",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81",
+ "name": "panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-5292a65b-c532-422a-9008-1251a8073a3a",
+ "name": "panel_7",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-cccff92f-cb71-49a9-9caf-84867751d31e",
+ "name": "panel_8",
+ 
"type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json b/packages/netflow/1.4.2/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json
new file mode 100755
index 0000000000..ef5543cef1
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "description": "Overview of Netflow",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
+ },
+ "optionsJSON": "{\"darkTheme\":false}",
+ "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"13\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"14\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":16,\"x\":16,\"y\":12},\"panelIndex\":\"15\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"17\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"21\",\"w\":16,\"x\":32,\"y\":12},\"panelIndex\":\"21\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"22\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"23\",\"w\":16,\"x\":0,\"y\":12},\"panelIndex\":\"23\",\"panelRefName\":\"panel_7\",\"version\":\"7.3.0\"},{
\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"24\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"24\",\"panelRefName\":\"panel_8\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"25\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"25\",\"panelRefName\":\"panel_9\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"26\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"26\",\"panelRefName\":\"panel_10\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"27\",\"w\":16,\"x\":16,\"y\":28},\"panelIndex\":\"27\",\"panelRefName\":\"panel_11\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"29\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"29\",\"panelRefName\":\"panel_12\",\"version\":\"7.3.0\"}]",
+ "timeRestore": false,
+ "title": "[Logs Netflow] Overview",
+ "version": 1
+ },
+ "id": "netflow-34e26884-161a-4448-9556-43b5bf2f62a2",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819",
+ "name": "panel_0",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de",
+ "name": "panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-1558508d-591c-49be-bef4-85fdac18a960",
+ "name": "panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a",
+ "name": "panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3",
+ "name": "panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957",
+ "name": "panel_5",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60",
+ "name": "panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2",
+ "name": "panel_7",
+ "type": "visualization"
+ },
+ {
+ 
"id": "netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d",
+ "name": "panel_8",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761",
+ "name": "panel_9",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-31708a70-4957-4a8a-8065-5c88a344ad02",
+ "name": "panel_10",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-b677cd82-b33e-49b3-8b6e-0e110177b163",
+ "name": "panel_11",
+ "type": "visualization"
+ },
+ {
+ "id": "netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f",
+ "name": "panel_12",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json b/packages/netflow/1.4.2/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json
new file mode 100755
index 0000000000..6127738813
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json
@@ -0,0 +1,228 @@ +{ + "attributes": { + "description": "Netflow traffic analysis", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":24,\"x\":24,\"y\":84},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":108},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":108},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":84},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"11\",\"panelRefName\":\"panel_7\",\"version\":\"7.3.0\"},{\"
embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"12\",\"panelRefName\":\"panel_8\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_9\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"14\",\"panelRefName\":\"panel_10\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"15\",\"panelRefName\":\"panel_11\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"16\",\"panelRefName\":\"panel_12\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":16,\"x\":24,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_13\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":16,\"x\":24,\"y\":28},\"panelIndex\":\"18\",\"panelRefName\":\"panel_14\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":16,\"x\":0,\"y\":52},\"panelIndex\":\"19\",\"panelRefName\":\"panel_15\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":16,\"x\":24,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_16\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"21\",\"w\":16,\"x\":0,\"y\":76},\"panelIndex\":\"21\",\"panelRefName\":\"panel_17\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":16,\"x\":24,\"y\":76},\"panelIndex\":\"22\",\"panelRefName\":\"panel_18\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"23\",\"w\":16,\"x\":0,\"y\":100},\"panelIndex\":\"23\",\"panelRefName\":\"panel_19\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"g
ridData\":{\"h\":8,\"i\":\"24\",\"w\":16,\"x\":24,\"y\":100},\"panelIndex\":\"24\",\"panelRefName\":\"panel_20\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"25\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"25\",\"panelRefName\":\"panel_21\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"26\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"26\",\"panelRefName\":\"panel_22\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"27\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"27\",\"panelRefName\":\"panel_23\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"28\",\"panelRefName\":\"panel_24\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"29\",\"w\":8,\"x\":40,\"y\":28},\"panelIndex\":\"29\",\"panelRefName\":\"panel_25\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"30\",\"w\":8,\"x\":16,\"y\":28},\"panelIndex\":\"30\",\"panelRefName\":\"panel_26\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"31\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"31\",\"panelRefName\":\"panel_27\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"34\",\"w\":24,\"x\":24,\"y\":116},\"panelIndex\":\"34\",\"panelRefName\":\"panel_28\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"35\",\"w\":24,\"x\":0,\"y\":116},\"panelIndex\":\"35\",\"panelRefName\":\"panel_29\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"38\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"38\",\"panelRefName\":\"panel_30\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"42\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"42\",\"panelRefName\":\"panel_31\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"44\",\"w\":24,\"x\":0,\"y\":92},\"panelIndex\":\"44\",\"panelRefName\":\"panel_32\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"45\",\"w\":24,\"x\":0,\"y\":68},\"panelIndex\":\"45\",\"panelRefName\":\"panel_33\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"47\",\"w\":24,\"x\":24,\"y\":68},\"panelIndex\":\"47\",\"panelRefName\":\"panel_34\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"48\",\"w\":8,\"x\":16,\"y\":52},\"panelIndex\":\"48\",\"panelRefName\":\"panel_35\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"49\",\"w\":8,\"x\":40,\"y\":52},\"panelIndex\":\"49\",\"panelRefName\":\"panel_36\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"50\",\"w\":8,\"x\":40,\"y\":76},\"panelIndex\":\"50\",\"panelRefName\":\"panel_37\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"51\",\"w\":8,\"x\":40,\"y\":100},\"panelIndex\":\"51\",\"panelRefName\":\"panel_38\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"52\",\"w\":8,\"x\":16,\"y\":100},\"panelIndex\":\"52\",\"panelRefName\":\"panel_39\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"53\",\"w\":8,\"x\":16,\"y\":76},\"panelIndex\":\"53\",\"panelRefName\":\"panel_40\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Traffic Analysis", + "version": 1 + }, + "id": "netflow-38012abe-c611-4124-8497-381fcd85acc8", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "netflow-5d868836-c7b2-4812-bf47-4838aac281d9", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "netflow-717cd7c7-bfca-435d-8ee7-38259927aade", + "name": "panel_7", + "type": 
"visualization" + }, + { + "id": "netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "netflow-681f0ce4-d828-4a99-b643-0c0715530050", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "netflow-248e00b4-8fc2-406f-8907-729d5380aaa7", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", + "name": "panel_15", + "type": "visualization" + }, + { + "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", + "name": "panel_16", + "type": "visualization" + }, + { + "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", + "name": "panel_17", + "type": "visualization" + }, + { + "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", + "name": "panel_18", + "type": "visualization" + }, + { + "id": "netflow-a14c3248-952d-42aa-bd7d-9b39157a776f", + "name": "panel_19", + "type": "visualization" + }, + { + "id": "netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2", + "name": "panel_20", + "type": "visualization" + }, + { + "id": "netflow-0528bc66-6981-400a-a02d-c1d221b38890", + "name": "panel_21", + "type": "visualization" + }, + { + "id": "netflow-e99dc327-03de-4561-9e0c-f550710125c2", + "name": "panel_22", + "type": "visualization" + }, + { + "id": "netflow-32e712ed-fa15-4db7-8575-8476e8d65b03", + "name": "panel_23", + "type": "visualization" + }, + { + "id": "netflow-d59a031c-70d6-47d7-966d-7fcb805be9be", + "name": "panel_24", + "type": "visualization" + }, + { + "id": "netflow-af707b01-29f1-462b-b279-6d2e803f3645", 
+ "name": "panel_25", + "type": "visualization" + }, + { + "id": "netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b", + "name": "panel_26", + "type": "visualization" + }, + { + "id": "netflow-30cd1009-2925-4c9b-820d-d689f5d1efda", + "name": "panel_27", + "type": "visualization" + }, + { + "id": "netflow-7d447b22-89dc-4f32-b549-4b8620af4d76", + "name": "panel_28", + "type": "visualization" + }, + { + "id": "netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0", + "name": "panel_29", + "type": "visualization" + }, + { + "id": "netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f", + "name": "panel_30", + "type": "visualization" + }, + { + "id": "netflow-201d7dd1-a880-4a64-b631-db5629340db9", + "name": "panel_31", + "type": "visualization" + }, + { + "id": "netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb", + "name": "panel_32", + "type": "visualization" + }, + { + "id": "netflow-a1704d46-15fc-41c2-851d-796ceb49877f", + "name": "panel_33", + "type": "visualization" + }, + { + "id": "netflow-15e2a267-2495-4df2-a121-abe410d2f18c", + "name": "panel_34", + "type": "visualization" + }, + { + "id": "netflow-f27c1479-0625-4cdc-92de-672e47db0f87", + "name": "panel_35", + "type": "visualization" + }, + { + "id": "netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2", + "name": "panel_36", + "type": "visualization" + }, + { + "id": "netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6", + "name": "panel_37", + "type": "visualization" + }, + { + "id": "netflow-16262df9-a979-4136-935e-d883c7d373d7", + "name": "panel_38", + "type": "visualization" + }, + { + "id": "netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95", + "name": "panel_39", + "type": "visualization" + }, + { + "id": "netflow-2dca3025-692c-4876-8bcc-e0b248dc9819", + "name": "panel_40", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file 
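Review bot: This saved-object file is added with `new file mode 100755` and ends with `\ No newline at end of file`; a dashboard export is data, not a script, so the executable bit should be dropped to `100644` (e.g. `git update-index --chmod=-x` on the file) and a trailing newline added so later diffs stay clean. The same header shape appears on every other dashboard, search and visualization JSON file further down in this commit, so it is presumably how the export tooling writes them and is worth fixing at that source rather than file by file. The JSON content itself is a Kibana export and needs no change.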
diff --git a/packages/netflow/1.4.2/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json b/packages/netflow/1.4.2/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json new file mode 100755 index 0000000000..7255b0b0c4 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json 
@@ -0,0 +1,48 @@ +{ + "attributes": { + "description": "Netflow geo location", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"mapCenter\":[20.632784250388028,16.69921875],\"mapZoom\":2},\"gridData\":{\"h\":24,\"i\":\"16\",\"w\":32,\"x\":16,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":16,\"x\":0,\"y\":12},\"panelIndex\":\"18\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"19\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"20\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Geo Location", + "version": 1 + }, + "id": "netflow-77326664-23be-4bf1-a126-6d7e60cfc024", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-f4c8cb5a-7336-449e-ab99-6e867b435b85", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823", + 
"name": "panel_1", + "type": "visualization" + }, + { + "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "panel_4", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json b/packages/netflow/1.4.2/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json new file mode 100755 index 0000000000..a3808c243b --- /dev/null +++ b/packages/netflow/1.4.2/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json 
@@ -0,0 +1,43 @@ +{ + "attributes": { + "description": "Netflow flow records", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":36,\"x\":12,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"source.ip\",\"source.port\",\"destination.ip\",\"destination.port\",\"network.transport\",\"network.bytes\",\"network.packets\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Flow records", + "version": 1 + }, + "id": "netflow-94972700-de4a-4272-9143-2fa8d4981365", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094", + "name": "panel_0", + "type": "visualization" + }, + { + "id": 
"netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a", + "name": "panel_3", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json b/packages/netflow/1.4.2/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json new file mode 100755 index 0000000000..8fc896464c --- /dev/null +++ b/packages/netflow/1.4.2/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json 
@@ -0,0 +1,48 @@ +{ + "attributes": { + "description": "Netflow conversation partners", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Conversation Partners", + "version": 1 + }, + "id": "netflow-acd7a630-0c71-4840-bc9e-4a3801374a32", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9", + "name": "panel_0", + "type": "visualization" + }, + 
{ + "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "panel_4", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json b/packages/netflow/1.4.2/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json new file mode 100755 index 0000000000..bfb19867bb --- /dev/null +++ b/packages/netflow/1.4.2/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json 
@@ -0,0 +1,63 @@ +{ + "attributes": { + "description": "Autonomous systems Netflow", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.3.0\"}]", + 
"timeRestore": false, + "title": "[Logs Netflow] Autonomous Systems", + "version": 1 + }, + "id": "netflow-c64665f9-d222-421e-90b0-c7310d944b8a", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "netflow-12aad647-c45d-4667-a029-152c1a97cbbc", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "netflow-f7808e70-df2a-4532-a350-966704567c24", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json b/packages/netflow/1.4.2/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json new file mode 100755 index 0000000000..34d6058e4e --- /dev/null +++ b/packages/netflow/1.4.2/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json 
@@ -0,0 +1,63 @@ +{ + "attributes": { + "description": "Netflow exporters", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"version\":\"7.3.0\"}]", + 
"timeRestore": false, + "title": "[Logs Netflow] Flow Exporters", + "version": 1 + }, + "id": "netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "netflow-441c6c50-fa1a-489c-96c6-76f7925dea24", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "netflow-85ebf558-402b-45d2-a186-e15f8673ec07", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json b/packages/netflow/1.4.2/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json new file mode 100755 index 0000000000..080d02e6e4 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "columns": [ + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "network.transport", + "network.bytes", + "network.packets" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"netflow.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Flow Records [Logs Netflow]", + "version": 1 + }, + "id": "netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json b/packages/netflow/1.4.2/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json new file mode 100755 index 0000000000..15ee68b6b0 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "VLAN Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"VLANs\",\"field\":\"netflow.vlan_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"VLAN Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "id": "netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json b/packages/netflow/1.4.2/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json new file mode 100755 index 0000000000..0c822a66f6 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Autonomous Systems [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Autonomous System\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Autonomous Systems [Logs Netflow]\",\"type\":\"table\"}" + }, + "id": "netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json b/packages/netflow/1.4.2/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json new file mode 100755 index 0000000000..886dc6a202 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Sources (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Sources (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-0528bc66-6981-400a-a02d-c1d221b38890", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json b/packages/netflow/1.4.2/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json new file mode 100755 index 0000000000..683d048cc4 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json 
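Review bot: The Timelion expression in this hunk queries `index="logs-*"` with no `q=` clause, so nothing in the object itself restricts the `sum:network.packets` series to NetFlow data; `kibana=true` only inherits filters when the panel sits on a dashboard that carries them, and opened on its own (or on a dashboard without a dataset filter) it sums packets from every `logs-*` data stream the user can read. The saved search `Flow Records [Logs Netflow]` in the preceding hunk pins `data_stream.dataset` to `netflow.log`, and the same constraint belongs here: `.es(index="logs-*", q="data_stream.dataset:netflow.log", metric="sum:network.packets", split="source.ip:10", kibana=true)`. The other Timelion panels in this change (`Destination Autonomous Systems (bytes)`, `VLANs (packets)`, `Ingress Interfaces (packets)`, `Cities (bytes)`, `Source Ports (packets)`, `Autonomous Systems (packets)`, `Destination Ports (packets)`) share the pattern and need the same clause. Because `references` is empty there is no index-pattern reference for Fleet to rewrite, so the hardcoded index string is exactly what runs. Separately, the file header shows the object added with `new file mode 100755`; a saved-object JSON file has no reason to be executable and should be `100644`.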
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Source Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json b/packages/netflow/1.4.2/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json new file mode 100755 index 0000000000..f0ce29dbf9 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Autonomous Systems (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-12aad647-c45d-4667-a029-152c1a97cbbc", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json b/packages/netflow/1.4.2/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json new file mode 100755 index 0000000000..68d4cc4942 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Ingress Interfaces (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Ingress Interface\",\"field\":\"netflow.ingress_interface\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Ingress Interfaces (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json b/packages/netflow/1.4.2/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json new file mode 100755 index 0000000000..63e009df26 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Sources [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Sources [Logs Netflow]\",\"type\":\"table\"}" + }, + "id": "netflow-15295ea6-ba84-47db-8ced-9312abbf495c", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json b/packages/netflow/1.4.2/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json new file mode 100755 index 0000000000..fad8c3c64b --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Sources and Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Sources and Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-1558508d-591c-49be-bef4-85fdac18a960", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json b/packages/netflow/1.4.2/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json new file mode 100755 index 0000000000..19b0ba6504 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "VLANs (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.vlan_id:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.vlan_id:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"VLANs (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-15e2a267-2495-4df2-a121-abe410d2f18c", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json b/packages/netflow/1.4.2/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json new file mode 100755 index 0000000000..f1745390dd --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "City Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Cities\",\"field\":\"destination.geo.city_name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"City Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "id": "netflow-16262df9-a979-4136-935e-d883c7d373d7", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json b/packages/netflow/1.4.2/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json new file mode 100755 index 0000000000..b994a999b3 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Ingress Interfaces (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.ingress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ingress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Ingress Interfaces (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json b/packages/netflow/1.4.2/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json new file mode 100755 index 0000000000..493b9c113a --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Types of Service (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type of Service\",\"field\":\"netflow.ip_class_of_service\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Types of Service (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json b/packages/netflow/1.4.2/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json new file mode 100755 index 0000000000..8d723b9f6b --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Cities (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.geo.city_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.city_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Cities (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json b/packages/netflow/1.4.2/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json new file mode 100755 index 0000000000..3ae87ee515 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Ports (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Ports (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-201d7dd1-a880-4a64-b631-db5629340db9", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json b/packages/netflow/1.4.2/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json new file mode 100755 index 0000000000..427764a8d4 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Countries and Cities (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Countries and Cities (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json b/packages/netflow/1.4.2/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json new file mode 100755 index 0000000000..1f548f3f7b --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Destinations (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-248e00b4-8fc2-406f-8907-729d5380aaa7", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json b/packages/netflow/1.4.2/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json new file mode 100755 index 0000000000..185b0f1fe7 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Protocols [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.transport\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Protocols [Logs Netflow]\",\"type\":\"table\"}" + }, + "id": "netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json b/packages/netflow/1.4.2/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json new file mode 100755 index 0000000000..1b5f875b7b --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "TCP Flags Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"TCP Flag States\",\"field\":\"netflow.tcp_control_bits\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"TCP Flags Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "id": "netflow-2dca3025-692c-4876-8bcc-e0b248dc9819", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json b/packages/netflow/1.4.2/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json new file mode 100755 index 0000000000..2cf30c10aa --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Autonomous Systems (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-30cd1009-2925-4c9b-820d-d689f5d1efda", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json b/packages/netflow/1.4.2/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json new file mode 100755 index 0000000000..0b9bc316e9 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Flow Exporters (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Flow Exporters (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-31708a70-4957-4a8a-8065-5c88a344ad02", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json b/packages/netflow/1.4.2/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json new file mode 100755 index 0000000000..2b41a7db6e --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json 
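Review bot: The `Flow Exporter` bucket in this hunk splits on `agent.name`, which names the Elastic Agent that received the flows rather than the device that exported them, so on a deployment where one agent collects from many routers every byte lands in a single slice and the panel cannot attribute volume per exporter. The package already carries exporter-level fields (the `Version (bytes)` panel later in this change splits on `netflow.exporter.version`), so if this package maps `netflow.exporter.address` that is the field to use here: `"field":"netflow.exporter.address"` with the `customLabel` unchanged. If the collecting agent is genuinely what is meant, the label should say so (e.g. `"customLabel":"Collector"`) so the dashboard does not imply per-router attribution.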
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Destination Ports [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Destination Ports [Logs Netflow]\",\"type\":\"table\"}" + }, + "id": "netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json b/packages/netflow/1.4.2/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json new file mode 100755 index 0000000000..604a5b0405 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Source Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "id": "netflow-32e712ed-fa15-4db7-8575-8476e8d65b03", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json b/packages/netflow/1.4.2/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json new file mode 100755 index 0000000000..4c9486232a --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Ports (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Ports (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json b/packages/netflow/1.4.2/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json new file mode 100755 index 0000000000..e8bacff99f --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Version (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Version\",\"field\":\"netflow.exporter.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Version (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json b/packages/netflow/1.4.2/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json new file mode 100755 index 0000000000..f62f821bc6 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Ports (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json b/packages/netflow/1.4.2/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json new file mode 100755 index 0000000000..9a30c91d06 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Flow Exporters (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Flow Exporters (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-441c6c50-fa1a-489c-96c6-76f7925dea24", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json b/packages/netflow/1.4.2/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json new file mode 100755 index 0000000000..532a6d4d1f --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Egress Interfaces (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Egress Interface\",\"field\":\"netflow.egress_interface\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Egress Interfaces (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json b/packages/netflow/1.4.2/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json new file mode 100755 index 0000000000..2f7206eabc --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Flow Records [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timeline\",\"extended_bounds\":{},\"field\":\"event.end\",\"interval\":\"s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Version\",\"field\":\"netflow.exporter.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Flow Records\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Flow Records [Logs Netflow]\",\"type\":\"histogram\"}" + }, + 
"id": "netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json b/packages/netflow/1.4.2/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json new file mode 100755 index 0000000000..039347b2f6 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Cities [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Cities [Logs Netflow]\",\"type\":\"table\"}" + }, + "id": "netflow-5292a65b-c532-422a-9008-1251a8073a3a", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json b/packages/netflow/1.4.2/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json new file mode 100755 index 0000000000..f679b4abaa 
--- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json @@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Destinations [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Destinations [Logs Netflow]\",\"type\":\"table\"}" + }, + "id": "netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json b/packages/netflow/1.4.2/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json new file mode 100755 index 0000000000..e9fb888529 --- /dev/null 
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json @@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "TCP Flags (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TCP Flags\",\"field\":\"netflow.tcp_control_bits\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":255},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"TCP Flags (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json b/packages/netflow/1.4.2/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json new file mode 100755 index 0000000000..f4318fc5a2 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Countries and Cities (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Countries and Cities (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json b/packages/netflow/1.4.2/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json new file mode 100755 index 0000000000..234699f43a --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Countries (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.geo.country_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.country_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Countries (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json b/packages/netflow/1.4.2/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json new file mode 100755 index 0000000000..757b83c3f3 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "TCP Flags (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.tcp_control_bits:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.tcp_control_bits:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"TCP Flags (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-5d868836-c7b2-4812-bf47-4838aac281d9", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json b/packages/netflow/1.4.2/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json new file mode 100755 index 0000000000..cb7106478b --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Country Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Countries\",\"field\":\"destination.geo.country_name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Country Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "id": "netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json b/packages/netflow/1.4.2/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json new file mode 100755 index 0000000000..3eb1b5b6a0 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations and Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Destinations and Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json b/packages/netflow/1.4.2/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json new file mode 100755 index 0000000000..39e740819e --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destinations (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-681f0ce4-d828-4a99-b643-0c0715530050", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json b/packages/netflow/1.4.2/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json new file mode 100755 index 0000000000..2c0f33d4c4 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Sources (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Sources (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json b/packages/netflow/1.4.2/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json new file mode 100755 index 0000000000..d1827ba987 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Types of Service (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.ip_class_of_service:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ip_class_of_service:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Types of Service (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-717cd7c7-bfca-435d-8ee7-38259927aade", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json b/packages/netflow/1.4.2/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json new file mode 100755 index 0000000000..2ea0e2c11d --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Autonomous Systems (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json b/packages/netflow/1.4.2/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json new file mode 100755 index 0000000000..d1963d5620 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Cities (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.geo.city_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.city_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Cities (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-7d447b22-89dc-4f32-b549-4b8620af4d76", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json b/packages/netflow/1.4.2/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json new file mode 100755 index 0000000000..f9d200151c --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "VLANs (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"VLAN\",\"field\":\"netflow.vlan_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"VLANs (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json b/packages/netflow/1.4.2/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json new file mode 100755 index 0000000000..2483db9b37 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Egress Interfaces (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.egress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.egress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Egress Interfaces (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-85ebf558-402b-45d2-a186-e15f8673ec07", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json b/packages/netflow/1.4.2/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json new file mode 100755 index 0000000000..8128f6ad66 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json 
@@ -0,0 +1,15 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "TCP Flags (packets) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.tcp_control_bits:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.tcp_control_bits:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"TCP Flags (packets) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "id": "netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb",
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json b/packages/netflow/1.4.2/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json
new file mode 100755
index 0000000000..367aadf04a
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Countries (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Countries (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "id": "netflow-a14c3248-952d-42aa-bd7d-9b39157a776f",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json b/packages/netflow/1.4.2/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json
new file mode 100755
index 0000000000..c94d66bf80
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json
@@ -0,0 +1,15 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Types of Service (packets) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.ip_class_of_service:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ip_class_of_service:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Types of Service (packets) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "id": "netflow-a1704d46-15fc-41c2-851d-796ceb49877f",
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json b/packages/netflow/1.4.2/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json
new file mode 100755
index 0000000000..2c2e783cca
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json
@@ -0,0 +1,15 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "VLANs (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.vlan_id:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.vlan_id:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"VLANs (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "id": "netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d",
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json b/packages/netflow/1.4.2/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json
new file mode 100755
index 0000000000..600eb6d102
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Cities (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Cities (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "id": "netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json b/packages/netflow/1.4.2/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json
new file mode 100755
index 0000000000..138532d583
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json
@@ -0,0 +1,15 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Autonomous Systems (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "id": "netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb",
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json b/packages/netflow/1.4.2/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json
new file mode 100755
index 0000000000..e8b944aff7
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "IP Version and Protocols (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IP Version\",\"field\":\"network.type\",\"missingBucket\":true,\"missingBucketLabel\":\"unset ip version\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"sum\",\"format\":{\"id\":\"bytes\"},\"params\":{}}},\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"IP Version and Protocols (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json b/packages/netflow/1.4.2/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json
new file mode 100755
index 0000000000..c8ea4cc9fa
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Destinations and Sources (flow records) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Destinations and Sources (flow records) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json b/packages/netflow/1.4.2/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json
new file mode 100755
index 0000000000..3a0931608d
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Destination Port Count [Logs Netflow]",
+ "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Destination Port Count [Logs Netflow]\",\"type\":\"metric\"}"
+ },
+ "id": "netflow-af707b01-29f1-462b-b279-6d2e803f3645",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json b/packages/netflow/1.4.2/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json
new file mode 100755
index 0000000000..26c3a704cc
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Locality (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locality\",\"field\":\"flow.locality\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Locality (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "id": "netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json b/packages/netflow/1.4.2/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json
new file mode 100755
index 0000000000..6820b08333
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Direction (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Direction\",\"field\":\"network.direction\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Direction (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "id": "netflow-b677cd82-b33e-49b3-8b6e-0e110177b163",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json b/packages/netflow/1.4.2/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json
new file mode 100755
index 0000000000..8f51ff3b08
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Flow Records [Logs Netflow]",
+ "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Flow Records [Logs Netflow]\",\"type\":\"metric\"}"
+ },
+ "id": "netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json b/packages/netflow/1.4.2/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json
new file mode 100755
index 0000000000..f43311ac5f
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Destination and Source Ports (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Destination and Source Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "id": "netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json b/packages/netflow/1.4.2/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json
new file mode 100755
index 0000000000..4a1c38d701
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Top Flow Exporters [Logs Netflow]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Flow Exporters [Logs Netflow]\",\"type\":\"table\"}"
+ },
+ "id": "netflow-cccff92f-cb71-49a9-9caf-84867751d31e",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json b/packages/netflow/1.4.2/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json
new file mode 100755
index 0000000000..75afe86d89
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Destination Ports (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Destination Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "id": "netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json b/packages/netflow/1.4.2/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json
new file mode 100755
index 0000000000..e81d9fcfea
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json
@@ -0,0 +1,15 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Destination Autonomous Systems (packets) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "id": "netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df",
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json b/packages/netflow/1.4.2/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json
new file mode 100755
index 0000000000..283c3b72e6
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json
@@ -0,0 +1,15 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Ingress Interfaces (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.ingress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ingress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Ingress Interfaces (bytes) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "id": "netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600",
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json b/packages/netflow/1.4.2/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json
new file mode 100755
index 0000000000..fbc293dc8c
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json
@@ -0,0 +1,15 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Countries (packets) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.geo.country_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.country_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Countries (packets) [Logs Netflow]\",\"type\":\"timelion\"}"
+ },
+ "id": "netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0",
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json b/packages/netflow/1.4.2/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json
new file mode 100755
index 0000000000..357ec15753
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json
@@ -0,0 +1,15 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Dashboard Navigation [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Overview](#/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2) | [Conversation Partners](#/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32) | [Traffic Analysis](#/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8) | [Top-N](#/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c) | [Geo Location](#/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024) | [Autonomous Systems](#/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a) | [Flow Exporters](#/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425) | [Raw Flow Records](#/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365)\\n***\"},\"title\":\"Dashboard Navigation [Logs Netflow]\",\"type\":\"markdown\"}"
+ },
+ "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3",
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json b/packages/netflow/1.4.2/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json
new file mode 100755
index 0000000000..f9888b556e
--- /dev/null
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Autonomous System Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Autonomous Systems\",\"field\":\"destination.as.organization.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Autonomous System Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "id": "netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json b/packages/netflow/1.4.2/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json new file mode 100755 index 0000000000..dc64d535ab --- /dev/null 
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json @@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destinations (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-d59a031c-70d6-47d7-966d-7fcb805be9be", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json b/packages/netflow/1.4.2/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json new file mode 100755 index 0000000000..a47625da10 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Port Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Ports\",\"field\":\"source.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Source Port Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "id": "netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json b/packages/netflow/1.4.2/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json new file mode 100755 index 0000000000..b481841378 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations and Sources (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Destinations and Sources (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json b/packages/netflow/1.4.2/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json new file mode 100755 index 0000000000..988989c810 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Count [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"fontSize\":\"32\",\"handleNoResults\":true},\"title\":\"Destination Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "id": "netflow-e99dc327-03de-4561-9e0c-f550710125c2", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json b/packages/netflow/1.4.2/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json new file mode 100755 index 0000000000..f7e4a91883 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Source Ports [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Source Ports [Logs Netflow]\",\"type\":\"table\"}" + }, + "id": "netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json b/packages/netflow/1.4.2/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json new file mode 100755 index 0000000000..7e67198ced --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Conversation Partners [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Conversation Partners [Logs Netflow]\",\"type\":\"table\"}" + }, + "id": "netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json b/packages/netflow/1.4.2/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json new file mode 100755 index 0000000000..621f27c18c 
--- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json @@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "ToS Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Types of Service\",\"field\":\"netflow.ip_class_of_service\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"ToS Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "id": "netflow-f27c1479-0625-4cdc-92de-672e47db0f87", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-f4c8cb5a-7336-449e-ab99-6e867b435b85.json b/packages/netflow/1.4.2/kibana/visualization/netflow-f4c8cb5a-7336-449e-ab99-6e867b435b85.json new file mode 100755 index 0000000000..5d555b8534 --- /dev/null 
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-f4c8cb5a-7336-449e-ab99-6e867b435b85.json @@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Geo Location Heatmap [Logs Netflow]", + "uiStateJSON": "{\"mapCenter\":[8.407168163601076,9.4921875]}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"customLabel\":\"Location\",\"field\":\"destination.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":\"16\",\"heatMaxZoom\":16,\"heatMinOpacity\":\"0.32\",\"heatNormalizeData\":true,\"heatRadius\":\"24\",\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Destination Geo Location Heatmap [Logs Netflow]\",\"type\":\"tile_map\"}" + }, + "id": "netflow-f4c8cb5a-7336-449e-ab99-6e867b435b85", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json b/packages/netflow/1.4.2/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json new file mode 100755 index 0000000000..961c3eb2ac --- /dev/null 
+++ b/packages/netflow/1.4.2/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json @@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination and Source Ports (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Destination and Source Ports (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json b/packages/netflow/1.4.2/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json new file mode 100755 index 0000000000..86706c6854 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Ports (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json b/packages/netflow/1.4.2/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json new file mode 100755 index 0000000000..c8502370f0 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Autonomous Systems (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json b/packages/netflow/1.4.2/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json new file mode 100755 index 0000000000..d9e28e2c12 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Autonomous Systems (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Autonomous System\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json b/packages/netflow/1.4.2/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json new file mode 100755 index 0000000000..45fd4ac9f8 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json 
@@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination and Source ASs (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination AS\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source AS\",\"field\":\"source.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Destination and Source ASs (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "id": "netflow-f7808e70-df2a-4532-a350-966704567c24", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json b/packages/netflow/1.4.2/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json new file mode 100755 index 0000000000..770cb9521b --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json 
@@ -0,0 +1,15 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Egress Interfaces (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.egress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.egress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Egress Interfaces (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "id": "netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7", + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/1.4.2/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json b/packages/netflow/1.4.2/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json new file mode 100755 index 0000000000..a573b6ca49 --- /dev/null +++ b/packages/netflow/1.4.2/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json 
@@ -0,0 +1,21 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Sources (bytes) [Logs Netflow]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\"},\"title\":\"Sources (bytes) [Logs Netflow]\",\"type\":\"pie\"}"
+ },
+ "id": "netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/netflow/1.4.2/manifest.yml b/packages/netflow/1.4.2/manifest.yml
new file mode 100755
index 0000000000..a1adeef09b
--- /dev/null
+++ b/packages/netflow/1.4.2/manifest.yml
@@ -0,0 +1,23 @@
+format_version: 1.0.0
+name: netflow
+title: NetFlow Records
+version: 1.4.2
+license: basic
+description: Collect flow records from NetFlow and IPFIX exporters with Elastic Agent.
+type: integration
+categories:
+ - network
+ - security
+release: ga
+conditions:
+ kibana.version: ^7.14.0 || ^8.0.0
+policy_templates:
+ - name: netflow
+ title: NetFlow logs
+ description: Collect Netflow logs from networks via UDP
+ inputs:
+ - type: netflow
+ title: Collect NetFlow logs
+ description: Collecting NetFlow logs using the netflow input
+owner:
+ github: elastic/security-external-integrations
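Review bot: The policy template's `description: Collect Netflow logs from networks via UDP` line spells the product "Netflow" while the package title, the template title and the input title in this same manifest use "NetFlow"; these strings are user-facing in the Fleet UI, so `description: Collect NetFlow logs from networks via UDP` keeps the naming consistent. The package-level description advertises both NetFlow and IPFIX exporters, but the policy template and input descriptions mention only NetFlow; if the input does accept IPFIX (as the package description implies), the input description should say so, otherwise the package description overstates the scope.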
diff --git a/packages/netskope/0.1.2/changelog.yml b/packages/netskope/0.1.2/changelog.yml
new file mode 100755
index 0000000000..9ee3850eb1
--- /dev/null
+++ b/packages/netskope/0.1.2/changelog.yml
@@ -0,0 +1,16 @@
+# newer versions go on top
+- version: "0.1.2"
+ changes:
+ - description: Fix boolean conversion logic to accept "true", "false", "yes", and "no" as strings. Correct the type of `is_alert` and `is_web_universal_connector` to boolean.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3110
+- version: "0.1.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.1.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2638
diff --git a/packages/netskope/0.1.2/data_stream/alerts/agent/stream/tcp.yml.hbs b/packages/netskope/0.1.2/data_stream/alerts/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..bc587e50a3
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/alerts/agent/stream/tcp.yml.hbs
@@ -0,0 +1,18 @@
+host: "{{listen_address}}:{{listen_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/netskope/0.1.2/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/0.1.2/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..b9e9af61d8
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
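Review bot: The `- {{tag}}` entry inside the `{{#each tags as |tag i|}}` loop renders each user-supplied tag as a plain YAML scalar, so a tag that looks like a boolean (`yes`, `no`, `on`, `off`), a null (`~`) or a number would be retyped by the YAML parser rather than reaching the input as the string the user typed; `host` on the first line is already quoted, and the same treatment, `- "{{tag}}"`, would keep every tag a string. Whether the agent's config loader applies YAML 1.1 implicit typing to these values, and whether the template engine escapes quotes inside a tag, is not visible from this hunk, so this is a robustness nit rather than a confirmed defect. The `tags:` key is also emitted unconditionally, so with no tags configured and `preserve_original_event` unset it renders as a bare `tags:` (null) rather than an empty list; if the input rejects a null there, `tags: []` as the fallback would be the safer shape.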
@@ -0,0 +1,296 @@ +--- +description: Pipeline for Netskope alerts +processors: + - set: + field: ecs.version + value: '8.0.0' + - json: + field: message + add_to_root: true + add_to_root_conflict_strategy: replace + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: netskope.alerts.policy.actions + ignore_failure: true + - append: + field: related.ip + value: "{{{destination.ip}}}" + if: ctx?.destination?.ip != null + ignore_failure: true + - append: + field: related.ip + value: "{{{netskope.alerts.user.ip}}}" + if: ctx?.netskope?.alerts?.user?.ip != null + ignore_failure: true + - append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + ignore_failure: true + - append: + field: related.hosts + value: "{{{destination.domain}}}" + if: ctx?.destination?.domain != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hosts + value: "{{{destination.domain}}}" + if: ctx?.netskope?.alerts?.domain != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hosts + value: "{{{host.hostname}}}" + if: ctx?.host?.hostname != null + allow_duplicates: false + ignore_failure: true + - user_agent: + field: user_agent.original + ignore_failure: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + field: netskope.alerts.user.ip + target_field: netskope.alerts.user.geo + ignore_missing: true + - uri_parts: + field: netskope.alerts.url + target_field: netskope.alerts.url + keep_original: true + remove_if_successful: false + ignore_failure: true + - uri_parts: + field: netskope.alerts.web.url + target_field: netskope.alerts.web.url + keep_original: true + remove_if_successful: false + ignore_failure: true + - remove: + field: netskope.alerts.page.url + if: ctx?.netskope?.alerts?.page?.url == ' ' + - uri_parts: + field: 
netskope.alerts.page.url + target_field: netskope.alerts.page.url + keep_original: true + remove_if_successful: false + ignore_failure: true + - uri_parts: + field: netskope.alerts.login.url + target_field: netskope.alerts.login.url + keep_original: true + remove_if_successful: false + ignore_failure: true + - uri_parts: + field: netskope.alerts.referer + target_field: netskope.alerts.url + keep_original: true + remove_if_successful: false + ignore_failure: true + - set: + field: netskope.alerts.managed.app + value: true + if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.managed?.app?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.managed.app + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.managed?.app?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.is_alert + value: true + if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_alert?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.is_alert + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_alert?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.is_malicious + value: true + if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_malicious?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.is_malicious + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_malicious?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.aggregated.user + value: true + if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.aggregated?.user?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.aggregated.user + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.aggregated?.user?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.bypass.traffic + value: true + if: "['yes', 
'true'].contains(ctx?.netskope?.alerts?.bypass?.traffic?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.bypass.traffic + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.bypass?.traffic?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.is_user_generated + value: true + if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_user_generated?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.is_user_generated + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_user_generated?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.dlp.is_unique_count + value: true + if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.dlp?.is_unique_count?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.dlp.is_unique_count + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.dlp?.is_unique_count?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.is_file_passwd_protected + value: true + if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_file_passwd_protected?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.is_file_passwd_protected + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_file_passwd_protected?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.is_web_universal_connector + value: true + if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_web_universal_connector?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.is_web_universal_connector + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_web_universal_connector?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.acked + value: true + if: "['yes', 
'true'].contains(ctx?.netskope?.alerts?.acked?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.acked + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.acked?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.obfuscate + value: true + if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.obfuscate?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.obfuscate + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.obfuscate?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.ml_detection + value: true + if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.ml_detection?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.ml_detection + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.ml_detection?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.shared.is_shared + value: true + if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.shared?.is_shared?.toString()?.toLowerCase())" + ignore_failure: true + - set: + field: netskope.alerts.shared.is_shared + value: false + if: "['no', 'false'].contains(ctx?.netskope?.alerts?.shared?.is_shared?.toString()?.toLowerCase())" + ignore_failure: true + - lowercase: + ignore_failure: true + field: network.protocol + - script: + if: ctx?.file?.mime_type != null + lang: painless + source: >- + def parts = ctx.file.mime_type; + if (parts != null && parts.size() > 0) { + List l = new ArrayList(); + for (entry in parts.entrySet()) { + l.add(entry.getValue()); + } + List setList = new ArrayList(new HashSet(l)); + ctx.file.mime_type = setList; + } + - script: + if: ctx?.user?.email != null + lang: painless + source: >- + def parts = ctx.user.email; + if (parts != null && parts.size() > 0) { + List l = new ArrayList(); + for (entry in parts.entrySet()) { + l.add(entry.getValue()); + } 
+ List setList = new ArrayList(new HashSet(l));
+ ctx.user.email = setList;
+ }
+ - script:
+ if: ctx?.netskope?.alerts?.quarantine?.app != null
+ lang: painless
+ source: >-
+ def parts = ctx.netskope.alerts.quarantine.app;
+ if (parts != null && parts.size() > 0) {
+ List l = new ArrayList();
+ for (entry in parts.entrySet()) {
+ l.add(entry.getValue());
+ }
+ List setList = new ArrayList(new HashSet(l));
+ ctx.netskope.alerts.quarantine.app = setList;
+ }
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "" || object == "null") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/netskope/0.1.2/data_stream/alerts/fields/agent.yml b/packages/netskope/0.1.2/data_stream/alerts/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/alerts/fields/agent.yml
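Review bot: The third `related.hosts` append in the default.yml pipeline is gated on `ctx?.netskope?.alerts?.domain != null` but its value is `"{{{destination.domain}}}"`, so the Netskope domain never reaches `related.hosts` and the processor only re-appends (or, with `allow_duplicates: false`, skips) the destination domain; the value should be `"{{{netskope.alerts.domain}}}"`. The `uri_parts` processor for `netskope.alerts.referer` likewise has `target_field: netskope.alerts.url`, which overwrites the parts already parsed from `netskope.alerts.url` with the referer's parts, so it should target `netskope.alerts.referer` like the other URL fields. Worth a caveat as well: the opening `json` processor uses `add_to_root: true` with `add_to_root_conflict_strategy: replace`, so any top-level key in the message received over TCP (`tags`, `host`, `agent`, `ecs`) replaces what the agent set, and the final `remove` of `event.original` then trusts a `tags` array the sender may have supplied. If that is the intended trust model a comment on the `json` step saying so would help; otherwise parsing into a sub-object and copying out only the expected keys keeps agent-set fields authoritative. Less certain, since the exporter's schema is not visible here: the three de-duplication scripts call `parts.size()`/`parts.entrySet()` on `file.mime_type`, `user.email` and `quarantine.app` without `ignore_failure`, so a scalar value would throw and route the event to `on_failure`, skipping the `event.original` cleanup; `if: ctx?.file?.mime_type instanceof Map` would make the assumption explicit.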
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/netskope/0.1.2/data_stream/alerts/fields/base-fields.yml b/packages/netskope/0.1.2/data_stream/alerts/fields/base-fields.yml
new file mode 100755
index 0000000000..df7e82b799
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/alerts/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: netskope
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: netskope.alerts
diff --git a/packages/netskope/0.1.2/data_stream/alerts/fields/ecs.yml b/packages/netskope/0.1.2/data_stream/alerts/fields/ecs.yml
new file mode 100755
index 0000000000..e5cddd8524
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/alerts/fields/ecs.yml
@@ -0,0 +1,213 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: Port of the client. + name: client.port + type: long +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: |- + The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. + Examples: app engine, app service, cloud run, fargate, lambda. + name: cloud.service.name + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. 
+ name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: |- + Postal code associated with the location. + Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + name: destination.geo.postal_code + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: The time zone of the location, such as IANA time zone name. + name: destination.geo.timezone + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + name: file.mime_type + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: |- + Postal code associated with the location. 
+ Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + name: source.geo.postal_code + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: The time zone of the location, such as IANA time zone name. + name: source.geo.timezone + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Name of the group. + name: user.group.name + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Array of user roles at the time of the event. + name: user.roles + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword 
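Review bot: `destination.ip` and `source.ip` are each declared twice in ecs.yml, once next to the `.address` entry and again after the `.geo.*` block; both copies carry `type: ip` today, so the mapping comes out the same, but the duplicates will silently diverge the first time someone edits only one of them and may be rejected by field validation in the package tooling. Dropping the second `- description: IP address of the destination (IPv4 or IPv6).`/`name: destination.ip` and `source.ip` entries (the ones following the `geo.timezone` fields) leaves a single source of truth for each.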
diff --git a/packages/netskope/0.1.2/data_stream/alerts/fields/fields.yml b/packages/netskope/0.1.2/data_stream/alerts/fields/fields.yml
new file mode 100755
index 0000000000..33542d9154
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/alerts/fields/fields.yml
@@ -0,0 +1,1856 @@ +- name: netskope.alerts + type: group + fields: + - name: access_method + type: keyword + description: | + Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type such as PAN, Websense, etc. + - name: account + type: group + fields: + - name: id + type: keyword + description: | + Account ID (usually is account number as provided by the cloud provider). + - name: name + type: keyword + description: | + Account name - in case of AWS this is the instance name set by user. For others, account name is provided by cloud provider. + - name: acked + type: boolean + description: | + Whether user acknowledged the alert or not. + - name: acting + type: group + fields: + - name: role + type: keyword + description: | + N/A + - name: action + type: keyword + description: | + Action taken on the event for the policy. + - name: activities + type: array + description: | + N/A + - name: activity + type: group + fields: + - name: name + type: keyword + description: | + Description of the user performed activity. + - name: status + type: keyword + description: | + Displayed when the user is denied access while performing some activity. + - name: type + type: keyword + description: | + Displayed when only admins can perform the activity in question. 
+ - name: agg + type: group + fields: + - name: window + type: long + description: | + N/A + - name: aggregated + type: group + fields: + - name: user + type: boolean + description: | + N/A + - name: alert + type: group + fields: + - name: affected.entities + type: keyword + description: | + N/A + - name: category + type: keyword + description: | + N/A + - name: description + type: keyword + description: | + N/A + - name: detection.stage + type: keyword + description: | + N/A + - name: id + type: keyword + description: | + Hash of alert generated from code. + - name: name + type: keyword + description: | + Name of the alert. + - name: notes + type: keyword + description: | + N/A + - name: query + type: keyword + description: | + N/A + - name: score + type: long + description: | + N/A + - name: source + type: keyword + description: | + N/A + - name: status + type: keyword + description: | + N/A + - name: type + type: keyword + description: | + Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. + - name: window + type: long + description: | + N/A + - name: algorithm + type: keyword + description: | + N/A + - name: anomaly + type: group + fields: + - name: efficacy + type: keyword + description: | + Full anomaly details for debugging. + - name: fields + type: keyword + description: | + Name(s) and values(s) of the anomalous fields, usually there's going to be only one in the list. + - name: id + type: keyword + description: | + N/A + - name: magnitude + type: double + description: | + N/A + - name: type + type: keyword + description: | + Type of UBA alert. + - name: app + type: group + fields: + - name: suite + type: keyword + description: | + N/A + - name: app_name + type: keyword + description: | + N/A + - name: name + type: keyword + description: | + Specific cloud application used by the user (e.g. app = Dropbox). 
+ - name: activity + type: keyword + description: | + N/A + - name: category + type: keyword + description: | + N/A + - name: region + type: keyword + description: | + N/A + - name: session.id + type: keyword + description: | + Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. + - name: asn + type: long + description: | + N/A + - name: asset + type: group + fields: + - name: id + type: keyword + description: | + N/A + - name: object.id + type: keyword + description: | + N/A + - name: attachment + type: keyword + description: | + File name. + - name: audit + type: group + fields: + - name: category + type: keyword + description: | + The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. + - name: type + type: keyword + description: | + The sub category in audit according to SaaS / IaaS apps. + - name: bin + type: group + fields: + - name: timestamp + type: long + description: | + Applicable to only: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/Download/Delete) and Failed Login Anomaly type. Bin TimeStamp (is a window used that is used for certain types of anomalies - for breaking into several windows per day/hour). + - name: breach + type: group + fields: + - name: description + type: keyword + description: | + N/A + - name: date + type: double + description: | + Breach date for compromised credentials. + - name: id + type: keyword + description: | + Breach ID for compromised credentials. + - name: media_references + type: keyword + description: | + Media references of breach. + - name: score + type: long + description: | + Breach score for compromised credentials. 
+ - name: target_references + type: keyword + description: | + Breach target references for compromised credentials. + - name: browser + type: group + fields: + - name: session.id + type: keyword + description: | + Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. + - name: bucket + type: keyword + description: | + N/A + - name: bypass + type: group + fields: + - name: traffic + type: boolean + description: | + Tells if traffic is bypassed by Netskope. + - name: category + type: group + fields: + - name: name + type: keyword + description: | + N/A + - name: id + type: keyword + description: | + Matching category ID according to policy. Populated for both cloud and web traffic. + - name: cci + type: keyword + description: | + N/A + - name: ccl + type: keyword + description: | + Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. + - name: channel + type: keyword + description: | + Channel of the user for slack and slack enterprise apps. + - name: cloud + type: group + fields: + - name: provider + type: keyword + description: | + N/A + - name: compliance + type: group + fields: + - name: standards + type: keyword + description: | + N/A + - name: compute + type: group + fields: + - name: instance + type: keyword + description: | + N/A + - name: connection + type: group + fields: + - name: duration + type: long + description: | + Duration of the connection in milliseconds. Useful for querying long-lived sessions. + - name: endtime + type: long + description: | + Connection end time. + - name: id + type: keyword + description: | + Each connection has a unique ID. Shows the ID for the connection event. 
+ - name: starttime + type: long + description: | + Connection start time. + - name: created_at + type: keyword + description: | + N/A + - name: count + type: long + description: | + Number of raw log lines/events sessionized or suppressed during the suppressed interval. + - name: data + type: group + fields: + - name: type + type: keyword + description: | + Content type of upload/download. + - name: version + type: long + description: | + N/A + - name: description + type: keyword + description: | + N/A + - name: destination + type: group + fields: + - name: geoip_src + type: long + description: | + Source from where the location of Destination IP was derived. + - name: detected-file-type + type: keyword + description: | + N/A + - name: detection + type: group + fields: + - name: engine + type: keyword + description: | + Customer exposed detection engine name. + - name: type + type: keyword + description: | + Same as malware type. Duplicate. + - name: device + type: group + fields: + - name: classification + type: keyword + description: | + Designation of device as determined by the Netskope Client as to whether the device is managed or not. + - name: name + type: keyword + description: | + Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. + - name: dlp + type: group + fields: + - name: file + type: keyword + description: | + File/Object name extracted from the file/object. + - name: fingerprint.classification + type: keyword + description: | + Fingerprint classification. + - name: fingerprint.match + type: keyword + description: | + Fingerprint classification match file name. + - name: fingerprint.score + type: long + description: | + Fingerprint classification score. + - name: fv + type: long + description: | + N/A + - name: incident.id + type: keyword + description: | + Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. 
+ - name: is_unique_count
+ type: boolean
+ description: |
+ True or false depending upon if rule is unique counted per rule data.
+ - name: mail.parent.id
+ type: keyword
+ description: |
+ N/A
+ - name: parent.id
+ type: keyword
+ description: |
+ Incident ID associated with main container (or non-container) file that was scanned.
+ - name: profile
+ type: keyword
+ description: |
+ DLP profile name.
+ - name: rule.count
+ type: long
+ description: |
+ Count of rule hits.
+ - name: rule.score
+ type: long
+ description: |
+ DLP rule score for weighted dictionaries.
+ - name: rule.severity
+ type: keyword
+ description: |
+ Severity of rule.
+ - name: unique_count
+ type: long
+ description: |
+ Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted.
+ - name: rule.name
+ type: keyword
+ description: |
+ DLP rule that triggered.
+ - name: doc
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: |
+ N/A
+ - name: domain
+ type: keyword
+ description: |
+ Domain value. This will hold the host header value or SNI or extracted from absolute URI.
+ - name: domain_shared_with
+ type: keyword
+ description: |
+ N/A
+ - name: download
+ type: group
+ fields:
+ - name: app
+ type: keyword
+ description: |
+ Applicable to only data exfiltration. Download App (App in the download event).
+ - name: drive
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ N/A
+ - name: dynamic
+ type: group
+ fields:
+ - name: classification
+ type: keyword
+ description: |
+ URLs were categorized by NSURLC machine or not.
+ - name: elastic_key
+ type: keyword
+ description: |
+ N/A
+ - name: email
+ type: group
+ fields:
+ - name: source
+ type: keyword
+ description: |
+ N/A
+ - name: encrypt
+ type: group
+ fields:
+ - name: failure
+ type: keyword
+ description: |
+ Reason of failure while encrypting.
+ - name: encryption
+ type: group
+ fields:
+ - name: service.key
+ type: keyword
+ description: |
+ N/A
+ - name: enterprise
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ EnterpriseID in case of Slack for Enterprise.
+ - name: name
+ type: keyword
+ description: |
+ Enterprise name in case of Slack for Enterprise.
+ - name: entity
+ type: group
+ fields:
+ - name: list
+ type: array
+ description: |
+ N/A
+ - name: type
+ type: keyword
+ description: |
+ N/A
+ - name: value
+ type: keyword
+ description: |
+ N/A
+ - name: event_source_channel
+ type: keyword
+ description: |
+ N/A
+ - name: event
+ type: group
+ fields:
+ - name: detail
+ type: keyword
+ description: |
+ N/A
+ - name: id
+ type: keyword
+ description: |
+ N/A
+ - name: type
+ type: keyword
+ description: |
+ Anomaly type.
+ - name: exposure
+ type: keyword
+ description: |
+ Exposure of a document.
+ - name: external
+ type: group
+ fields:
+ - name: collaborator.count
+ type: long
+ description: |
+ Count of external collaborators on a file/folder. Supported for some apps.
+ - name: email
+ type: long
+ description: |
+ N/A
+ - name: feature
+ type: group
+ fields:
+ - name: description
+ type: keyword
+ description: |
+ N/A
+ - name: id
+ type: keyword
+ description: |
+ N/A
+ - name: name
+ type: keyword
+ description: |
+ N/A
+ - name: file
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ N/A
+ - name: id
+ type: keyword
+ description: |
+ Unique identifier of the file.
+ - name: lang
+ type: keyword
+ description: |
+ Language of the file.
+ - name: password.protected
+ type: keyword
+ description: |
+ N/A
+ - name: path.orignal
+ type: keyword
+ description: |
+ If the file is moved, then keep original path of the file in this field.
+ - name: size
+ type: long
+ description: |
+ Size of the file in bytes.
+ - name: type
+ type: keyword
+ description: |
+ File type.
+ - name: flow_status
+ type: keyword
+ description: |
+ N/A
+ - name: from
+ type: group
+ fields:
+ - name: logs
+ type: keyword
+ description: |
+ Shows if the event was generated from the Risk Insights log.
+ - name: object
+ type: keyword
+ description: |
+ Initial name of an object that has been renamed, copied or moved.
+ - name: storage
+ type: keyword
+ description: |
+ N/A
+ - name: user_category
+ type: keyword
+ description: |
+ Type of from_user.
+ - name: gateway
+ type: keyword
+ description: |
+ N/A
+ - name: graph
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ N/A
+ - name: http_status
+ type: keyword
+ description: |
+ N/A
+ - name: http_transaction_count
+ type: long
+ description: |
+ HTTP transaction count.
+ - name: iaas
+ type: group
+ fields:
+ - name: asset.tags
+ type: keyword
+ description: |
+ List of tags associated with the asset for which alert is raised. Each tag is a key/value pair.
+ - name: remediated
+ type: keyword
+ description: |
+ N/A
+ - name: iam
+ type: group
+ fields:
+ - name: session
+ type: keyword
+ description: |
+ N/A
+ - name: id
+ type: keyword
+ description: |
+ N/A
+ - name: insertion_epoch_timestamp
+ type: long
+ description: |
+ Insertion timestamp.
+ - name: instance_name
+ type: keyword
+ description: |
+ Instance associated with an organization application instance.
+ - name: instance
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Unique ID associated with an organization application instance.
+ - name: name
+ type: keyword
+ description: |
+ Instance name associated with an organization application instance.
+ - name: type
+ type: keyword
+ description: |
+ Instance type.
+ - name: internal
+ type: group
+ fields:
+ - name: collaborator.count
+ type: long
+ description: |
+ Count of internal collaborators on a file/folder. Supported for some apps.
+ - name: ip
+ type: group
+ fields:
+ - name: protocol
+ type: keyword
+ description: |
+ N/A
+ - name: ipblock
+ type: keyword
+ description: |
+ IPblock that caused the alert.
+ - name: is_alert
+ type: boolean
+ description: |
+ Indicates whether alert is generated or not. Populated as yes for all alerts.
+ - name: is_file_passwd_protected
+ type: boolean
+ description: |
+ Tells if the file is password protected.
+ - name: is_malicious
+ type: boolean
+ description: |
+ Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert.
+ - name: is_two_factor_auth
+ type: keyword
+ description: |
+ N/A
+ - name: is_universal_connector
+ type: keyword
+ description: |
+ N/A
+ - name: is_user_generated
+ type: boolean
+ description: |
+ Tells whether it is user generated page event.
+ - name: is_web_universal_connector
+ type: boolean
+ description: |
+ N/A
+ - name: isp
+ type: keyword
+ description: |
+ N/A
+ - name: item
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ N/A
+ - name: justification
+ type: group
+ fields:
+ - name: reason
+ type: keyword
+ description: |
+ Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box.
+ - name: type
+ type: keyword
+ description: |
+ Type of justification provided by user when user bypasses the policy block.
+ - name: last
+ type: group
+ fields:
+ - name: app
+ type: keyword
+ description: |
+ Last application (app in the first/older event). Applies to only proximity anomaly alert.
+ - name: coordinates
+ type: keyword
+ description: |
+ Last location coordinates(latitude, longitude). Applies to only proximity alert.
+ - name: country
+ type: keyword
+ description: |
+ Last location (Country).
Applies to only proximity anomaly alert.
+ - name: device
+ type: keyword
+ description: |
+ Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert.
+ - name: location
+ type: keyword
+ description: |
+ Last location (City). Applies to only proximity anomaly alert.
+ - name: modified_timestamp
+ type: long
+ description: |
+ Timestamp when alert is acknowledged.
+ - name: region
+ type: keyword
+ description: |
+ Applies to only proximity anomaly alert.
+ - name: timestamp
+ type: long
+ description: |
+ Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert.
+ - name: latency
+ type: group
+ fields:
+ - name: max
+ type: long
+ description: |
+ Max latency for a connection in milliseconds.
+ - name: min
+ type: long
+ description: |
+ Min latency for a connection in milliseconds.
+ - name: total
+ type: long
+ description: |
+ Total latency from proxy to app in milliseconds.
+ - name: legal_hold
+ type: group
+ fields:
+ - name: custodian_name
+ type: keyword
+ description: |
+ Custodian name of legal hold profile.
+ - name: destination.app
+ type: keyword
+ description: |
+ Destination appname of legalhold action.
+ - name: destination.instance
+ type: keyword
+ description: |
+ Destination instance of legal hold action.
+ - name: file.id
+ type: keyword
+ description: |
+ File ID of legal hold file.
+ - name: file.name
+ type: keyword
+ description: |
+ File name of legal hold file.
+ - name: file.name_original
+ type: keyword
+ description: |
+ Original filename of legal hold file.
+ - name: file.path
+ type: keyword
+ description: |
+ File path of legal hold file.
+ - name: profile_name
+ type: keyword
+ description: |
+ Legal hold profile name.
+ - name: shared
+ type: keyword
+ description: |
+ Shared type of legal hold file.
+ - name: shared_with
+ type: keyword
+ description: |
+ User shared with the legal hold file.
+ - name: version
+ type: keyword
+ description: |
+ File version of original file.
+ - name: list
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ N/A
+ - name: local
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: |
+ md5 hash of file generated by Malware engine.
+ - name: sha1
+ type: keyword
+ description: |
+ sha1 hash of file generated by Malware engine.
+ - name: sha256
+ type: keyword
+ description: |
+ sha256 hash of file generated by Malware engine.
+ - name: log
+ type: group
+ fields:
+ - name: file.name
+ type: keyword
+ description: |
+ Log file name for Risk Insights.
+ - name: login
+ type: group
+ fields:
+ - name: type
+ type: keyword
+ description: |
+ Salesforce login type.
+ - name: url
+ type: flattened
+ description: |
+ Salesforce login URL.
+ - name: malsite
+ type: group
+ fields:
+ - name: active
+ type: long
+ description: |
+ Since how many days malsite is Active.
+ - name: as.number
+ type: keyword
+ description: |
+ Malsite ASN Number.
+ - name: category
+ type: keyword
+ description: |
+ Category of malsite [ Phishing / Botnet / Malicous URL, etc. ].
+ - name: city
+ type: keyword
+ description: |
+ Malsite city.
+ - name: confidence
+ type: long
+ description: |
+ Malsite confidence score.
+ - name: consecutive
+ type: long
+ description: |
+ How many times that malsite is seen.
+ - name: country
+ type: keyword
+ description: |
+ Malsite country.
+ - name: dns.server
+ type: keyword
+ description: |
+ DNS server of the malsite URL/Domain/IP.
+ - name: first_seen
+ type: long
+ description: |
+ Malsite first seen timestamp.
+ - name: hostility
+ type: long
+ description: |
+ Malsite hostility score.
+ - name: id
+ type: keyword
+ description: |
+ Malicious Site ID - Hash of threat match value.
+ - name: ip_host
+ type: keyword
+ description: |
+ Malsite IP.
+ - name: isp
+ type: keyword
+ description: |
+ Malsite ISP info.
+ - name: last.seen
+ type: long
+ description: |
+ Malsite last seen timestamp.
+ - name: latitude
+ type: double
+ description: |
+ Latitude plot of the Malsite URL/IP/Domain.
+ - name: longitude
+ type: double
+ description: |
+ Longitude plot of the Malsite URL/IP/Domain.
+ - name: region
+ type: keyword
+ description: |
+ Region of the malsite URL/IP/Domain.
+ - name: reputation
+ type: double
+ description: |
+ Reputation score of Malsite IP/Domain/URL.
+ - name: malware
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ md5 hash of the malware name as provided by the scan engine.
+ - name: name
+ type: keyword
+ description: |
+ Netskope detection name.
+ - name: profile
+ type: keyword
+ description: |
+ tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure.
+ - name: severity
+ type: keyword
+ description: |
+ Malware severity.
+ - name: type
+ type: keyword
+ description: |
+ Malware Type.
+ - name: managed
+ type: group
+ fields:
+ - name: app
+ type: boolean
+ description: |
+ Whether or not the app in question is managed.
+ - name: management
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Management ID.
+ - name: matched
+ type: group
+ fields:
+ - name: username
+ type: keyword
+ description: |
+ N/A
+ - name: matrix
+ type: group
+ fields:
+ - name: columns
+ type: keyword
+ description: |
+ N/A
+ - name: rows
+ type: keyword
+ description: |
+ N/A
+ - name: md5
+ type: keyword
+ description: |
+ md5 of the file.
+ - name: md5_list
+ type: keyword
+ description: |
+ List of md5 hashes specific to the files that are part of custom sequence policy alert.
+ - name: mime
+ type: group
+ fields:
+ - name: type
+ type: keyword
+ description: |
+ MIME type of the file.
+ - name: ml_detection + type: boolean + description: | + N/A + - name: modified + type: group + fields: + - name: timestamp + type: long + description: | + Timestamp corresponding to the modification time of the entity (file, etc.). + - name: date + type: long + description: | + N/A + - name: netskope_pop + type: keyword + description: | + N/A + - name: network + type: group + fields: + - name: name + type: keyword + description: | + N/A + - name: security.group + type: array + description: | + N/A + - name: new + type: group + fields: + - name: value + type: keyword + description: | + New value for a given file for salesforce.com. + - name: nonzero + type: group + fields: + - name: entries + type: long + description: | + N/A + - name: percentage + type: double + description: | + N/A + - name: notify + type: group + fields: + - name: template + type: keyword + description: | + N/A + - name: ns_activity + type: keyword + description: | + Maps app activity to Netskope standard activity. + - name: ns_device_uid + type: keyword + description: | + Device identifiers on macOS and Windows. + - name: numbytes + type: long + description: | + Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. + - name: obfuscate + type: boolean + description: | + N/A + - name: object + type: group + fields: + - name: count + type: long + description: | + Displayed when the activity is Delete. Shows the number of objects being deleted. + - name: id + type: keyword + description: | + Unique ID associated with an object. + - name: name + type: keyword + description: | + Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. + - name: type + type: keyword + description: | + Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. 
+ - name: old
+ type: group
+ fields:
+ - name: value
+ type: keyword
+ description: |
+ Old value for a given file for salesforce.com.
+ - name: org
+ type: keyword
+ description: |
+ Search for events from a specific organization. Organization name is derived from the user ID.
+ - name: organization
+ type: group
+ fields:
+ - name: unit
+ type: keyword
+ description: |
+ Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application.
+ - name: orig_ty
+ type: keyword
+ description: |
+ Event Type of original event.
+ - name: original
+ type: group
+ fields:
+ - name: file_path
+ type: keyword
+ description: |
+ If the file is moved, then keep original path of the file in this field.
+ - name: os_version_hostname
+ type: keyword
+ description: |
+ Host and OS Version that caused the alert. Concatenation of 2 fields (hostname and os).
+ - name: other
+ type: group
+ fields:
+ - name: categories
+ type: keyword
+ description: |
+ N/A
+ - name: owner
+ type: keyword
+ description: |
+ Owner of the file.
+ - name: page
+ type: group
+ fields:
+ - name: url
+ type: flattened
+ description: |
+ The URL of the originating page.
+ - name: site
+ type: keyword
+ description: |
+ N/A
+ - name: parameters
+ type: keyword
+ description: |
+ N/A
+ - name: parent
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ N/A
+ - name: path
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ N/A
+ - name: policy
+ type: group
+ fields:
+ - name: actions
+ type: keyword
+ description: |
+ N/A
+ - name: id
+ type: keyword
+ description: |
+ The Netskope internal ID for the policy created by an admin.
+ - name: name
+ type: keyword
+ description: |
+ Predefined or Custom policy name.
+ - name: pretty
+ type: group
+ fields:
+ - name: sourcetype
+ type: keyword
+ description: |
+ N/A
+ - name: processing
+ type: group
+ fields:
+ - name: time
+ type: long
+ description: |
+ N/A
+ - name: profile
+ type: group
+ fields:
+ - name: emails
+ type: keyword
+ description: |
+ List of profile emails per policy.
+ - name: id
+ type: keyword
+ description: |
+ Anomaly profile ID.
+ - name: quarantine
+ type: group
+ fields:
+ - name: action.reason
+ type: keyword
+ description: |
+ Reason for the action taken for quarantine.
+ - name: admin
+ type: keyword
+ description: |
+ Quarantine profile custodian email/name.
+ - name: app
+ type: keyword
+ description: |
+ Quarantine app name.
+ - name: failure
+ type: keyword
+ description: |
+ Reason of failure.
+ - name: file.id
+ type: keyword
+ description: |
+ File ID of the quarantined file.
+ - name: file.name
+ type: keyword
+ description: |
+ File name of the quarantine file.
+ - name: instance
+ type: keyword
+ description: |
+ Quarantine instance name.
+ - name: original.file.name
+ type: keyword
+ description: |
+ Original file name which got quarantined.
+ - name: original.file.path
+ type: keyword
+ description: |
+ Original file path which got quarantined.
+ - name: original.shared
+ type: keyword
+ description: |
+ Original file shared user details.
+ - name: original.version
+ type: keyword
+ description: |
+ Original version of file which got quarantined.
+ - name: profile
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ Quarantine profile name of policy for quarantine action.
+ - name: id
+ type: keyword
+ description: |
+ Quarantine profile ID.
+ - name: shared.with
+ type: keyword
+ description: |
+ N/A
+ - name: referer
+ type: keyword
+ description: |
+ Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic.
+ - name: region
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Region ID (as provided by the cloud provider).
+ - name: name
+ type: keyword
+ description: |
+ N/A
+ - name: reladb
+ type: keyword
+ description: |
+ N/A
+ - name: repo
+ type: keyword
+ description: |
+ N/A
+ - name: request
+ type: group
+ fields:
+ - name: cnt
+ type: long
+ description: |
+ Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection.
+ - name: id
+ type: keyword
+ description: |
+ Unique request ID for the event.
+ - name: resource
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: |
+ Category of resource as defined in DOM.
+ - name: group
+ type: keyword
+ description: |
+ N/A
+ - name: resources
+ type: keyword
+ description: |
+ N/A
+ - name: response
+ type: group
+ fields:
+ - name: cnt
+ type: long
+ description: |
+ Total number of HTTP responses (equal to number of transaction events for this page event) from server to client.
+ - name: content.length
+ type: long
+ description: |
+ N/A
+ - name: content.type
+ type: keyword
+ description: |
+ N/A
+ - name: retro
+ type: group
+ fields:
+ - name: scan.name
+ type: keyword
+ description: |
+ Retro scan name.
+ - name: risk_level
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ This field is set by both role-based access (RBA) and MLAD.
+ - name: tag
+ type: keyword
+ description: |
+ Corresponding field to risk_level_id. Name.
+ - name: role
+ type: keyword
+ description: |
+ Roles for Box.
+ - name: rule
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ N/A
+ - name: sa
+ type: group
+ fields:
+ - name: rule.id
+ type: keyword
+ description: |
+ CSA rule ID.
+ - name: rule.name
+ type: keyword
+ description: |
+ CSA rule name.
+ - name: profile.id
+ type: keyword
+ description: |
+ CSA profile ID.
+ - name: profile.name
+ type: keyword
+ description: |
+ CSA profile name.
+ - name: rule.remediation
+ type: keyword
+ description: |
+ N/A
+ - name: rule.severity
+ type: keyword
+ description: |
+ Rule severity.
+ - name: scan
+ type: group
+ fields:
+ - name: time
+ type: long
+ description: |
+ Time when the scan is done.
+ - name: type
+ type: keyword
+ description: |
+ Generated during retroactive scan or new ongoing activity.
+ - name: scopes
+ type: keyword
+ description: |
+ List of permissions for google apps.
+ - name: serial
+ type: keyword
+ description: |
+ N/A
+ - name: server
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ description: |
+ Total number of downloaded from server to client.
+ - name: session
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Populated by Risk Insights.
+ - name: severity
+ type: group
+ fields:
+ - name: level
+ type: keyword
+ description: |
+ Severity used by watchlist and malware alerts.
+ - name: id
+ type: keyword
+ description: |
+ Severity ID used by watchlist and malware alerts.
+ - name: malsite
+ type: group
+ fields:
+ - name: severity.level
+ type: keyword
+ description: |
+ Severity level of the Malsite ( High / Med / Low).
+ - name: severity
+ type: group
+ fields:
+ - name: level_id
+ type: long
+ description: |
+ If the Severity Level ID is 1, it means that URL / IP /Domain is detected from Internal threat feed and if Severity Level ID is 2, then it means the detection happened based on the Zvelo DB Malsite Category.
+ - name: sfwder
+ type: keyword
+ description: |
+ N/A
+ - name: shared_type
+ type: keyword
+ description: |
+ N/A
+ - name: shared
+ type: group
+ fields:
+ - name: credential.user
+ type: keyword
+ description: |
+ Applicable to only shared credentials. User with whom the credentials are shared with.
+ - name: domains
+ type: keyword
+ description: |
+ List of domains of users the document is shared with.
+ - name: is_shared + type: boolean + description: | + If the file is shared or not. + - name: type + type: keyword + description: | + Shared Type. + - name: with + type: keyword + description: | + Array of emails with whom a document is shared with. + - name: site + type: keyword + description: | + For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". + - name: source + type: group + fields: + - name: geoip_src + type: long + description: | + Source from where the location of Source IP was derived. + - name: srcip2 + type: keyword + description: | + N/A + - name: ssl + type: group + fields: + - name: decrypt.policy + type: keyword + description: | + Applicable to only bypass events. There are 2 ways to create rules for bypass: + Bypass due to Exception Configuration + Bypass due to SSL Decrypt Policy + The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. + - name: start_time + type: long + description: | + Start time for alert time period. + - name: statistics + type: long + description: | + This field & summary field go together. This field will either tell count or size of files. File size is in bytes. + - name: storage_service_bucket + type: keyword + description: | + N/A + - name: sub + type: group + fields: + - name: type + type: keyword + description: | + Workplace by Facebook post sub category (files, comments, status etc). + - name: summary + type: keyword + description: | + Tells whether anomaly was measured from count or size of files. 
+ - name: suppression
+ type: group
+ fields:
+ - name: end.time
+ type: long
+ description: |
+ When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence.
+ - name: key
+ type: keyword
+ description: |
+ To limit the number of events. Example: Suppress block event for browse.
+ - name: start.time
+ type: long
+ description: |
+ When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence.
+ - name: target
+ type: group
+ fields:
+ - name: entity.key
+ type: keyword
+ description: |
+ N/A
+ - name: entity.type
+ type: keyword
+ description: |
+ N/A
+ - name: entity.value
+ type: keyword
+ description: |
+ N/A
+ - name: team
+ type: keyword
+ description: |
+ Slack team name.
+ - name: telemetry
+ type: group
+ fields:
+ - name: app
+ type: keyword
+ description: |
+ Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field.
+ - name: temp
+ type: group
+ fields:
+ - name: user
+ type: keyword
+ description: |
+ N/A
+ - name: tenant
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Tenant id.
+ - name: threat
+ type: group
+ fields:
+ - name: match.value
+ type: keyword
+ description: |
+ N/A
+ - name: match.field
+ type: keyword
+ description: |
+ Threat match field, either from domain or URL or IP.
+ - name: source.id
+ type: keyword
+ description: |
+ Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb.
+ - name: threshold
+ type: group
+ fields:
+ - name: time
+ type: long
+ description: |
+ Applicable to: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. Threshold Time.
+ - name: value
+ type: long
+ description: |
+ Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type.
+ - name: title
+ type: keyword
+ description: |
+ Title of the file.
+ - name: to
+ type: group
+ fields:
+ - name: object
+ type: keyword
+ description: |
+ Changed name of an object that has been renamed, copied, or moved.
+ - name: storage
+ type: keyword
+ description: |
+ N/A
+ - name: user
+ type: keyword
+ description: |
+ Used when a file is moved from user A to user B. Shows the email address of user B.
+ - name: user_category
+ type: keyword
+ description: |
+ Type of user to which move is done.
+ - name: total
+ type: group
+ fields:
+ - name: collaborator.count
+ type: long
+ description: |
+ Count of collaborators on a file/folder. Supported for some apps.
+ - name: traffic
+ type: group
+ fields:
+ - name: type
+ type: keyword
+ description: |
+ Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights.
+ - name: transaction
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Unique ID for a given request/response.
+ - name: transformation
+ type: keyword
+ description: |
+ N/A
+ - name: tss
+ type: group
+ fields:
+ - name: mode
+ type: keyword
+ description: |
+ Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection.
+ - name: version
+ type: long
+ description: |
+ N/A
+ - name: tunnel
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Shows the Client installation ID.
Only available for the Client steering configuration.
+ - name: type
+ type: keyword
+ description: |
+ Type of the alert.
+ - name: updated
+ type: long
+ description: |
+ N/A
+ - name: url
+ type: flattened
+ description: |
+ URL of the application that the user visited as provided by the log or data plane traffic.
+ - name: Url2Activity
+ type: keyword
+ description: |
+ Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only.
+ - name: user
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: |
+ Type of user in an enterprise - external / internal.
+ - name: group
+ type: keyword
+ description: |
+ N/A
+ - name: ip
+ type: keyword
+ description: |
+ IP address of User.
+ - name: geo
+ type: group
+ fields:
+ - name: city_name
+ type: keyword
+ description: |
+ City name.
+ - name: continent_name
+ type: keyword
+ description: |
+ Name of the continent.
+ - name: country_iso_code
+ type: keyword
+ description: |
+ Country ISO code.
+ - name: country_name
+ type: keyword
+ description: |
+ Country name.
+ - name: location
+ type: geo_point
+ description: |
+ Longitude and latitude.
+ - name: region_iso_code
+ type: keyword
+ description: |
+ Region ISO code.
+ - name: region_name
+ type: keyword
+ description: |
+ Region name.
+ - name: value
+ type: double
+ description: |
+ N/A
+ - name: violating_user
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ User who caused a violation. Populated for Workplace by Facebook.
+ - name: type
+ type: keyword
+ description: |
+ Category of the user who caused a violation. Populated for Workplace by Facebook.
+ - name: web
+ type: group
+ fields:
+ - name: url
+ type: flattened
+ description: |
+ File preview URL.
+ - name: workspace
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Workspace ID in case of Slack for Enterprise.
+ - name: name
+ type: keyword
+ description: |
+ Workspace name in case of Slack for Enterprise.
+ - name: zip
+ type: group
+ fields:
+ - name: password
+ type: keyword
+ description: |
+ Zip the malicious file and put pwd to it and send it back to caller.
+ - name: scanner_result
+ type: keyword
+ description: |
+ N/A
+ - name: slc_latitude
+ type: keyword
+ description: |
+ N/A
+ - name: slc_longitude
+ type: keyword
+ description: |
+ N/A
+ - name: source
+ type: group
+ fields:
+ - name: time
+ type: keyword
+ description: |
+ N/A
+ - name: uba_ap1
+ type: keyword
+ description: |
+ N/A
+ - name: uba_ap2
+ type: keyword
+ description: |
+ N/A
+ - name: uba_inst1
+ type: keyword
+ description: |
+ N/A
+ - name: uba_inst2
+ type: keyword
+ description: |-
+ N/A
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/netskope/0.1.2/data_stream/alerts/manifest.yml b/packages/netskope/0.1.2/data_stream/alerts/manifest.yml
new file mode 100755
index 0000000000..73acd6e99c
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/alerts/manifest.yml
@@ -0,0 +1,41 @@
+title: Alerts
+type: logs
+streams:
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: Netskope Alerts
+ description: Collect Netskope Alerts using tcp input
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9020
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - netskope-alerts
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/netskope/0.1.2/data_stream/alerts/sample_event.json b/packages/netskope/0.1.2/data_stream/alerts/sample_event.json
new file mode 100755
index 0000000000..e287ed230b
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/alerts/sample_event.json
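Review bot: The tcp stream's `vars` list exposes only `listen_port`, so neither the bind address nor transport security of the listener can be set from the policy; unless tcp.yml.hbs (not shown here) hard-codes them, the default will be whatever the input picks, and Netskope alerts — which carry user emails, file paths and hashes — arrive over an unauthenticated cleartext socket. A `listen_address` variable defaulting to `localhost` and an `ssl` variable of `type: yaml` next to `listen_port` would let operators restrict the listener to the forwarder's interface and require TLS, matching what other tcp-based streams in this repository offer. The `tags` variable is also the only one without a `description:`; a one-liner such as `description: Tags added to every event collected by this stream.` would keep it consistent with its siblings.
```yaml
      - name: listen_address
        type: text
        title: Listen Address
        description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
        multi: false
        required: true
        show_user: true
        default: localhost
      # … unchanged: listen_port, tags, preserve_original_event, processors …
```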
@@ -0,0 +1,182 @@ +{ + "@timestamp": "2021-12-23T16:27:09.000Z", + "agent": { + "ephemeral_id": "f6ea30bb-70ab-4ae9-b338-b103657dd749", + "id": "52d90929-98ee-4480-9b14-fe07637d0bbe", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.0" + }, + "data_stream": { + "dataset": "netskope.alerts", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.143", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "52d90929-98ee-4480-9b14-fe07637d0bbe", + "snapshot": true, + "version": "8.3.0" + }, + "event": { + "agent_id_status": "verified", + "id": "f621f259f5fbde850ad5593a", + "ingested": "2022-04-14T11:24:23Z", + "original": "{\"event\":{\"id\":\"f621f259f5fbde850ad5593a\"},\"netskope\":{\"alerts\":{\"insertion_epoch_timestamp\":1640277131,\"access_method\":\"API Connector\",\"acked\":\"false\",\"action\":\"block\",\"activity\":{\"name\":\"Login Successful\"},\"is_alert\":\"yes\",\"alert\":{\"name\":\"policy-alert\",\"type\":\"nspolicy\"},\"app\":{\"name\":\"SomeApp\",\"category\":\"Cloud Storage\"},\"category\":{\"name\":\"Cloud Storage\"},\"cci\":\"81\",\"ccl\":\"high\",\"count\":1,\"device\":{\"name\":\"Other\"},\"destination\":{\"geoip_src\":2},\"exposure\":\"organization_wide_link\",\"file\":{\"lang\":\"ENGLISH\"},\"instance\":{\"name\":\"example.com\",\"id\":\"example.com\"},\"modified\":{\"timestamp\":1613760236},\"object\":{\"name\":\"HjBuUvDLWgpudzQr\",\"id\":\"GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg\",\"type\":\"File\"},\"organization\":{\"unit\":\"example.local\\\\\\\\/example\\\\\\\\/Active Users\"},\"other\":{\"categories\":\"null\"},\"owner\":\"foobar\",\"policy\":{\"name\":\"Some 
Policy\"},\"request\":{\"id\":\"9262245914980288500\"},\"scan\":{\"type\":\"Ongoing\"},\"shared\":{\"with\":\"none\"},\"site\":\"Example\",\"source\":{\"geoip_src\":2},\"suppression\":{\"key\":\"Tenant Migration across MPs\"},\"traffic\":{\"type\":\"CloudApp\"},\"type\":\"policy\",\"url\":\"http:\\\\\\\\/\\\\\\\\/www.example.com\\\\\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg\"}},\"user_agent\":{\"name\":\"unknown\",\"os\":{\"name\":\"unknown\"}},\"destination\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"file\":{\"path\":\"\\\\\\\\/My Drive\\\\\\\\/Clickhouse\\\\\\\\/Tenant Migration across MPs\",\"size\":196869,\"mime_type\":{\"1\":\"application\\\\\\\\/vnd.apps.document\",\"2\":\"application\\\\\\\\/vnd.apps.document\"},\"hash\":{\"md5\":\"4bb5d9501bf7685ecaed55e3eda9ca01\"}},\"source\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"@timestamp\":\"2021-12-23T16:27:09.000Z\",\"user\":{\"email\":{\"1\":\"test@example.com\",\"2\":\"test@example.com\",\"3\":\"test@example.com\"},\"group\":{\"name\":\"null\"}}}" + }, + "file": { + "hash": { + "md5": "4bb5d9501bf7685ecaed55e3eda9ca01" + }, + "mime_type": [ + "application\\\\/vnd.apps.document" + ], + "path": "\\\\/My Drive\\\\/Clickhouse\\\\/Tenant Migration across MPs", + "size": 196869 + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "192.168.224.1:57542" + } + }, + "netskope": { + "alerts": { + "access_method": "API Connector", + "acked": false, + "action": "block", + "activity": { + "name": "Login Successful" + }, + "alert": { + "name": "policy-alert", + "type": "nspolicy" + }, + "app": { + "category": "Cloud Storage", 
+ "name": "SomeApp" + }, + "category": { + "name": "Cloud Storage" + }, + "cci": "81", + "ccl": "high", + "count": 1, + "destination": { + "geoip_src": 2 + }, + "device": { + "name": "Other" + }, + "exposure": "organization_wide_link", + "file": { + "lang": "ENGLISH" + }, + "insertion_epoch_timestamp": 1640277131, + "instance": { + "id": "example.com", + "name": "example.com" + }, + "is_alert": true, + "modified": { + "timestamp": 1613760236 + }, + "object": { + "id": "GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg", + "name": "HjBuUvDLWgpudzQr", + "type": "File" + }, + "organization": { + "unit": "example.local\\\\/example\\\\/Active Users" + }, + "owner": "foobar", + "policy": { + "name": "Some Policy" + }, + "request": { + "id": "9262245914980288500" + }, + "scan": { + "type": "Ongoing" + }, + "shared": { + "with": "none" + }, + "site": "Example", + "source": { + "geoip_src": 2 + }, + "suppression": { + "key": "Tenant Migration across MPs" + }, + "traffic": { + "type": "CloudApp" + }, + "type": "policy", + "url": { + "extension": "com\\\\/open", + "original": "http:\\\\/\\\\/www.example.com\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg", + "path": "\\\\/\\\\/www.example.com\\\\/open", + "query": "id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg", + "scheme": "http" + } + } + }, + "related": { + "ip": [ + "81.2.69.143", + "81.2.69.143" + ] + }, + "source": { + "address": "81.2.69.143", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "forwarded", + "netskope-alerts" + ], + "user": { + "email": [ + "test@example.com" + ] + }, + "user_agent": { + "name": "unknown", + "os": { + "name": "unknown" + } + } +} \ No newline at end of file 
diff --git a/packages/netskope/0.1.2/data_stream/events/agent/stream/tcp.yml.hbs b/packages/netskope/0.1.2/data_stream/events/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..bc587e50a3
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/events/agent/stream/tcp.yml.hbs
@@ -0,0 +1,18 @@
+host: "{{listen_address}}:{{listen_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/netskope/0.1.2/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/0.1.2/data_stream/events/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..989c462df9
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/events/elasticsearch/ingest_pipeline/default.yml
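Review bot: The first line, `host: "{{listen_address}}:{{listen_port}}"`, renders as `:<port>` whenever the stream's manifest does not define `listen_address`, and a bare `:port` makes the Filebeat TCP input bind all interfaces. The events manifest is not in this chunk, but the alerts manifest above exposes no such variable, so if the events one matches, every deployment of this template listens on 0.0.0.0 with no way to narrow it from the policy UI. Give the template a safe fallback so an undefined variable degrades to loopback rather than to everything: `host: "{{#if listen_address}}{{listen_address}}{{else}}localhost{{/if}}:{{listen_port}}"`. The same applies to the `{{#if ssl}}` block, which is inert unless the manifest actually exposes an `ssl` var — worth a one-line comment at the top of the template stating which manifest vars it expects.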
@@ -0,0 +1,253 @@
+---
+description: Pipeline for Netskope events
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - json:
+ field: message
+ add_to_root: true
+ add_to_root_conflict_strategy: replace
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{{destination.ip}}}"
+ if: ctx?.destination?.ip != null
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: "{{{netskope.events.user.ip}}}"
+ if: ctx?.netskope?.events?.user?.ip != null
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: "{{{source.ip}}}"
+ if: ctx?.source?.ip != null
+ ignore_failure: true
+ - append:
+ field: related.hosts
+ value: "{{{destination.domain}}}"
+ if: ctx?.destination?.domain != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hosts
+ value: "{{{host.hostname}}}"
+ if: ctx?.host?.hostname != null
+ allow_duplicates: false
+ ignore_failure: true
+ - user_agent:
+ field: user_agent.original
+ ignore_failure: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ - geoip:
+ field: netskope.events.user.ip
+ target_field: netskope.events.user.geo
+ ignore_missing: true
+ - uri_parts:
+ field: netskope.events.url
+ target_field: netskope.events.url
+ keep_original: true
+ remove_if_successful: false
+ ignore_failure: true
+ - uri_parts:
+ field: netskope.events.web.url
+ target_field: netskope.events.web.url
+ keep_original: true
+ remove_if_successful: false
+ ignore_failure: true
+ - uri_parts:
+ field: netskope.events.login.url
+ target_field: netskope.events.login.url
+ keep_original: true
+ remove_if_successful: false
+ ignore_failure: true
+ - uri_parts:
+ field: netskope.events.url
+ target_field: netskope.events.url
+ keep_original: true
+ remove_if_successful: false
+ ignore_failure: true
+ - json:
+ field: netskope.events.site
+ ignore_failure: true
+ - json:
+ field: netskope.events.app.name
+ ignore_failure: true
+ - lowercase:
+ ignore_failure: true
+ field: network.protocol
+ - uri_parts:
+ field: netskope.events.referer
+ target_field: netskope.events.referer
+ keep_original: true
+ remove_if_successful: false
+ ignore_failure: true
+ - set:
+ field: netskope.events.managed_app
+ value: true
+ if: "['yes', 'true'].contains(ctx?.netskope?.events?.managed_app?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.managed_app
+ value: false
+ if: "['no', 'false'].contains(ctx?.netskope?.events?.managed_app?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.is_bypass_traffic
+ value: true
+ if: "['yes', 'true'].contains(ctx?.netskope?.events?.is_bypass_traffic?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.is_bypass_traffic
+ value: false
+ if: "['no', 'false'].contains(ctx?.netskope?.events?.is_bypass_traffic?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.is_unique_count
+ value: true
+ if: "['yes', 'true'].contains(ctx?.netskope?.events?.is_unique_count?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.is_unique_count
+ value: false
+ if: "['no', 'false'].contains(ctx?.netskope?.events?.is_unique_count?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.user.is_aggregated
+ value: true
+ if: "['yes', 'true'].contains(ctx?.netskope?.events?.user?.is_aggregated?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.user.is_aggregated
+ value: false
+ if: "['no', 'false'].contains(ctx?.netskope?.events?.user?.is_aggregated?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.alert.is_present
+ value: true
+ if: "['yes', 'true'].contains(ctx?.netskope?.events?.alert?.is_present?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.alert.is_present
+ value: false
+ if: "['no', 'false'].contains(ctx?.netskope?.events?.alert?.is_present?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.user.generated
+ value: true
+ if: "['yes', 'true'].contains(ctx?.netskope?.events?.user?.generated?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.user.generated
+ value: false
+ if: "['no', 'false'].contains(ctx?.netskope?.events?.user?.generated?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.ack
+ value: true
+ if: "['yes', 'true'].contains(ctx?.netskope?.events?.ack?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.ack
+ value: false
+ if: "['no', 'false'].contains(ctx?.netskope?.events?.ack?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.is_malicious
+ value: true
+ if: "['yes', 'true'].contains(ctx?.netskope?.events?.is_malicious?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.is_malicious
+ value: false
+ if: "['no', 'false'].contains(ctx?.netskope?.events?.is_malicious?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.obfuscate
+ value: true
+ if: "['yes', 'true'].contains(ctx?.netskope?.events?.obfuscate?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.obfuscate
+ value: false
+ if: "['no', 'false'].contains(ctx?.netskope?.events?.obfuscate?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.shared.is_shared
+ value: true
+ if: "['yes', 'true'].contains(ctx?.netskope?.events?.shared?.is_shared?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - set:
+ field: netskope.events.shared.is_shared
+ value: false
+ if: "['no', 'false'].contains(ctx?.netskope?.events?.shared?.is_shared?.toString()?.toLowerCase())"
+ ignore_failure: true
+ - date:
+ field: netskope.events.modified_at
+ target_field: netskope.events.modified_at
+ ignore_failure: true
+ formats:
+ - UNIX
+ - script:
+ if: ctx?.file?.mime_type != null
+ lang: painless
+ source: >-
+ def parts = ctx.file.mime_type;
+ if (parts != null && parts.size() > 0) {
+ List l = new ArrayList();
+ for (entry in parts.entrySet()) {
+ l.add(entry.getValue());
+ }
+ List setList = new ArrayList(new HashSet(l));
+ ctx.file.mime_type = setList;
+ }
+ - script:
+ if: ctx?.user?.email != null
+ lang: painless
+ source: >-
+ def parts = ctx.user.email;
+ if (parts != null && parts.size() > 0) {
+ List l = new ArrayList();
+ for (entry in parts.entrySet()) {
+ l.add(entry.getValue());
+ }
+ List setList = new ArrayList(new HashSet(l));
+ ctx.user.email = setList;
+ }
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "" || object == "null") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/netskope/0.1.2/data_stream/events/fields/agent.yml b/packages/netskope/0.1.2/data_stream/events/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/events/fields/agent.yml
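Review bot: The `json` step near the top parses the sender's message with `add_to_root: true` and `add_to_root_conflict_strategy: replace`, so any top-level key in the TCP payload overwrites what the agent already put on the document — including `tags`, which the final `remove` step consults to decide whether `event.original` is kept, and fields such as `log.source.address` and `agent.*` — which means a sender on the listener can retain its own raw payload or forge its source just by emitting those keys. Stash the agent-assigned `tags` before the parse and restore them afterwards (below), and consider the same treatment for the other agent-owned fields if they matter to your detections. Two smaller points: the painless scripts for `file.mime_type` and `user.email` call `entrySet()` on the value but guard only against null, so a string or array in the payload throws and routes the whole document to `on_failure` — use `if: ctx?.file?.mime_type instanceof Map` (and likewise `ctx?.user?.email instanceof Map`). Finally, the three `related.ip` appends lack `allow_duplicates: false` even though the `related.hosts` appends have it (the sample event above shows `81.2.69.143` twice), and the `uri_parts` processor for `netskope.events.url` is listed twice, the second run operating on the already-parsed object.
```yaml
  - set:
      field: ecs.version
      value: '8.0.0'
  # Keep the agent-assigned tags out of reach of the sender's JSON: the payload is
  # untrusted and `replace` would otherwise let it overwrite them.
  - rename:
      field: tags
      target_field: _tmp.agent_tags
      ignore_missing: true
  - json:
      field: message
      add_to_root: true
      add_to_root_conflict_strategy: replace
  - set:
      field: tags
      copy_from: _tmp.agent_tags
      ignore_empty_value: true
  - remove:
      field: _tmp
      ignore_missing: true
  # … unchanged: rename message, related.*, user_agent, geoip, uri_parts, boolean normalisation, date, scripts, on_failure …
```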
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/netskope/0.1.2/data_stream/events/fields/base-fields.yml b/packages/netskope/0.1.2/data_stream/events/fields/base-fields.yml
new file mode 100755
index 0000000000..b6306aceaf
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/events/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: netskope
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: netskope.events
diff --git a/packages/netskope/0.1.2/data_stream/events/fields/ecs.yml b/packages/netskope/0.1.2/data_stream/events/fields/ecs.yml
new file mode 100755
index 0000000000..674f6f18d6
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/events/fields/ecs.yml
@@ -0,0 +1,257 @@ +- description: Packets sent from the client to the server. + name: client.packets + type: long +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: |- + Translated IP of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.ip + type: ip +- description: Packets sent from the client to the server. + name: client.packets + type: long +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: |- + The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. + Examples: app engine, app service, cloud run, fargate, lambda. + name: cloud.service.name + type: keyword +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. 
+ name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: |- + Postal code associated with the location. + Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + name: destination.geo.postal_code + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: The time zone of the location, such as IANA time zone name. + name: destination.geo.timezone + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
+ name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: MD5 hash. 
+ name: file.hash.md5 + type: keyword +- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + name: file.mime_type + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: Packets sent from the server to the client. + name: server.packets + type: long +- description: |- + Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: |- + Postal code associated with the location. + Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + name: source.geo.postal_code + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: The time zone of the location, such as IANA time zone name. + name: source.geo.timezone + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Name of the group. + name: user.group.name + type: keyword +- description: Short name or login of the user. 
+ multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Array of user roles at the time of the event. + name: user.roles + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword diff --git a/packages/netskope/0.1.2/data_stream/events/fields/fields.yml b/packages/netskope/0.1.2/data_stream/events/fields/fields.yml new file mode 100755 index 0000000000..e5521ff3c5 --- /dev/null +++ b/packages/netskope/0.1.2/data_stream/events/fields/fields.yml 
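Review bot: `client.packets` and `client.bytes` are each declared twice in this field list — once at the top of the file and again immediately after the `cloud.service.name` entry. Two definitions of one field in a data stream's `fields/` directory are ambiguous (which copy wins in the generated mapping is up to the build tool), and I believe later package-spec validation rejects them outright; delete the second copies. I would also confirm that something actually populates `threat.indicator.file.hash.*`, `rule.*` and `user.roles` for this data stream: the events pipeline in this commit never writes them, so unless the Netskope JSON carries them already mapped they are dead mapping entries that only widen the index schema.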
@@ -0,0 +1,1240 @@ +- name: netskope.events + type: group + fields: + - name: url + type: flattened + description: | + URL of the application that the user visited as provided by the log or data plane traffic + - name: cci + type: keyword + description: | + N/A + - name: access_method + type: keyword + description: | + Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. + For log uploads this shows the actual log type such as PAN, Websense, etc. + - name: ack + type: boolean + description: | + Whether user acknowledged the alert or not. + - name: activity + type: group + fields: + - name: name + type: keyword + description: | + Description of the user performed activity. + - name: status + type: keyword + description: | + Displayed when the user is denied access while performing some activity. + - name: type + type: keyword + description: | + Displayed when only admins can perform the activity in question. + - name: alarm + type: group + fields: + - name: description + type: keyword + description: | + N/A + - name: name + type: keyword + description: | + N/A + - name: alert + type: group + fields: + - name: is_present + type: boolean + description: | + Indicates whether alert is generated or not. + Populated as yes for all alerts. + - name: name + type: keyword + description: | + Name of the alert. + - name: type + type: keyword + description: | + Type of the alert. + - name: app + type: group + fields: + - name: activity + type: keyword + description: | + N/A + - name: category + type: keyword + description: | + N/A + - name: name + type: keyword + description: | + Specific cloud application used by the user (e.g. app = Dropbox). 
+ - name: region + type: keyword + description: | + N/A + - name: session.id + type: keyword + description: | + Unique App/Site Session ID for traffic_type = CloudApp and Web. + An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. + - name: attachment + type: keyword + description: | + File name. + - name: audit + type: group + fields: + - name: category + type: keyword + description: | + The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. + - name: log.event + type: keyword + description: | + N/A + - name: type + type: keyword + description: | + The sub category in audit according to SaaS / IaaS apps. + - name: browser + type: group + fields: + - name: session.id + type: keyword + description: | + Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. + - name: bucket + type: keyword + description: | + N/A + - name: category + type: group + fields: + - name: id + type: keyword + description: | + Matching category ID according to policy. Populated for both cloud and web traffic. + - name: name + type: keyword + description: | + N/A + - name: ccl + type: keyword + description: | + Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. + Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. + - name: channel + type: keyword + description: | + Channel of the user for slack and slack enterprise apps. 
+ - name: client + type: group + fields: + - name: bytes + type: long + description: | + Total number of bytes uploaded from client to server. + - name: packets + type: long + description: | + N/A + - name: connection + type: group + fields: + - name: duration + type: long + description: | + Duration of the connection in milliseconds. Useful for querying long-lived sessions. + - name: end_time + type: long + description: | + Connection end time. + - name: id + type: keyword + description: | + Each connection has a unique ID. Shows the ID for the connection event. + - name: start_time + type: long + description: | + Connection start time. + - name: count + type: long + description: | + Number of raw log lines/events sessionized or suppressed during the suppressed interval. + - name: description + type: keyword + description: | + N/A + - name: destination + type: group + fields: + - name: geoip.source + type: long + description: | + Source from where the location of Destination IP was derived. + - name: detail + type: keyword + description: | + N/A + - name: detection + type: group + fields: + - name: engine + type: keyword + description: | + Customer exposed detection engine name. + - name: type + type: keyword + description: | + Same as malware type. Duplicate. + - name: device + type: group + fields: + - name: classification + type: keyword + description: | + Designation of device as determined by the Netskope Client as to whether the device is managed or not. + - name: name + type: keyword + description: | + N/A + - name: type + type: keyword + description: | + Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. + - name: dlp + type: group + fields: + - name: count + type: long + description: | + Count of rule hits. + - name: file + type: keyword + description: | + File/Object name extracted from the file/object. + - name: fingerprint.classificaiton + type: keyword + description: | + Fingerprint classification. 
+ - name: fingerprint.match + type: keyword + description: | + Fingerprint classification match file name. + - name: fingerprint.score + type: long + description: | + Fingerprint classification score. + - name: fv + type: long + description: | + N/A + - name: incident.id + type: keyword + description: | + Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. + - name: is_unique_count + type: boolean + description: | + True or false depending upon if rule is unique counted per rule data. + - name: mail.parent_id + type: keyword + description: | + N/A + - name: parent.id + type: keyword + description: | + Incident ID associated with main container (or non-container) file that was scanned. + - name: profile + type: keyword + description: | + DLP profile name. + - name: score + type: long + description: | + DLP rule score for weighted dictionaries. + - name: severity + type: keyword + description: | + Severity of rule. + - name: unique_count + type: long + description: | + Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. + - name: domain + type: keyword + description: | + Domain value. This will hold the host header value or SNI or extracted from absolute URI. + - name: domain_shared_with + type: long + description: | + N/A + - name: drive + type: group + fields: + - name: id + type: keyword + description: | + N/A + - name: encrypt + type: group + fields: + - name: failure + type: keyword + description: | + Reason of failure while encrypting. + - name: end_time + type: keyword + description: | + N/A + - name: enterprise + type: group + fields: + - name: id + type: keyword + description: | + EnterpriseID in case of Slack for Enterprise. + - name: name + type: keyword + description: | + Enterprise name in case of Slack for Enterprise. + - name: event + type: group + fields: + - name: type + type: keyword + description: | + Anomaly type. 
+ - name: exposure + type: keyword + description: | + Exposure of a document. + - name: external_collaborator_count + type: long + description: | + Count of external collaborators on a file/folder. Supported for some apps. + - name: file + type: group + fields: + - name: id + type: keyword + description: | + Unique identifier of the file. + - name: is_password_protected + type: keyword + description: | + N/A + - name: lang + type: keyword + description: | + Language of the file. + - name: from + type: group + fields: + - name: object + type: keyword + description: | + Initial name of an object that has been renamed, copied or moved. + - name: user_category + type: keyword + description: | + Type of from_user. + - name: storage + type: keyword + description: | + N/A + - name: logs + type: keyword + description: | + Shows if the event was generated from the Risk Insights log. + - name: gateway + type: keyword + description: | + N/A + - name: graph + type: group + fields: + - name: id + type: keyword + description: | + N/A + - name: http_status + type: keyword + description: | + N/A + - name: http_transaction_count + type: long + description: | + HTTP transaction count. + - name: iaas_asset_tags + type: keyword + description: | + List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. + - name: id + type: keyword + description: | + N/A + - name: insertion + type: group + fields: + - name: timestamp + type: long + description: | + Insertion timestamp. + - name: instance_name + type: keyword + description: | + Instance associated with an organization application instance. + - name: instance + type: group + fields: + - name: id + type: keyword + description: | + Unique ID associated with an organization application instance. + - name: name + type: keyword + description: | + Instance name associated with an organization application instance. + - name: type + type: keyword + description: | + Instance type. 
+ - name: internal_collaborator_count + type: long + description: | + Count of internal collaborators on a file/folder. Supported for some apps. + - name: ip + type: group + fields: + - name: protocol + type: keyword + description: | + N/A + - name: is_bypass_traffic + type: boolean + description: | + Tells if traffic is bypassed by Netskope. + - name: is_malicious + type: boolean + description: | + Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. + - name: item + type: group + fields: + - name: id + type: keyword + description: | + N/A + - name: justification + type: group + fields: + - name: reason + type: keyword + description: | + Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. + - name: type + type: keyword + description: | + Type of justification provided by user when user bypasses the policy block. + - name: last + type: group + fields: + - name: app + type: keyword + description: | + Last application (app in the first/older event). Applies to only proximity anomaly alert. + - name: country + type: keyword + description: | + Last location (Country). Applies to only proximity anomaly alert. + - name: device + type: keyword + description: | + Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. + - name: location + type: keyword + description: | + Last location (City). Applies to only proximity anomaly alert. + - name: region + type: keyword + description: | + Applies to only proximity anomaly alert. + - name: timestamp + type: long + description: | + Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. 
+ - name: latency + type: group + fields: + - name: max + type: long + description: | + Max latency for a connection in milliseconds. + - name: min + type: long + description: | + Min latency for a connection in milliseconds. + - name: total + type: long + description: | + Total latency from proxy to app in milliseconds. + - name: legal_hold_profile_name + type: keyword + description: | + Legal hold profile name. + - name: lh + type: group + fields: + - name: custodian.name + type: keyword + description: | + Custodian name of legal hold profile. + - name: destination.app + type: keyword + description: | + Destination appname of legalhold action. + - name: destination.instance + type: keyword + description: | + Destination instance of legal hold action. + - name: file_id + type: keyword + description: | + File ID of legal hold file. + - name: filename + type: keyword + description: | + File name of legal hold file. + - name: filename_original + type: keyword + description: | + Original filename of legal hold file. + - name: filepath + type: keyword + description: | + File path of legal hold file. + - name: shared + type: keyword + description: | + Shared type of legal hold file. + - name: shared_with + type: keyword + description: | + User shared with the legal hold file. + - name: version + type: keyword + description: | + File version of original file. + - name: list + type: group + fields: + - name: id + type: keyword + description: | + N/A + - name: log_file + type: group + fields: + - name: name + type: keyword + description: | + Log file name for Risk Insights. + - name: login + type: group + fields: + - name: type + type: keyword + description: | + Salesforce login type. + - name: url + type: flattened + description: | + Salesforce login URL. + - name: malsite_category + type: keyword + description: | + Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. 
+ - name: malware + type: group + fields: + - name: id + type: keyword + description: | + md5 hash of the malware name as provided by the scan engine. + - name: name + type: keyword + description: | + Netskope detection name. + - name: profile + type: keyword + description: | + tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure. + - name: severity + type: keyword + description: | + Malware severity. + - name: type + type: keyword + description: | + Malware Type. + - name: managed_app + type: boolean + description: | + Whether or not the app in question is managed. + - name: management + type: group + fields: + - name: id + type: keyword + description: | + Management ID. + - name: metric_value + type: long + description: | + N/A + - name: modified_at + type: date + description: | + Timestamp corresponding to the modification time of the entity (file, etc.). + - name: netskope_pop + type: keyword + description: | + N/A + - name: network + type: keyword + description: | + N/A + - name: new_value + type: keyword + description: | + New value for a given file for salesforce.com. + - name: notify_template + type: keyword + description: | + N/A + - name: ns + type: group + fields: + - name: activity + type: keyword + description: | + Maps app activity to Netskope standard activity. + - name: device_uid + type: keyword + description: | + Device identifiers on macOS and Windows. + - name: num_sessions + type: long + description: | + N/A + - name: numbytes + type: long + description: | + Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. + - name: obfuscate + type: boolean + description: | + N/A + - name: object + type: group + fields: + - name: count + type: long + description: | + Displayed when the activity is Delete. Shows the number of objects being deleted. + - name: id + type: keyword + description: | + Unique ID associated with an object. 
+ - name: name + type: keyword + description: | + Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. + - name: type + type: keyword + description: | + Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. + - name: old_value + type: keyword + description: | + Old value for a given file for salesforce.com. + - name: org + type: keyword + description: | + Search for events from a specific organization. Organization name is derived from the user ID. + - name: organization_unit + type: keyword + description: | + Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. + - name: orig_ty + type: keyword + description: | + Event Type of original event. + - name: original_file_path + type: keyword + description: | + If the file is moved, then keep original path of the file in this field. + - name: other + type: group + fields: + - name: categories + type: keyword + description: | + N/A + - name: owner + type: keyword + description: | + Owner of the file. + - name: page + type: keyword + description: | + The URL of the originating page. + - name: page_site + type: keyword + description: | + N/A + - name: parent + type: group + fields: + - name: id + type: keyword + description: | + N/A + - name: path_id + type: long + description: | + Path ID of the file in the application. + - name: policy + type: group + fields: + - name: id + type: keyword + description: | + The Netskope internal ID for the policy created by an admin. + - name: name + type: keyword + description: | + Name of the policy configured by an admin. + - name: profile + type: group + fields: + - name: emails + type: keyword + description: | + List of profile emails per policy. + - name: id + type: keyword + description: | + Anomaly profile ID. 
+ - name: publisher_cn + type: keyword + description: | + N/A + - name: quarantine + type: group + fields: + - name: action.reason + type: keyword + description: | + Reason for the action taken for quarantine. + - name: admin + type: keyword + description: | + Quarantine profile custodian email/name. + - name: app + type: keyword + description: | + Quarantine app name. + - name: app_name + type: keyword + description: | + N/A + - name: failure + type: keyword + description: | + Reason of failure. + - name: file.id + type: keyword + description: | + File ID of the quarantined file. + - name: file.name + type: keyword + description: | + File name of the quarantine file. + - name: instance + type: keyword + description: | + Quarantine instance name. + - name: original.file.name + type: keyword + description: | + Original file name which got quarantined. + - name: original.file.path + type: keyword + description: | + Original file path which got quarantined. + - name: original.version + type: keyword + description: | + Original version of file which got quarantined. + - name: shared_with + type: keyword + description: | + N/A + - name: profile.id + type: keyword + description: | + Quarantine profile ID. + - name: profile.name + type: keyword + description: | + Quarantine profile name of policy for quarantine action. + - name: original.shared + type: keyword + description: | + Original file shared user details. + - name: qar + type: keyword + description: | + N/A + - name: referer + type: flattened + description: | + Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. + - name: region + type: keyword + description: | + N/A + - name: region + type: group + fields: + - name: id + type: keyword + description: | + Region ID (as provided by the cloud provider). 
+ - name: repo + type: keyword + description: | + N/A + - name: request + type: group + fields: + - name: count + type: long + description: | + Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. + - name: id + type: keyword + description: | + Unique request ID for the event. + - name: response + type: group + fields: + - name: content.length + type: long + description: | + N/A + - name: content.type + type: keyword + description: | + N/A + - name: count + type: long + description: | + Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. + - name: retro_scan_name + type: keyword + description: | + Retro scan name. + - name: risk_level + type: keyword + description: | + Corresponding field to risk_level_id. Name. + - name: risk_level_id + type: keyword + description: | + This field is set by both role-based access (RBA) and MLAD. + - name: role + type: keyword + description: | + Roles for Box. + - name: run_id + type: long + description: | + Run ID. + - name: sa + type: group + fields: + - name: profile.id + type: keyword + description: | + CSA profile ID. + - name: profile.name + type: keyword + description: | + CSA profile name. + - name: rule.severity + type: keyword + description: | + Rule severity. + - name: scan + type: group + fields: + - name: time + type: long + description: | + Time when the scan is done. + - name: type + type: keyword + description: | + Generated during retroactive scan or new ongoing activity. + - name: scopes + type: keyword + description: | + List of permissions for google apps. + - name: serial + type: keyword + description: | + N/A + - name: server + type: group + fields: + - name: bytes + type: long + description: | + Total number of downloaded from server to client. 
+ - name: packets + type: long + description: | + N/A + - name: session + type: group + fields: + - name: id + type: keyword + description: | + Session ID for Dropbox application. + - name: packets + type: long + description: | + N/A + - name: duration + type: long + description: | + N/A + - name: severity + type: group + fields: + - name: id + type: keyword + description: | + Severity ID used by watchlist and malware alerts. + - name: level + type: keyword + description: | + Severity used by watchlist and malware alerts. + - name: type + type: keyword + description: | + Severity type used by watchlist and malware alerts + - name: sfwder + type: keyword + description: | + N/A + - name: shared + type: group + fields: + - name: domains + type: keyword + description: | + List of domains of users the document is shared with. + - name: is_shared + type: boolean + description: | + If the file is shared or not. + - name: type + type: keyword + description: | + Shared Type. + - name: with + type: keyword + description: | + Array of emails with whom a document is shared with. + - name: site + type: keyword + description: | + For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". + - name: slc + type: group + fields: + - name: geo.location + type: geo_point + description: | + Longitude and latitude. + - name: source + type: group + fields: + - name: geoip_src + type: long + description: | + Source from where the location of Source IP was derived. + - name: ssl_decrypt_policy + type: keyword + description: | + Applicable to only bypass events. There are 2 ways to create rules for bypass: Bypass due to Exception Configuration, Bypass due to SSL Decrypt Policy.The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. 
ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. + - name: start_time + type: keyword + description: | + N/A + - name: sub_type + type: keyword + description: | + Workplace by Facebook post sub category (files, comments, status etc). + - name: supporting_data + type: keyword + description: | + N/A + - name: suppression + type: group + fields: + - name: end_time + type: long + description: | + When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. + - name: key + type: keyword + description: | + To limit the number of events. Example: Suppress block event for browse. + - name: start_time + type: long + description: | + When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. + - name: team + type: keyword + description: | + Slack team name. + - name: telemetry_app + type: keyword + description: | + Typically SaaS app web sites use web analytics code within the pages to gather analytic data. + When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the + Telemetry App field. + - name: temp_user + type: keyword + description: | + N/A + - name: tenant + type: group + fields: + - name: id + type: keyword + description: | + Tenant id. + - name: threat + type: group + fields: + - name: match_field + type: keyword + description: | + Threat match field, either from domain or URL or IP. + - name: source.id + type: keyword + description: | + Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. 
+ - name: threshold + type: long + description: | + Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. + - name: tnetwork_session_id + type: keyword + description: | + N/A + - name: to + type: group + fields: + - name: object + type: keyword + description: | + Changed name of an object that has been renamed, copied, or moved. + - name: storage + type: keyword + description: | + N/A + - name: user + type: keyword + description: | + Used when a file is moved from user A to user B. Shows the email address of user B. + - name: user_category + type: keyword + description: | + Type of user to which move is done. + - name: total_packets + type: long + description: | + N/A + - name: total + type: group + fields: + - name: collaborator_count + type: long + description: | + Count of collaborators on a file/folder. Supported for some apps. + - name: traffic + type: group + fields: + - name: type + type: keyword + description: | + Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. + - name: transaction + type: group + fields: + - name: id + type: keyword + description: | + Unique ID for a given request/response. + - name: tss_mode + type: keyword + description: | + Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. + - name: tunnel + type: group + fields: + - name: id + type: keyword + description: | + Shows the Client installation ID. Only available for the Client steering configuration. + - name: type + type: keyword + description: | + N/A + - name: up_time + type: long + description: | + N/A + - name: two_factor_auth + type: keyword + description: | + N/A + - name: type + type: keyword + description: | + Shows if it is an application event or a connection event. 
Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. + - name: universal_connector + type: keyword + description: | + N/A + - name: url + type: flattened + description: | + URL of the application that the user visited as provided by the log or data plane traffic. + - name: url_to_activity + type: keyword + description: | + Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. + - name: user + type: group + fields: + - name: category + type: keyword + description: | + Type of user in an enterprise - external / internal. + - name: group + type: keyword + description: | + N/A + - name: generated + type: boolean + description: | + Tells whether it is user generated page event. + - name: ip + type: keyword + description: | + IP address of User. + - name: is_aggregated + type: boolean + description: | + N/A + - name: violating + type: group + fields: + - name: user.name + type: keyword + description: | + User who caused a vioaltion. Populated for Workplace by Facebook. + - name: user.type + type: keyword + description: | + Category of the user who caused a violation. Populated for Workplace by Facebook. + - name: web_universal_connector + type: keyword + description: | + N/A + - name: web + type: group + fields: + - name: url + type: flattened + description: | + File preview URL. + - name: workspace + type: group + fields: + - name: id + type: keyword + description: | + Workspace ID in case of Slack for Enterprise. + - name: name + type: keyword + description: | + Workspace name in case of Slack for Enterprise. + - name: event_type + type: keyword + description: | + N/A + - name: zip_password + type: keyword + description: | + Zip the malacious file and put pwd to it and send it back to caller. 
+ - name: user
+ type: group
+ fields:
+ - name: geo.city_name
+ type: keyword
+ description: |
+ N/A
+ - name: geo.continent_name
+ type: keyword
+ description: |
+ N/A
+ - name: geo.country_iso_code
+ type: keyword
+ description: |
+ N/A
+ - name: geo.country_name
+ type: keyword
+ description: |
+ N/A
+ - name: geo.location
+ type: geo_point
+ description: |
+ Longitude and latitude.
+ - name: geo.region_iso_code
+ type: keyword
+ description: |
+ N/A
+ - name: geo.region_name
+ type: keyword
+ description: |
+ N/A
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/netskope/0.1.2/data_stream/events/manifest.yml b/packages/netskope/0.1.2/data_stream/events/manifest.yml
new file mode 100755
index 0000000000..c5186b4df7
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/events/manifest.yml
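Review bot: The field name `fingerprint.classificaiton` under the `dlp` group is misspelled, and because `name` becomes the indexed path (`netskope.events.dlp.fingerprint.classificaiton`) correcting it after release is a breaking mapping change; it should read `- name: fingerprint.classification` before this version ships. `region` is declared twice directly under `netskope.events`, once as `type: keyword` and once as a `type: group` holding `id`, which most likely produces a conflicting mapping for the same path, and `url` (`type: flattened`) is declared twice with the same definition at the top and near the end of the list. `zip_password` indexes the password applied to a quarantined malware archive as a plain searchable keyword; a credential should not live in the event index, so either drop it in the ingest pipeline or document why it is retained. Roughly forty fields carry `description: | N/A`, which tells an analyst nothing; use the vendor's field meaning or omit the description rather than a placeholder, and fix the description typos `malacious`, `vioaltion` and `Malicous`.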
@@ -0,0 +1,41 @@
+title: Events
+type: logs
+streams:
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: Netskope Events
+ description: Collect Netskope Events using tcp input
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9021
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - netskope-events
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/netskope/0.1.2/data_stream/events/sample_event.json b/packages/netskope/0.1.2/data_stream/events/sample_event.json
new file mode 100755
index 0000000000..23098b922f
--- /dev/null
+++ b/packages/netskope/0.1.2/data_stream/events/sample_event.json
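Review bot: The tcp stream exposes only `listen_port`; with no `listen_address` var the bind address is whatever `tcp.yml.hbs` (not in this hunk) hardcodes, and with no `ssl` var events from Cloud Exchange arrive in cleartext and any host that can reach port 9021 can inject records into the data stream. Other tcp-based streams in this repository expose a `listen_address` var (default `localhost`) and an `ssl` yaml var passed through to the Filebeat tcp input's TLS settings; adding both lets an operator bind to a private interface and require TLS, optionally with client certificates, from the shipper. If the template already binds localhost this only makes that choice visible and configurable.
```yaml
    vars:
      - name: listen_address
        type: text
        title: Listen Address
        description: The bind address to listen for TCP connections.
        multi: false
        required: true
        show_user: true
        default: localhost
      # … unchanged: listen_port, tags, preserve_original_event, processors …
      - name: ssl
        type: yaml
        title: SSL Configuration
        description: SSL configuration for the TCP listener; see the Filebeat tcp input documentation for the available `ssl` options.
        multi: false
        required: false
        show_user: false
```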
@@ -0,0 +1,60 @@
+{
+ "@timestamp": "2021-12-24T00:29:56.000Z",
+ "agent": {
+ "ephemeral_id": "3cabd78f-ac92-4719-87ff-e1dd82c3162a",
+ "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.3.0"
+ },
+ "data_stream": {
+ "dataset": "netskope.events",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
+ "snapshot": true,
+ "version": "8.3.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "netskope.events",
+ "ingested": "2022-04-14T09:24:43Z",
+ "original": "{\"@timestamp\":\"2021-12-24T00:29:56.000Z\",\"event.id\":\"613ee55ec9d868fc47654a73\",\"netskope\":{\"events\":{\"event_type\":\"infrastructure\",\"severity\":{\"level\":\"high\"},\"alarm\":{\"name\":\"No_events_from_device\",\"description\":\"Events from device not received in the last 24 hours\"},\"device\":{\"name\":\"device-1\"},\"metric_value\":43831789,\"serial\":\"FFFFFFFFFFFFFFFF\",\"supporting_data\":\"abc\"}}}"
+ },
+ "event.id": "613ee55ec9d868fc47654a73",
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.224.1:46522"
+ }
+ },
+ "netskope": {
+ "events": {
+ "alarm": {
+ "description": "Events from device not received in the last 24 hours",
+ "name": "No_events_from_device"
+ },
+ "device": {
+ "name": "device-1"
+ },
+ "event_type": "infrastructure",
+ "metric_value": 43831789,
+ "serial": "FFFFFFFFFFFFFFFF",
+ "severity": {
+ "level": "high"
+ },
+ "supporting_data": "abc"
+ }
+ },
+ "tags": [
+ "forwarded",
+ "netskope-events"
+ ]
+}
\ No newline at end of file
diff --git a/packages/netskope/0.1.2/docs/README.md b/packages/netskope/0.1.2/docs/README.md
new file mode 100755
index 0000000000..7e045449c3
--- /dev/null
+++ b/packages/netskope/0.1.2/docs/README.md
@@ -0,0 +1,2920 @@
+# Netskope
+
+This integration is for Netskope. It can be used
+to receive logs sent by Netskope Cloud Log Shipper on respective TCP ports.
+
+The log message is expected to be in JSON format. The data is mapped to
+ECS fields where applicable and the remaining fields are written under
+`netskope..*`.
+
+## Setup steps
+
+1. Configure this integration with the TCP input in Kibana.
+2. For all Netskope Cloud Exchange configurations refer to the [_Log Shipper_](https://docs.netskope.com/en/log-shipper.html).
+3. In Netskope Cloud Exchange please enable Log Shipper, add your Netskope Tenant.
+4. Configure input connectors:
+ 1. First with all Event types, and
+ 2. Second with all Alerts type.
+ For detailed steps refer [_Configure the Netskope Plugin for Log Shipper_](https://docs.netskope.com/en/configure-the-netskope-plugin-for-log-shipper.html).
+5. Creating mappings:
+ 1. Navigate to Settings -> Log Shipper -> Mapping.
+ 2. Click on Add mapping and paste mappings of Alerts mentioned below in Netskope Elastic Integration's Overview Page.
+ 3. Click on Add mapping and paste mappings of Events mentioned below in Netskope Elastic Integration's Overview Page.
+6. Configure output connectors:
+ 1. Navigate to Settings -> Plugins.
+ 2. Adding output connector **Elastic CLS**, select mapping created for Alerts and click **Next**, then paste the Events-validation in the **Valid Extensions** section for Alerts mentioned below in Netskope Elastic Integration's Overview Page.
+ For detailed steps refer [_Elastic Plugin for Log Shipper_](https://docs.netskope.com/en/elastic-plugin-for-log-shipper.html).
+7. Create business rules:
+ 1. Navigate to Home Page > Log Shipper > Business rules.
+ 2. Create business rules with Netskope Alerts.
+ 3. Create business rules with Netskope Events.
+ For detailed steps refer [_Manage Log Shipper Business Rules_](https://docs.netskope.com/en/manage-log-shipper-business-rules.html).
+8. Adding SIEM mappings:
+ 1. Navigate to Home Page > Log Shipper > SIEM Mappings
+ 2. Add SIEM mapping for events:
+ * Add **Rule** put rule created in step 7.
+ * Add **Source Configuration** put input created for Events in step 4.
+ * Add **Destination Configuration**, put output created for Events in step 6.
+ For detailed steps refer [_Configure Log Shipper SIEM Mappings_](https://docs.netskope.com/en/configure-log-shipper-siem-mappings.html).
+9. *Please make sure to use the given response formats.*
+
+## Compatibility
+
+This package has been tested against `Netskope version 91.1.0.605` and `Netskope Cloud Exchange version 3.1.5`.
+
+## Documentation and configuration
+
+### Alerts
+
+Default port: _9020_
+
+Netskope Alert Mapping:
+```json
+{
+ "elastic_map_version": "2.0.0",
+ "ecs_version": "0",
+ "taxonomy": {
+ "alerts": {
+ "policy": {
+ "header": {},
+ "extension": {
+ "event.id": { "mapping_field": "_id" },
+ "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
+ "netskope.alerts.access_method": { "mapping_field": "access_method" },
+ "netskope.alerts.acked": { "mapping_field": "acked" },
+ "netskope.alerts.action": { "mapping_field": "action" },
+ "netskope.alerts.activity.name": { "mapping_field": "activity" },
+ "netskope.alerts.is_alert": { "mapping_field": "alert" },
+ "netskope.alerts.alert.name": { "mapping_field": "alert_name" },
+ "netskope.alerts.alert.type": { "mapping_field": "type" },
+ "netskope.alerts.app.name": { "mapping_field": "app" },
+ "netskope.alerts.app.category": { "mapping_field": "appcategory" },
+ "user_agent.name": { "mapping_field": "browser" },
+ "netskope.alerts.category.name": { "mapping_field": "category" },
+ "netskope.alerts.cci": { "mapping_field": "cci" },
+ "netskope.alerts.ccl": { "mapping_field": "ccl" },
+ "netskope.alerts.count": { "mapping_field": "count" },
+ "netskope.alerts.device.name": { "mapping_field": "device" },
+ "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
+ "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" }, + "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, + "destination.geo.city_name": { "mapping_field": "dst_location" }, + "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, + "destination.geo.region_name": { "mapping_field": "dst_region" }, + "destination.geo.postal_code": { "mapping_field": "dst_zipcode" }, + "destination.address": { "mapping_field": "dstip" }, + "destination.ip": { "mapping_field": "dstip" }, + "netskope.alerts.exposure": { "mapping_field": "exposure" }, + "netskope.alerts.file.lang": { "mapping_field": "file_lang" }, + "file.path": { "mapping_field": "file_path" }, + "file.size": { "mapping_field": "file_size" }, + "file.mime_type.1": { "mapping_field": "file_type" }, + "netskope.alerts.instance.name": { "mapping_field": "instance" }, + "netskope.alerts.instance.id": { "mapping_field": "instance_id" }, + "file.hash.md5": { "mapping_field": "md5" }, + "file.mime_type.2": { "mapping_field": "mime_type" }, + "netskope.alerts.modified.timestamp": { "mapping_field": "modified" }, + "netskope.alerts.object.name": { "mapping_field": "object" }, + "netskope.alerts.object.id": { "mapping_field": "object_id" }, + "netskope.alerts.object.type": { "mapping_field": "object_type" }, + "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, + "user_agent.os.name": { "mapping_field": "os" }, + "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, + "netskope.alerts.owner": { "mapping_field": "owner" }, + "netskope.alerts.policy.name": { "mapping_field": "policy" }, + "netskope.alerts.request.id": { "mapping_field": "request_id" }, + "netskope.alerts.scan.type": { "mapping_field": "scan_type" }, + "netskope.alerts.shared.with": { "mapping_field": "shared_with" }, + "netskope.alerts.site": { "mapping_field": "site" }, + "source.geo.country_iso_code": { "mapping_field": "src_country" }, + 
"netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" }, + "source.geo.location.lat": { "mapping_field": "src_latitude" }, + "source.geo.city_name": { "mapping_field": "src_location" }, + "source.geo.location.lon": { "mapping_field": "src_longitude" }, + "source.geo.region_name": { "mapping_field": "src_region" }, + "source.geo.postal_code": { "mapping_field": "src_zipcode" }, + "source.address": { "mapping_field": "srcip" }, + "source.ip": { "mapping_field": "srcip" }, + "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" }, + "@timestamp": { "mapping_field": "timestamp" }, + "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, + "netskope.alerts.type": { "mapping_field": "alert_type" }, + "user.email.1": { "mapping_field": "ur_normalized" }, + "netskope.alerts.url": { "mapping_field": "url" }, + "user.email.2": { "mapping_field": "user" }, + "user.group.name": { "mapping_field": "usergroup" }, + "user.email.3": { "mapping_field": "userkey" }, + "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" }, + "netskope.alerts.connection.id": { "mapping_field": "connection_id" }, + "destination.geo.timezone": { "mapping_field": "dst_timezone" }, + "netskope.alerts.encrypt.failure": { "mapping_field": "encrypt_failure" }, + "netskope.alerts.ip.protocol": { "mapping_field": "ip_protocol" }, + "netskope.alerts.managed.app": { "mapping_field": "managed_app" }, + "netskope.alerts.netskope_pop": { "mapping_field": "netskope_pop" }, + "user_agent.os.version": { "mapping_field": "os_version" }, + "network.protocol": { "mapping_field": "protocol" }, + "netskope.alerts.referer": { "mapping_field": "referer" }, + "netskope.alerts.severity.level": { "mapping_field": "severity" }, + "source.geo.timezone": { "mapping_field": "src_timezone" }, + "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" } + } + }, + "dlp": { + "header": {}, + "extension": { + "event.id": { "mapping_field": "_id" }, + 
"netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, + "netskope.alerts.access_method": { "mapping_field": "access_method" }, + "netskope.alerts.acked": { "mapping_field": "acked" }, + "netskope.alerts.action": { "mapping_field": "action" }, + "netskope.alerts.activity.name": { "mapping_field": "activity" }, + "netskope.alerts.is_alert": { "mapping_field": "alert" }, + "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, + "netskope.alerts.alert.type": { "mapping_field": "type" }, + "netskope.alerts.app.name": { "mapping_field": "app" }, + "netskope.alerts.app.category": { "mapping_field": "appcategory" }, + "user_agent.name": { "mapping_field": "browser" }, + "netskope.alerts.category.name": { "mapping_field": "category" }, + "netskope.alerts.cci": { "mapping_field": "cci" }, + "netskope.alerts.ccl": { "mapping_field": "ccl" }, + "netskope.alerts.count": { "mapping_field": "count" }, + "netskope.alerts.device.name": { "mapping_field": "device" }, + "netskope.alerts.dlp.file": { "mapping_field": "dlp_file" }, + "netskope.alerts.dlp.incident.id": { "mapping_field": "dlp_incident_id" }, + "netskope.alerts.dlp.is_unique_count": { "mapping_field": "dlp_is_unique_count" }, + "netskope.alerts.dlp.parent.id": { "mapping_field": "dlp_parent_id" }, + "netskope.alerts.dlp.profile": { "mapping_field": "dlp_profile" }, + "netskope.alerts.dlp.rule.name": { "mapping_field": "dlp_rule" }, + "netskope.alerts.dlp.rule.count": { "mapping_field": "dlp_rule_count" }, + "netskope.alerts.dlp.rule.severity": { "mapping_field": "dlp_rule_severity" }, + "netskope.alerts.dlp.unique_count": { "mapping_field": "dlp_unique_count" }, + "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, + "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" }, + "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, + "destination.geo.city_name": { "mapping_field": "dst_location" }, + 
"destination.geo.location.lon": { "mapping_field": "dst_longitude" }, + "destination.geo.region_name": { "mapping_field": "dst_region" }, + "destination.geo.postal_code": { "mapping_field": "dst_zipcode" }, + "destination.address": { "mapping_field": "dstip" }, + "destination.ip": { "mapping_field": "dstip" }, + "netskope.alerts.exposure": { "mapping_field": "exposure" }, + "netskope.alerts.file.lang": { "mapping_field": "file_lang" }, + "file.path": { "mapping_field": "file_path" }, + "file.size": { "mapping_field": "file_size" }, + "file.mime_type.1": { "mapping_field": "file_type" }, + "netskope.alerts.instance.name": { "mapping_field": "instance" }, + "netskope.alerts.instance.id": { "mapping_field": "instance_id" }, + "file.hash.md5": { "mapping_field": "md5" }, + "file.mime_type.2": { "mapping_field": "mime_type" }, + "netskope.alerts.modified.timestamp": { "mapping_field": "modified" }, + "netskope.alerts.object.name": { "mapping_field": "object" }, + "netskope.alerts.object.id": { "mapping_field": "object_id" }, + "netskope.alerts.object.type": { "mapping_field": "object_type" }, + "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, + "user_agent.os.name": { "mapping_field": "os" }, + "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, + "netskope.alerts.owner": { "mapping_field": "owner" }, + "netskope.alerts.policy.name": { "mapping_field": "policy" }, + "netskope.alerts.request.id": { "mapping_field": "request_id" }, + "netskope.alerts.scan.type": { "mapping_field": "scan_type" }, + "netskope.alerts.shared.with": { "mapping_field": "shared_with" }, + "netskope.alerts.site": { "mapping_field": "site" }, + "source.geo.country_iso_code": { "mapping_field": "src_country" }, + "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" }, + "source.geo.location.lat": { "mapping_field": "src_latitude" }, + "source.geo.city_name": { "mapping_field": "src_location" }, + "source.geo.location.lon": { 
"mapping_field": "src_longitude" }, + "source.geo.region_name": { "mapping_field": "src_region" }, + "source.geo.postal_code": { "mapping_field": "src_zipcode" }, + "source.address": { "mapping_field": "srcip" }, + "source.ip": { "mapping_field": "srcip" }, + "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" }, + "@timestamp": { "mapping_field": "timestamp" }, + "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, + "netskope.alerts.type": { "mapping_field": "alert_type" }, + "user.email.1": { "mapping_field": "ur_normalized" }, + "netskope.alerts.url": { "mapping_field": "url" }, + "user.email.2": { "mapping_field": "user" }, + "user.group.name": { "mapping_field": "usergroup" }, + "user.email.3": { "mapping_field": "userkey" } + } + }, + "quarantine": { + "header": {}, + "extension": { + "event.id": { "mapping_field": "_id" }, + "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, + "netskope.alerts.access_method": { "mapping_field": "access_method" }, + "netskope.alerts.acked": { "mapping_field": "acked" }, + "netskope.alerts.action": { "mapping_field": "action" }, + "netskope.alerts.activity.name": { "mapping_field": "activity" }, + "netskope.alerts.is_alert": { "mapping_field": "alert" }, + "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, + "netskope.alerts.alert.type": { "mapping_field": "type" }, + "netskope.alerts.app.name": { "mapping_field": "app" }, + "netskope.alerts.app.category": { "mapping_field": "appcategory" }, + "user_agent.name": { "mapping_field": "browser" }, + "netskope.alerts.category.name": { "mapping_field": "category" }, + "netskope.alerts.cci": { "mapping_field": "cci" }, + "netskope.alerts.ccl": { "mapping_field": "ccl" }, + "netskope.alerts.count": { "mapping_field": "count" }, + "netskope.alerts.device.name": { "mapping_field": "device" }, + "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, + 
"netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" }, + "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, + "destination.geo.city_name": { "mapping_field": "dst_location" }, + "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, + "destination.geo.region_name": { "mapping_field": "dst_region" }, + "destination.geo.postal_code": { "mapping_field": "dst_zipcode" }, + "destination.address": { "mapping_field": "dstip" }, + "destination.ip": { "mapping_field": "dstip" }, + "netskope.alerts.exposure": { "mapping_field": "exposure" }, + "netskope.alerts.file.lang": { "mapping_field": "file_lang" }, + "file.path": { "mapping_field": "file_path" }, + "file.size": { "mapping_field": "file_size" }, + "file.mime_type.1": { "mapping_field": "file_type" }, + "netskope.alerts.instance.name": { "mapping_field": "instance" }, + "netskope.alerts.instance.id": { "mapping_field": "instance_id" }, + "file.hash.md5": { "mapping_field": "md5" }, + "file.mime_type.2": { "mapping_field": "mime_type" }, + "netskope.alerts.modified.timestamp": { "mapping_field": "modified" }, + "netskope.alerts.object.name": { "mapping_field": "object" }, + "netskope.alerts.object.id": { "mapping_field": "object_id" }, + "netskope.alerts.object.type": { "mapping_field": "object_type" }, + "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, + "user_agent.os.name": { "mapping_field": "os" }, + "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, + "netskope.alerts.owner": { "mapping_field": "owner" }, + "netskope.alerts.policy.name": { "mapping_field": "policy" }, + "netskope.alerts.quarantine.admin": { "mapping_field": "q_admin" }, + "netskope.alerts.quarantine.app.1": { "mapping_field": "q_app" }, + "netskope.alerts.quarantine.instance": { "mapping_field": "q_instance" }, + "netskope.alerts.quarantine.original.file.name": { "mapping_field": "q_original_filename" }, + 
"netskope.alerts.quarantine.original.file.path": { "mapping_field": "q_original_filepath" }, + "netskope.alerts.quarantine.original.shared": { "mapping_field": "q_original_shared" }, + "netskope.alerts.quarantine.original.version": { "mapping_field": "q_original_version" }, + "netskope.alerts.quarantine.shared.with": { "mapping_field": "q_shared_with" }, + "netskope.alerts.quarantine.action.reason": { "mapping_field": "quarantine_action_reason" }, + "netskope.alerts.quarantine.app.2": { "mapping_field": "quarantine_app" }, + "netskope.alerts.quarantine.failure": { "mapping_field": "quarantine_failure" }, + "netskope.alerts.quarantine.file.id": { "mapping_field": "quarantine_file_id" }, + "netskope.alerts.quarantine.file.name": { "mapping_field": "quarantine_file_name" }, + "netskope.alerts.quarantine.profile.name": { "mapping_field": "quarantine_profile" }, + "netskope.alerts.quarantine.profile.id": { "mapping_field": "quarantine_profile_id" }, + "netskope.alerts.request.id": { "mapping_field": "request_id" }, + "netskope.alerts.scan.type": { "mapping_field": "scan_type" }, + "netskope.alerts.shared.with": { "mapping_field": "shared_with" }, + "netskope.alerts.site": { "mapping_field": "site" }, + "source.geo.country_iso_code": { "mapping_field": "src_country" }, + "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" }, + "source.geo.location.lat": { "mapping_field": "src_latitude" }, + "source.geo.city_name": { "mapping_field": "src_location" }, + "source.geo.location.lon": { "mapping_field": "src_longitude" }, + "source.geo.region_name": { "mapping_field": "src_region" }, + "source.geo.postal_code": { "mapping_field": "src_zipcode" }, + "source.address": { "mapping_field": "srcip" }, + "source.ip": { "mapping_field": "srcip" }, + "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" }, + "@timestamp": { "mapping_field": "timestamp" }, + "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, + 
"netskope.alerts.type": { "mapping_field": "alert_type" }, + "user.email.1": { "mapping_field": "ur_normalized" }, + "netskope.alerts.url": { "mapping_field": "url" }, + "user.email.2": { "mapping_field": "user" }, + "user.group.name": { "mapping_field": "usergroup" }, + "user.email.3": { "mapping_field": "userkey"} + } + }, + "Security Assessment": { + "header": {}, + "extension": { + "event.id": { "mapping_field": "_id" }, + "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, + "netskope.alerts.access_method": { "mapping_field": "access_method" }, + "netskope.alerts.acked": { "mapping_field": "acked" }, + "netskope.alerts.action": { "mapping_field": "action" }, + "netskope.alerts.activity.name": { "mapping_field": "activity" }, + "netskope.alerts.is_alert": { "mapping_field": "alert" }, + "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, + "netskope.alerts.alert.type": { "mapping_field": "type" }, + "netskope.alerts.app.name": { "mapping_field": "app" }, + "netskope.alerts.app.category": { "mapping_field": "appcategory" }, + "user_agent.name": { "mapping_field": "browser" }, + "netskope.alerts.category.name": { "mapping_field": "category" }, + "netskope.alerts.ccl": { "mapping_field": "ccl" }, + "netskope.alerts.count": { "mapping_field": "count" }, + "netskope.alerts.device.name": { "mapping_field": "device" }, + "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, + "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" }, + "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, + "destination.geo.city_name": { "mapping_field": "dst_location" }, + "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, + "destination.geo.region_name": { "mapping_field": "dst_region" }, + "destination.address": { "mapping_field": "dstip" }, + "destination.ip": { "mapping_field": "dstip" }, + "netskope.alerts.exposure": { "mapping_field": "exposure" }, + 
"netskope.alerts.file.lang": { "mapping_field": "file_lang" }, + "file.path": { "mapping_field": "file_path" }, + "file.size": { "mapping_field": "file_size" }, + "file.mime_type.1": { "mapping_field": "file_type" }, + "netskope.alerts.instance.name": { "mapping_field": "instance" }, + "netskope.alerts.instance.id": { "mapping_field": "instance_id" }, + "file.hash.md5": { "mapping_field": "md5" }, + "file.mime_type.2": { "mapping_field": "mime_type" }, + "netskope.alerts.modified.timestamp": { "mapping_field": "modified" }, + "netskope.alerts.object.name": { "mapping_field": "object" }, + "netskope.alerts.object.id": { "mapping_field": "object_id" }, + "netskope.alerts.object.type": { "mapping_field": "object_type" }, + "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, + "user_agent.os.name": { "mapping_field": "os" }, + "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, + "netskope.alerts.owner": { "mapping_field": "owner" }, + "netskope.alerts.policy.name": { "mapping_field": "policy" }, + "netskope.alerts.request.id": { "mapping_field": "request_id" }, + "netskope.alerts.sa.profile.id": { "mapping_field": "sa_profile_id" }, + "netskope.alerts.sa.profile.name": { "mapping_field": "sa_profile_name" }, + "netskope.alerts.sa.rule.id": { "mapping_field": "sa_rule_id" }, + "netskope.alerts.sa.rule.name": { "mapping_field": "sa_rule_name" }, + "netskope.alerts.sa.rule.severity": { "mapping_field": "sa_rule_severity" }, + "netskope.alerts.scan.type": { "mapping_field": "scan_type" }, + "netskope.alerts.shared.with": { "mapping_field": "shared_with" }, + "netskope.alerts.site": { "mapping_field": "site" }, + "source.geo.country_iso_code": { "mapping_field": "src_country" }, + "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" }, + "source.geo.location.lat": { "mapping_field": "src_latitude" }, + "source.geo.city_name": { "mapping_field": "src_location" }, + "source.geo.location.lon": { 
"mapping_field": "src_longitude" }, + "source.geo.region_name": { "mapping_field": "src_region" }, + "source.address": { "mapping_field": "srcip" }, + "source.ip": { "mapping_field": "srcip" }, + "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" }, + "@timestamp": { "mapping_field": "timestamp" }, + "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, + "netskope.alerts.type": { "mapping_field": "alert_type" }, + "user.email.1": { "mapping_field": "ur_normalized" }, + "netskope.alerts.url": { "mapping_field": "url" }, + "user.email.2": { "mapping_field": "user" }, + "user.group.name": { "mapping_field": "usergroup" }, + "user.email.3": { "mapping_field": "userkey" }, + "netskope.alerts.compliance.standards": { "mapping_field": "compliance_standards" }, + "netskope.alerts.iaas.asset.tags": { "mapping_field": "iaas_asset_tags" }, + "netskope.alerts.iaas.remediated": { "mapping_field": "iaas_remediated" }, + "netskope.alerts.sa.rule.remediation": { "mapping_field": "sa_rule_remediation" }, + "cloud.account.id": { "mapping_field": "account_id" }, + "cloud.account.name": { "mapping_field": "account_name" }, + "netskope.alerts.asset.id": { "mapping_field": "asset_id" }, + "netskope.alerts.asset.object.id": { "mapping_field": "asset_object_id" }, + "netskope.alerts.cci": { "mapping_field": "cci" }, + "netskope.alerts.policy.id": { "mapping_field": "policy_id" }, + "netskope.alerts.region.id": { "mapping_field": "region_id" }, + "netskope.alerts.region.name": { "mapping_field": "region_name" }, + "netskope.alerts.resource.category": { "mapping_field": "resource_category" }, + "netskope.alerts.resource.group": { "mapping_field": "resource_group" } + } + }, + "uba": { + "header": {}, + "extension": { + "event.id": { "mapping_field": "_id" }, + "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, + "netskope.alerts.access_method": { "mapping_field": "access_method" }, + "netskope.alerts.acked": { 
"mapping_field": "acked" }, + "netskope.alerts.action": { "mapping_field": "action" }, + "netskope.alerts.activity.name": { "mapping_field": "activity" }, + "netskope.alerts.is_alert": { "mapping_field": "alert" }, + "netskope.alerts.alert.id": { "mapping_field": "alert_id" }, + "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, + "netskope.alerts.alert.type": { "mapping_field": "type" }, + "netskope.alerts.app.name": { "mapping_field": "app" }, + "netskope.alerts.app.category": { "mapping_field": "appcategory" }, + "user_agent.name": { "mapping_field": "browser" }, + "netskope.alerts.category.name": { "mapping_field": "category" }, + "netskope.alerts.cci": { "mapping_field": "cci" }, + "netskope.alerts.ccl": { "mapping_field": "ccl" }, + "netskope.alerts.count": { "mapping_field": "count" }, + "netskope.alerts.device.name": { "mapping_field": "device" }, + "netskope.alerts.device.classification": { "mapping_field": "device_classification" }, + "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, + "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" }, + "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, + "destination.geo.city_name": { "mapping_field": "dst_location" }, + "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, + "destination.geo.region_name": { "mapping_field": "dst_region" }, + "destination.geo.postal_code": { "mapping_field": "dst_zipcode" }, + "destination.address": { "mapping_field": "dstip" }, + "destination.ip": { "mapping_field": "dstip" }, + "netskope.alerts.event.type": { "mapping_field": "event_type" }, + "netskope.alerts.event_source_channel": { "mapping_field": "evt_src_chnl" }, + "file.size": { "mapping_field": "file_size" }, + "file.mime_type.1": { "mapping_field": "file_type" }, + "netskope.alerts.from.storage": { "mapping_field": "from_storage" }, + "host.hostname": { "mapping_field": "hostname" }, + "netskope.alerts.managed.app": { 
"mapping_field": "managed_app" }, + "netskope.alerts.management.id": { "mapping_field": "managementID" }, + "netskope.alerts.ns_device_uid": { "mapping_field": "nsdeviceuid" }, + "netskope.alerts.object.name": { "mapping_field": "object" }, + "netskope.alerts.object.type": { "mapping_field": "object_type" }, + "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, + "netskope.alerts.orig_ty": { "mapping_field": "orig_ty" }, + "user_agent.os.name": { "mapping_field": "os" }, + "user_agent.os.version": { "mapping_field": "os_version" }, + "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, + "netskope.alerts.page.url": { "mapping_field": "page" }, + "netskope.alerts.page.site": { "mapping_field": "page_site" }, + "netskope.alerts.policy.name": { "mapping_field": "policy" }, + "netskope.alerts.policy.actions": { "mapping_field": "policy_actions" }, + "netskope.alerts.profile.id": { "mapping_field": "profile_id" }, + "netskope.alerts.severity.level": { "mapping_field": "severity" }, + "netskope.alerts.site": { "mapping_field": "site" }, + "source.geo.country_iso_code": { "mapping_field": "src_country" }, + "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" }, + "source.geo.location.lat": { "mapping_field": "src_latitude" }, + "source.geo.city_name": { "mapping_field": "src_location" }, + "source.geo.location.lon": { "mapping_field": "src_longitude" }, + "source.geo.region_name": { "mapping_field": "src_region" }, + "source.geo.postal_code": { "mapping_field": "src_zipcode" }, + "source.address": { "mapping_field": "srcip" }, + "source.ip": { "mapping_field": "srcip" }, + "netskope.alerts.telemetry.app": { "mapping_field": "telemetry_app" }, + "netskope.alerts.threshold.value": { "mapping_field": "threshold" }, + "netskope.alerts.threshold.time": { "mapping_field": "threshold_time" }, + "@timestamp": { "mapping_field": "timestamp" }, + "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" 
}, + "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" }, + "netskope.alerts.type": { "mapping_field": "alert_type" }, + "user.email.1": { "mapping_field": "ur_normalized" }, + "netskope.alerts.url": { "mapping_field": "url" }, + "user.email.2": { "mapping_field": "user" }, + "user.group.name": { "mapping_field": "usergroup" }, + "netskope.alerts.user.ip": { "mapping_field": "userip" }, + "user.email.3": { "mapping_field": "userkey" }, + "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" }, + "netskope.alerts.browser.session.id": { "mapping_field": "browser_session_id" }, + "destination.geo.timezone": { "mapping_field": "dst_timezone" }, + "netskope.alerts.last.app": { "mapping_field": "last_app" }, + "netskope.alerts.last.country": { "mapping_field": "last_country" }, + "netskope.alerts.last.device": { "mapping_field": "last_device" }, + "netskope.alerts.last.location": { "mapping_field": "last_location" }, + "netskope.alerts.last.region": { "mapping_field": "last_region" }, + "netskope.alerts.last.timestamp": { "mapping_field": "last_timestamp" }, + "netskope.alerts.slc_longitude": { "mapping_field": "slc_longitude" }, + "source.geo.timezone": { "mapping_field": "src_timezone" }, + "netskope.alerts.flow_status": { "mapping_field": "flow_status" }, + "netskope.alerts.uba_ap1": { "mapping_field": "uba_ap1" }, + "netskope.alerts.uba_ap2": { "mapping_field": "uba_ap2" }, + "netskope.alerts.uba_inst1": { "mapping_field": "uba_inst1" }, + "netskope.alerts.uba_inst2": { "mapping_field": "uba_inst2" }, + "netskope.alerts.activity.status": { "mapping_field": "activity_status" }, + "netskope.alerts.connection.id": { "mapping_field": "connection_id" }, + "netskope.alerts.instance.id": { "mapping_field": "instance_id" }, + "file.hash.md5": { "mapping_field": "md5" }, + "netskope.alerts.parent.id": { "mapping_field": "parent_id" }, + "netskope.alerts.referer": { "mapping_field": "referer" }, + "netskope.alerts.slc_latitude": { 
"mapping_field": "slc_latitude" }, + "netskope.alerts.is_web_universal_connector": { "mapping_field": "web_universal_connector" } + } + }, + "Compromised Credential": { + "header": {}, + "extension": { + "event.id": { "mapping_field": "_id" }, + "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, + "netskope.alerts.acked": { "mapping_field": "acked" }, + "netskope.alerts.is_alert": { "mapping_field": "alert" }, + "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, + "netskope.alerts.type": { "mapping_field": "alert_type" }, + "netskope.alerts.breach.date": { "mapping_field": "breach_date" }, + "netskope.alerts.breach.description": { "mapping_field": "breach_description" }, + "netskope.alerts.breach.id": { "mapping_field": "breach_id" }, + "netskope.alerts.breach.media_references": { "mapping_field": "breach_media_references" }, + "netskope.alerts.breach.score": { "mapping_field": "breach_score" }, + "netskope.alerts.breach.target_references": { "mapping_field": "breach_target_references" }, + "netskope.alerts.category.name": { "mapping_field": "category" }, + "netskope.alerts.cci": { "mapping_field": "cci" }, + "netskope.alerts.ccl": { "mapping_field": "ccl" }, + "netskope.alerts.count": { "mapping_field": "count" }, + "netskope.alerts.email.source": { "mapping_field": "email_source" }, + "netskope.alerts.external.email": { "mapping_field": "external_email" }, + "netskope.alerts.matched.username": { "mapping_field": "matched_username" }, + "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, + "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, + "@timestamp": { "mapping_field": "timestamp" }, + "netskope.alerts.alert.type": { "mapping_field": "type" }, + "user.email.1": { "mapping_field": "ur_normalized" }, + "user.email.2": { "mapping_field": "user" }, + "netskope.alerts.user.group": { "mapping_field": "usergroup" }, + "user.email.3": { "mapping_field": 
"userkey" }, + "netskope.alerts.app.category": { "mapping_field": "appcategory" }, + "netskope.alerts.flow_status": { "mapping_field": "flow_status" } + } + }, + "Malsite": { + "header": {}, + "extension": { + "event.id": { "mapping_field": "_id" }, + "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, + "netskope.alerts.access_method": { "mapping_field": "access_method" }, + "netskope.alerts.acked": { "mapping_field": "acked" }, + "netskope.alerts.is_alert": { "mapping_field": "alert" }, + "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, + "netskope.alerts.type": { "mapping_field": "alert_type" }, + "netskope.alerts.app.name": { "mapping_field": "app" }, + "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" }, + "netskope.alerts.app.category": { "mapping_field": "appcategory" }, + "netskope.alerts.app.suite": { "mapping_field": "appsuite" }, + "user_agent.name": { "mapping_field": "browser" }, + "netskope.alerts.browser.session.id": { "mapping_field": "browser_session_id" }, + "netskope.alerts.category.name": { "mapping_field": "category" }, + "netskope.alerts.cci": { "mapping_field": "cci" }, + "netskope.alerts.ccl": { "mapping_field": "ccl" }, + "netskope.alerts.connection.id": { "mapping_field": "connection_id" }, + "netskope.alerts.count": { "mapping_field": "count" }, + "netskope.alerts.device.name": { "mapping_field": "device" }, + "netskope.alerts.device.classification": { "mapping_field": "device_classification" }, + "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, + "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, + "destination.geo.city_name": { "mapping_field": "dst_location" }, + "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, + "destination.geo.region_name": { "mapping_field": "dst_region" }, + "destination.geo.timezone": { "mapping_field": "dst_timezone" }, + "destination.geo.postal_code": { "mapping_field": 
"dst_zipcode" }, + "destination.ip": { "mapping_field": "dstip" }, + "destination.address": { "mapping_field": "dstip" }, + "host.hostname": { "mapping_field": "hostname" }, + "netskope.alerts.is_malicious": { "mapping_field": "malicious" }, + "netskope.alerts.malsite.active": { "mapping_field": "malsite_active" }, + "netskope.alerts.malsite.as.number": { "mapping_field": "malsite_as_number" }, + "netskope.alerts.malsite.category": { "mapping_field": "malsite_category" }, + "netskope.alerts.malsite.city": { "mapping_field": "malsite_city" }, + "netskope.alerts.malsite.confidence": { "mapping_field": "malsite_confidence" }, + "netskope.alerts.malsite.consecutive": { "mapping_field": "malsite_consecutive" }, + "netskope.alerts.malsite.country": { "mapping_field": "malsite_country" }, + "netskope.alerts.malsite.dns.server": { "mapping_field": "malsite_dns_server" }, + "netskope.alerts.malsite.first_seen": { "mapping_field": "malsite_first_seen" }, + "netskope.alerts.malsite.hostility": { "mapping_field": "malsite_hostility" }, + "netskope.alerts.malsite.id": { "mapping_field": "malsite_id" }, + "netskope.alerts.malsite.ip_host": { "mapping_field": "malsite_ip_host" }, + "netskope.alerts.malsite.isp": { "mapping_field": "malsite_isp" }, + "netskope.alerts.malsite.last.seen": { "mapping_field": "malsite_last_seen" }, + "netskope.alerts.malsite.latitude": { "mapping_field": "malsite_latitude" }, + "netskope.alerts.malsite.longitude": { "mapping_field": "malsite_longitude" }, + "netskope.alerts.malsite.region": { "mapping_field": "malsite_region" }, + "netskope.alerts.malsite.reputation": { "mapping_field": "malsite_reputation" }, + "netskope.alerts.managed.app": { "mapping_field": "managed_app" }, + "netskope.alerts.netskope_pop": { "mapping_field": "netskope_pop" }, + "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, + "user_agent.os.name": { "mapping_field": "os" }, + "user_agent.os.version": { "mapping_field": "os_version" }, + 
"netskope.alerts.other.categories": { "mapping_field": "other_categories" }, + "netskope.alerts.page.url": { "mapping_field": "page" }, + "netskope.alerts.page.site": { "mapping_field": "page_site" }, + "network.protocol": { "mapping_field": "protocol" }, + "netskope.alerts.severity.level": { "mapping_field": "severity" }, + "netskope.alerts.malsite.severity.level": { "mapping_field": "severity_level" }, + "netskope.alerts.severity.level_id": { "mapping_field": "severity_level_id" }, + "netskope.alerts.site": { "mapping_field": "site" }, + "source.geo.country_iso_code": { "mapping_field": "src_country" }, + "source.geo.location.lat": { "mapping_field": "src_latitude" }, + "source.geo.city_name": { "mapping_field": "src_location" }, + "source.geo.location.lon": { "mapping_field": "src_longitude" }, + "source.geo.region_name": { "mapping_field": "src_region" }, + "netskope.alerts.source.time": { "mapping_field": "src_time" }, + "source.geo.timezone": { "mapping_field": "src_timezone" }, + "source.geo.postal_code": { "mapping_field": "src_zipcode" }, + "source.ip": { "mapping_field": "srcip" }, + "source.address": { "mapping_field": "srcip" }, + "netskope.alerts.telemetry.app": { "mapping_field": "telemetry_app" }, + "netskope.alerts.threat.match.field": { "mapping_field": "threat_match_field" }, + "netskope.alerts.threat.match.value": { "mapping_field": "threat_match_value" }, + "netskope.alerts.threat.source.id": { "mapping_field": "threat_source_id" }, + "@timestamp": { "mapping_field": "timestamp" }, + "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, + "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" }, + "netskope.alerts.alert.type": { "mapping_field": "type" }, + "user.email.1": { "mapping_field": "ur_normalized" }, + "netskope.alerts.url": { "mapping_field": "url" }, + "user.email.2": { "mapping_field": "user" }, + "netskope.alerts.user.group": { "mapping_field": "usergroup" }, + "netskope.alerts.user.ip": { 
"mapping_field": "userip" }, + "user.email.3": { "mapping_field": "userkey" }, + "netskope.alerts.action": { "mapping_field": "action" }, + "netskope.alerts.ip.protocol": { "mapping_field": "ip_protocol" }, + "netskope.alerts.notify.template": { "mapping_field": "notify_template" }, + "netskope.alerts.policy.name": { "mapping_field": "policy" }, + "netskope.alerts.referer": { "mapping_field": "referer" }, + "user_agent.version": { "mapping_field": "browser_version" }, + "netskope.alerts.flow_status": { "mapping_field": "flow_status" } + } + }, + "malware": { + "header": {}, + "extension": { + "event.id": { "mapping_field": "_id" }, + "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, + "netskope.alerts.access_method": { "mapping_field": "access_method" }, + "netskope.alerts.acked": { "mapping_field": "acked" }, + "netskope.alerts.action": { "mapping_field": "action" }, + "netskope.alerts.activity.name": { "mapping_field": "activity" }, + "netskope.alerts.is_alert": { "mapping_field": "alert" }, + "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, + "netskope.alerts.type": { "mapping_field": "alert_type" }, + "netskope.alerts.app.name": { "mapping_field": "app" }, + "netskope.alerts.app.app_name": { "mapping_field": "app_name" }, + "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" }, + "netskope.alerts.app.category": { "mapping_field": "appcategory" }, + "netskope.alerts.category.name": { "mapping_field": "category" }, + "netskope.alerts.cci": { "mapping_field": "cci" }, + "netskope.alerts.ccl": { "mapping_field": "ccl" }, + "netskope.alerts.connection.id": { "mapping_field": "connection_id" }, + "netskope.alerts.count": { "mapping_field": "count" }, + "netskope.alerts.created_at": { "mapping_field": "created_date" }, + "netskope.alerts.detection.engine": { "mapping_field": "detection_engine" }, + "netskope.alerts.file.id": { "mapping_field": "file_id" }, + "file.name": { "mapping_field": 
"file_name" }, + "file.path": { "mapping_field": "file_path" }, + "file.size": { "mapping_field": "file_size" }, + "file.mime_type.1": { "mapping_field": "file_type" }, + "netskope.alerts.instance.name": { "mapping_field": "instance" }, + "threat.indicator.file.hash.md5": { "mapping_field": "local_md5" }, + "threat.indicator.file.hash.sha256": { "mapping_field": "local_sha256" }, + "netskope.alerts.malware.id": { "mapping_field": "malware_id" }, + "netskope.alerts.malware.name": { "mapping_field": "malware_name" }, + "netskope.alerts.malware.profile": { "mapping_field": "malware_profile" }, + "netskope.alerts.malware.severity": { "mapping_field": "malware_severity" }, + "netskope.alerts.malware.type": { "mapping_field": "malware_type" }, + "netskope.alerts.mime.type": { "mapping_field": "mime_type" }, + "netskope.alerts.ml_detection": { "mapping_field": "ml_detection" }, + "netskope.alerts.modified.timestamp": { "mapping_field": "modified" }, + "netskope.alerts.modified.date": { "mapping_field": "modified_date" }, + "netskope.alerts.object.name": { "mapping_field": "object" }, + "netskope.alerts.object.id": { "mapping_field": "object_id" }, + "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, + "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, + "netskope.alerts.path.id": { "mapping_field": "path_id" }, + "netskope.alerts.scanner_result": { "mapping_field": "scanner_result" }, + "netskope.alerts.severity.level": { "mapping_field": "severity" }, + "netskope.alerts.severity.id": { "mapping_field": "severity_id" }, + "netskope.alerts.shared.type": { "mapping_field": "shared_type" }, + "netskope.alerts.shared.with": { "mapping_field": "shared_with" }, + "netskope.alerts.site": { "mapping_field": "site" }, + "@timestamp": { "mapping_field": "timestamp" }, + "netskope.alerts.title": { "mapping_field": "title" }, + "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, + "netskope.alerts.tss.mode": { 
"mapping_field": "tss_mode" }, + "netskope.alerts.alert.type": { "mapping_field": "type" }, + "user.email.1": { "mapping_field": "ur_normalized" }, + "user.email.2": { "mapping_field": "user" }, + "user.email.3": { "mapping_field": "user_id" }, + "netskope.alerts.user.group": { "mapping_field": "usergroup" }, + "user.email.4": { "mapping_field": "userkey" }, + "netskope.alerts.browser.session.id": { "mapping_field": "browser_session_id" }, + "user_agent.name": { "mapping_field": "browser" }, + "user_agent.version": { "mapping_field": "browser_version" }, + "netskope.alerts.device.name": { "mapping_field": "device" }, + "netskope.alerts.device.classification": { "mapping_field": "device_classification" }, + "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, + "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" }, + "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, + "destination.geo.city_name": { "mapping_field": "dst_location" }, + "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, + "destination.geo.region_name": { "mapping_field": "dst_region" }, + "destination.geo.timezone": { "mapping_field": "dst_timezone" }, + "destination.geo.postal_code": { "mapping_field": "dst_zipcode" }, + "destination.ip": { "mapping_field": "dstip" }, + "destination.address": { "mapping_field": "dstip" }, + "netskope.alerts.flow_status": { "mapping_field": "flow_status" }, + "host.hostname": { "mapping_field": "hostname" }, + "netskope.alerts.ip.protocol": { "mapping_field": "ip_protocol" }, + "netskope.alerts.ns_device_uid": { "mapping_field": "nsdeviceuid" }, + "netskope.alerts.object.type": { "mapping_field": "object_type" }, + "user_agent.os.name": { "mapping_field": "os" }, + "user_agent.os.version": { "mapping_field": "os_version" }, + "netskope.alerts.page.url": { "mapping_field": "page" }, + "netskope.alerts.page.site": { "mapping_field": "page_site" }, + "network.protocol": { "mapping_field": 
"protocol" }, + "netskope.alerts.referer": { "mapping_field": "referer" }, + "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" }, + "source.geo.location.lat": { "mapping_field": "src_latitude" }, + "source.geo.city_name": { "mapping_field": "src_location" }, + "source.geo.location.lon": { "mapping_field": "src_longitude" }, + "source.geo.region_name": { "mapping_field": "src_region" }, + "netskope.alerts.source.time": { "mapping_field": "src_time" }, + "source.geo.timezone": { "mapping_field": "src_timezone" }, + "source.geo.postal_code": { "mapping_field": "src_zipcode" }, + "source.ip": { "mapping_field": "srcip" }, + "source.address": { "mapping_field": "srcip" }, + "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" }, + "netskope.alerts.is_web_universal_connector": { "mapping_field": "web_universal_connector" }, + "source.geo.country_iso_code": { "mapping_field": "src_country" }, + "netskope.alerts.management.id": { "mapping_field": "managementID" }, + "netskope.alerts.managed.app": { "mapping_field": "managed_app" }, + "netskope.alerts.request.id": { "mapping_field": "request_id" }, + "netskope.alerts.user.ip": { "mapping_field": "userip" } + } + } + } + } +} +``` +Netskope Alert Validation Extensions: +``` +ECS Key Name,Length,Data Type +@timestamp,,DateTime +cloud.account.id,,String +cloud.account.name,,String +cloud.service.name,,String +client.bytes,,Integer +client.packets,,Integer +destination.address,,String +destination.domain,,String +destination.geo.country_iso_code,,String +destination.geo.city_name,,String +destination.geo.location.lat,,Floating Point +destination.geo.location.lon,,Floating Point +destination.geo.postal_code,,String +destination.geo.region_name,,String +destination.geo.timezone,,String +destination.ip,,String +destination.port,,Integer +event.id,,String +file.hash.md5,,String +file.mime_type,,String +file.name,,String +file.path,,String +file.size,,Integer +host.hostname,,String 
+netskope.alerts.access_method,,String
+netskope.alerts.acked,,String
+netskope.alerts.acting.role,,String
+netskope.alerts.action,,String
+netskope.alerts.activities,,String
+netskope.alerts.activity.name,,String
+netskope.alerts.activity.status,,String
+netskope.alerts.activity.type,,String
+netskope.alerts.agg.window,,String
+netskope.alerts.aggregated.user,,String
+netskope.alerts.alert.affected.entities,,String
+netskope.alerts.alert.category,,String
+netskope.alerts.alert.description,,String
+netskope.alerts.alert.detection.stage,,String
+netskope.alerts.alert.id,,String
+netskope.alerts.alert.name,,String
+netskope.alerts.alert.notes,,String
+netskope.alerts.alert.query,,String
+netskope.alerts.alert.score,,Integer
+netskope.alerts.alert.source,,String
+netskope.alerts.alert.status,,String
+netskope.alerts.alert.type,,String
+netskope.alerts.alert.window,,String
+netskope.alerts.algorithm,,String
+netskope.alerts.anomaly.efficacy,,String
+netskope.alerts.anomaly.fields,,String
+netskope.alerts.anomaly.id,,String
+netskope.alerts.anomaly.magnitude,,Floating Point
+netskope.alerts.anomaly.type,,String
+netskope.alerts.app.app_name,,String
+netskope.alerts.app.activity,,String
+netskope.alerts.app.category,,String
+netskope.alerts.app.suite,,String
+netskope.alerts.app.name,,String
+netskope.alerts.app.region,,String
+netskope.alerts.app.session.id,,String
+netskope.alerts.asn,,Integer
+netskope.alerts.asset.id,,String
+netskope.alerts.asset.object.id,,String
+netskope.alerts.attachment,,String
+netskope.alerts.audit.category,,String
+netskope.alerts.audit.type,,String
+netskope.alerts.bin.timestamp,,Integer
+netskope.alerts.breach.date,,Integer
+netskope.alerts.breach.id,,String
+netskope.alerts.breach.description,,String
+netskope.alerts.breach.media_references,,String
+netskope.alerts.breach.name,,String
+netskope.alerts.breach.score,,Integer
+netskope.alerts.breach.target_references,,String
+netskope.alerts.browser.session.id,,String
+netskope.alerts.bucket,,String
+netskope.alerts.bypass.traffic,,String
+netskope.alerts.category,,String
+netskope.alerts.category.id,,String
+netskope.alerts.category.name,,String
+netskope.alerts.cci,,String
+netskope.alerts.ccl,,String
+netskope.alerts.channel,,String
+netskope.alerts.cloud.provider,,String
+netskope.alerts.compliance.standards,,String
+netskope.alerts.compute.instance,,String
+netskope.alerts.connection.duration,,Integer
+netskope.alerts.connection.endtime,,Floating Point
+netskope.alerts.connection.id,,String
+netskope.alerts.connection.starttime,,Floating Point
+netskope.alerts.count,,Integer
+netskope.alerts.created_at,,String
+netskope.alerts.data.version,,String
+netskope.alerts.description,,String
+netskope.alerts.destination.geoip_src,,Integer
+netskope.alerts.detected-file-type,,String
+netskope.alerts.detection.engine,,String
+netskope.alerts.detection.type,,String
+netskope.alerts.device.name,,String
+netskope.alerts.device.classification,,String
+netskope.alerts.dlp.file,,String
+netskope.alerts.dlp.fingerprint.classification,,String
+netskope.alerts.dlp.fingerprint.match,,String
+netskope.alerts.dlp.fingerprint.score,,Integer
+netskope.alerts.dlp.fv,,Integer
+netskope.alerts.dlp.incident.id,,String
+netskope.alerts.dlp.is_unique_count,,String
+netskope.alerts.dlp.mail.parent.id,,String
+netskope.alerts.dlp.parent.id,,String
+netskope.alerts.dlp.profile,,String
+netskope.alerts.dlp.rule.count,,Integer
+netskope.alerts.dlp.rule.name,,String
+netskope.alerts.dlp.rule.score,,Integer
+netskope.alerts.dlp.rule.severity,,String
+netskope.alerts.dlp.unique_count,,Integer
+netskope.alerts.doc.count,,Integer
+netskope.alerts.domain,,String
+netskope.alerts.domain.shared.with,,String
+netskope.alerts.download.app,,String
+netskope.alerts.drive.id,,String
+netskope.alerts.dynamic.classification,,String
+netskope.alerts.elastic_key,,String
+netskope.alerts.email.source,,String
+netskope.alerts.encrypt.failure,,String
+netskope.alerts.encryption.service.key,,String
+netskope.alerts.end_time,,Integer
+netskope.alerts.enterprise.id,,String
+netskope.alerts.enterprise.name,,String
+netskope.alerts.entity.list,,String
+netskope.alerts.entity.type,,String
+netskope.alerts.entity.value,,String
+netskope.alerts.event_source_channel,,String
+netskope.alerts.event.detail,,String
+netskope.alerts.event.id,,String
+netskope.alerts.event.type,,String
+netskope.alerts.exposure,,String
+netskope.alerts.external.collaborator.count,,Integer
+netskope.alerts.external.email,,Integer
+netskope.alerts.false_positive,,String
+netskope.alerts.feature.description,,String
+netskope.alerts.feature.id,,String
+netskope.alerts.feature.name,,String
+netskope.alerts.file.id,,String
+netskope.alerts.file.lang,,String
+netskope.alerts.file.name,,String
+netskope.alerts.file.password.protected,,String
+netskope.alerts.file.path,,String
+netskope.alerts.file.path.original,,String
+netskope.alerts.file.size,,Floating Point
+netskope.alerts.file.type,,String
+netskope.alerts.forward_to_proxy_profile,,String
+netskope.alerts.from.logs,,String
+netskope.alerts.from.object,,String
+netskope.alerts.from.storage,,String
+netskope.alerts.from.user_category,,String
+netskope.alerts.gateway,,String
+netskope.alerts.graph.id,,String
+netskope.alerts.http_status,,String
+netskope.alerts.http_transaction_count,,Integer
+netskope.alerts.iaas.asset.tags,,String
+netskope.alerts.iaas.remediated,,String
+netskope.alerts.iam.session,,String
+netskope.alerts.id,,String
+netskope.alerts.insertion_epoch_timestamp,,Integer
+netskope.alerts.instance_name,,String
+netskope.alerts.instance.id,,String
+netskope.alerts.instance.name,,String
+netskope.alerts.instance.type,,String
+netskope.alerts.internal.collaborator.count,,Integer
+netskope.alerts.ip_protocol,,String
+netskope.alerts.ipblock,,String
+netskope.alerts.is_alert,,String
+netskope.alerts.is_file_passwd_protected,,String
+netskope.alerts.is_malicious,,String
+netskope.alerts.is_two_factor_auth,,Integer
+netskope.alerts.is_universal_connector,,String
+netskope.alerts.is_user_generated,,String
+netskope.alerts.is_web_universal_connector,,String
+netskope.alerts.isp,,String
+netskope.alerts.item.id,,String
+netskope.alerts.justification.reason,,String
+netskope.alerts.justification.type,,String
+netskope.alerts.last.app,,String
+netskope.alerts.last.coordinates,,Floating Point
+netskope.alerts.last.country,,String
+netskope.alerts.last.device,,String
+netskope.alerts.last.location,,String
+netskope.alerts.last.modified_timestamp,,Integer
+netskope.alerts.last.region,,String
+netskope.alerts.last.timestamp,,Integer
+netskope.alerts.latency.max,,Integer
+netskope.alerts.latency.min,,Integer
+netskope.alerts.latency.total,,Integer
+netskope.alerts.legal_hold.custodian_name,,String
+netskope.alerts.legal_hold.destination.app,,String
+netskope.alerts.legal_hold.destination.instance,,String
+netskope.alerts.legal_hold.file.id,,String
+netskope.alerts.legal_hold.file.name,,String
+netskope.alerts.legal_hold.file.name_original,,String
+netskope.alerts.legal_hold.file.path,,String
+netskope.alerts.legal_hold.profile_name,,String
+netskope.alerts.legal_hold.shared,,String
+netskope.alerts.legal_hold.shared_with,,String
+netskope.alerts.legal_hold.version,,String
+netskope.alerts.list.id,,String
+netskope.alerts.log.file.name,,String
+netskope.alerts.login.type,,String
+netskope.alerts.login.url,,String
+netskope.alerts.malsite.active,,Integer
+netskope.alerts.malsite.as.number,,String
+netskope.alerts.malsite.category,,String
+netskope.alerts.malsite.city,,String
+netskope.alerts.malsite.confidence,,Integer
+netskope.alerts.malsite.consecutive,,Integer
+netskope.alerts.malsite.country,,String
+netskope.alerts.malsite.dns.server,,String
+netskope.alerts.malsite.first_seen,,Integer
+netskope.alerts.malsite.hostility,,String
+netskope.alerts.malsite.id,,String
+netskope.alerts.malsite.ip_host,,String
+netskope.alerts.malsite.isp,,String
+netskope.alerts.malsite.last.seen,,Integer
+netskope.alerts.malsite.latitude,,Floating Point
+netskope.alerts.malsite.longitude,,Floating Point
+netskope.alerts.malsite.region,,String
+netskope.alerts.malsite.reputation,,Floating Point
+netskope.alerts.malsite.severity.level,,String
+netskope.alerts.malware.id,,String
+netskope.alerts.malware.name,,String
+netskope.alerts.malware.profile,,String
+netskope.alerts.malware.severity,,String
+netskope.alerts.malware.type,,String
+netskope.alerts.managed.app,,String
+netskope.alerts.management.id,,String
+netskope.alerts.matched.username,,String
+netskope.alerts.matrix.columns,,String
+netskope.alerts.matrix.rows,,String
+netskope.alerts.md5_list,,String
+netskope.alerts.mime.type,,String
+netskope.alerts.modified.timestamp,,Integer
+netskope.alerts.modified.date,,Integer
+netskope.alerts.netskope_pop,,String
+netskope.alerts.network.name,,String
+netskope.alerts.network.security.group,,String
+netskope.alerts.network.session_id,,String
+netskope.alerts.new.value,,String
+netskope.alerts.nonzero.entries,,Integer
+netskope.alerts.nonzero.percentage,,Floating Point
+netskope.alerts.notify.template,,String
+netskope.alerts.ns_activity,,String
+netskope.alerts.ns_device_uid,,String
+netskope.alerts.numbytes,,Integer
+netskope.alerts.obfuscate,,String
+netskope.alerts.object.count,,Integer
+netskope.alerts.object.id,,String
+netskope.alerts.object.name,,String
+netskope.alerts.object.type,,String
+netskope.alerts.old.value,,String
+netskope.alerts.org,,String
+netskope.alerts.organization.unit,,String
+netskope.alerts.orig_ty,,String
+netskope.alerts.os_version_hostname,,String
+netskope.alerts.other.categories,,String
+netskope.alerts.owner,,String
+netskope.alerts.page,,String
+netskope.alerts.page.site,,String
+netskope.alerts.parameters,,String
+netskope.alerts.parent.id,,String
+netskope.alerts.path.id,,String
+netskope.alerts.policy.actions,,String
+netskope.alerts.policy.id,,String
+netskope.alerts.policy.name,,String
+netskope.alerts.pretty.sourcetype,,String
+netskope.alerts.processing.time,,Integer
+netskope.alerts.profile.emails,,String
+netskope.alerts.profile.id,,String
+netskope.alerts.quarantine.action.reason,,String
+netskope.alerts.quarantine.admin,,String
+netskope.alerts.quarantine.app,,String
+netskope.alerts.quarantine.failure,,String
+netskope.alerts.quarantine.file.id,,String
+netskope.alerts.quarantine.file.name,,String
+netskope.alerts.quarantine.instance,,String
+netskope.alerts.quarantine.original.file.name,,String
+netskope.alerts.quarantine.original.file.path,,String
+netskope.alerts.quarantine.original.shared,,String
+netskope.alerts.quarantine.original.version,,String
+netskope.alerts.quarantine.profile.name,,String
+netskope.alerts.quarantine.profile.id,,String
+netskope.alerts.quarantine.shared.with,,String
+netskope.alerts.referer,,String
+http.request.referrer,,String
+netskope.alerts.region.id,,String
+netskope.alerts.region.name,,String
+netskope.alerts.reladb,,String
+netskope.alerts.repo,,String
+netskope.alerts.request.cnt,,String
+netskope.alerts.request.id,,String
+netskope.alerts.resource.group,,String
+netskope.alerts.resources,,String
+netskope.alerts.response.cnt,,Integer
+netskope.alerts.response.content.length,,Integer
+netskope.alerts.response.content.type,,String
+netskope.alerts.retro.scan.name,,String
+netskope.alerts.risk_level.id,,String
+netskope.alerts.risk_level.tag,,String
+netskope.alerts.role,,String
+netskope.alerts.rule.id,,String
+netskope.alerts.sa.profile.id,,String
+netskope.alerts.sa.profile.name,,String
+netskope.alerts.sa.rule.remediation,,String
+netskope.alerts.sa.rule.severity,,String
+netskope.alerts.scan.time,,String
+netskope.alerts.scan.type,,String
+netskope.alerts.scanner_result,,String
+netskope.alerts.scopes,,String
+netskope.alerts.serial,,String
+netskope.alerts.session.duration,,Integer
+netskope.alerts.session.id,,String
+netskope.alerts.severity,,String
+netskope.alerts.severity.id,,String
+netskope.alerts.severity.level,,String
+netskope.alerts.severity.level_id,,Integer
+netskope.alerts.sfwder,,String
+netskope.alerts.shared_type,,String
+netskope.alerts.shared.credential.user,,String
+netskope.alerts.shared.domains,,String
+netskope.alerts.shared.is_shared,,String
+netskope.alerts.shared.type,,String
+netskope.alerts.shared.with,,String
+netskope.alerts.site,,String
+netskope.alerts.source.geoip_src,,Integer
+netskope.alerts.source.time,,String
+netskope.alerts.srcip2,,String
+netskope.alerts.ssl.decrypt.policy,,String
+netskope.alerts.start_time,,Integer
+netskope.alerts.start_time,,String
+netskope.alerts.statistics,,String
+netskope.alerts.storage_service_bucket,,String
+netskope.alerts.sub.type,,String
+netskope.alerts.summary,,String
+netskope.alerts.suppression.end.time,,String
+netskope.alerts.suppression.key,,String
+netskope.alerts.suppression.start.time,,String
+netskope.alerts.target.entity.key,,String
+netskope.alerts.target.entity.type,,String
+netskope.alerts.target.entity.value,,String
+netskope.alerts.team,,String
+netskope.alerts.telemetry.app,,String
+netskope.alerts.temp.user,,String
+netskope.alerts.tenant.id,,String
+netskope.alerts.tenant.id,,String
+netskope.alerts.threat.match.field,,String
+netskope.alerts.threat.match.value,,String
+netskope.alerts.threat.source.id,,String
+netskope.alerts.threshold.time,,Integer
+netskope.alerts.threshold.value,,Integer
+netskope.alerts.timestamp,,Integer
+netskope.alerts.to.object,,String
+netskope.alerts.to.storage,,String
+netskope.alerts.to.user,,String
+netskope.alerts.to.user_category,,String
+netskope.alerts.total.collaborator.count,,String
+netskope.alerts.total.packets,,Integer
+netskope.alerts.traffic.type,,String
+netskope.alerts.transaction.id,,String
+netskope.alerts.transformation,,String
+netskope.alerts.tss.mode,,String
+netskope.alerts.tss.version,,String
+netskope.alerts.tunnel.id,,String
+netskope.alerts.tunnel.type,,String
+netskope.alerts.tunnel.up_time,,String
+netskope.alerts.type,,String
+netskope.alerts.updated,,String
+netskope.alerts.url,,String
+netskope.alerts.Url2Activity,,String
+netskope.alerts.user.category,,String
+netskope.alerts.user.ip,,String
+netskope.alerts.value,,String
+netskope.alerts.violating_user.name,,Floating Point
+netskope.alerts.violating_user.type,,String
+netskope.alerts.web.url,,String
+netskope.alerts.workspace.id,,String
+netskope.alerts.workspace.name,,String
+netskope.alerts.zip.password,,String
+network.protocol,,String
+server.bytes,,Integer
+server.packets,,Integer
+source.address,,String
+source.geo.city_name,,String
+source.geo.country_iso_code,,String
+source.geo.location.lat,,Floating Point
+source.geo.location.lon,,Floating Point
+source.geo.postal_code,,String
+source.geo.region_name,,String
+source.geo.timezone,,String
+source.ip,,String
+source.port,,Integer
+threat.indicator.file.hash.md5,,String
+threat.indicator.file.hash.sha1,,String
+threat.indicator.file.hash.sha256,,String
+user_agent.name,,String
+user_agent.original,,String
+user_agent.os.name,,String
+user_agent.os.version,,String
+user_agent.version,,String
+user.email,,String
+user.group.name,,String
+user.id,,String
+user.name,,String
+user.roles,,String
+netskope.alerts.user.group,,String
+netskope.alerts.page.url,,String
+netskope.alerts.page_site,,String
+netskope.alerts.sa.rule.name,,String
+netskope.alerts.sa.rule.id,,String
+netskope.alerts.resource.category,,String
+netskope.alerts.ip.protocol,,String
+netskope.alerts.slc_longitude,,String
+netskope.alerts.flow_status,,String
+netskope.alerts.uba_inst2,,String
+netskope.alerts.uba_inst1,,String
+netskope.alerts.uba_ap2,,String
+netskope.alerts.uba_ap1,,String
+netskope.alerts.slc_latitude,,String
+netskope.alerts.ml_detection,,String
+netskope.alerts.title,,String
+file.mime_type.1,,String
+file.mime_type.2,,String
+user.email.1,,String
+user.email.2,,String
+user.email.3,,String
+user.email.4,,String
+netskope.alerts.quarantine.app.1,,String
+netskope.alerts.quarantine.app.2,,String
+```
+
+### Events
+
+Default port: _9021_
+
+Netskope Event Mapping:
+```json
+{
+ "elastic_map_version": "2.0.0",
+ "ecs_version": "0",
+ "taxonomy": {
+ "events": {
+ "application": {
+ "header": {},
+ "extension": {
+ "netskope.events.event_type": { "default_value": "application" },
+ "event.id": { "mapping_field": "_id" },
+ "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
+ "netskope.events.access_method": { "mapping_field": "access_method" },
+ "netskope.events.ack": { "mapping_field": "ack" },
+ "user.email.1": { "mapping_field": "act_user" },
+ "netskope.events.activity.name": { "mapping_field": "activity" },
+ "netskope.events.alert.is_present": { "mapping_field": "alert" },
+ "netskope.events.app.name": { "mapping_field": "app" },
+ "netskope.events.app.activity": { "mapping_field": "app_activity" },
+ "netskope.events.app.category": { "mapping_field": "appcategory" },
+ "user_agent.name": { "mapping_field": "browser" },
+ "netskope.events.category.name": { "mapping_field": "category" },
+ "netskope.events.cci": { "mapping_field": "cci" },
+ "netskope.events.ccl": { "mapping_field": "ccl" },
+ "netskope.events.count": { "mapping_field": "count" },
+ "netskope.events.device.type": { "mapping_field": "device" },
+ "netskope.events.instance.id": { "mapping_field": "instance_id" },
+ "netskope.events.object.name": { "mapping_field": "object" },
+ "netskope.events.object.id": { "mapping_field": "object_id" },
+ "netskope.events.object.type": { "mapping_field": "object_type" },
+ "netskope.events.organization_unit": { "mapping_field": "organization_unit" },
+ "user_agent.os.name": { "mapping_field": "os" },
+ "netskope.events.other.categories": { "mapping_field": "other_categories" },
+ "netskope.events.request.id": { "mapping_field": "request_id" },
+ "netskope.events.site": { "mapping_field": "site" },
+ "source.geo.country_iso_code":
{ "mapping_field": "src_country" }, + "netskope.events.source.geoip_src": { "mapping_field": "src_geoip_src" }, + "source.geo.location.lat": { "mapping_field": "src_latitude" }, + "source.geo.city_name": { "mapping_field": "src_location" }, + "source.geo.location.lon": { "mapping_field": "src_longitude" }, + "source.geo.region_name": { "mapping_field": "src_region" }, + "source.geo.postal_code": { "mapping_field": "src_zipcode" }, + "source.address": { "mapping_field": "srcip" }, + "source.ip": { "mapping_field": "srcip" }, + "@timestamp": { "mapping_field": "timestamp" }, + "netskope.events.traffic.type": { "mapping_field": "traffic_type" }, + "netskope.events.type": { "mapping_field": "type" }, + "user.email.2": { "mapping_field": "ur_normalized" }, + "user.email.3": { "mapping_field": "user" }, + "netskope.events.user.category": { "mapping_field": "user_category" }, + "user.email.4": { "mapping_field": "user_id" }, + "user.name": { "mapping_field": "user_name" }, + "user.roles": { "mapping_field": "user_role" }, + "user.group.name": { "mapping_field": "usergroup" }, + "netskope.events.user.ip": { "mapping_field": "userip" }, + "user.email.5": { "mapping_field": "userkey" }, + "cloud.account.name": { "mapping_field": "ack"}, + "event.action": { "mapping_field": "action"}, + "netskope.events.alert.name": { "mapping_field": "alert_name"}, + "netskope.events.alert.type": { "mapping_field": "alert_type"}, + "destination.geo.country_iso_code": { "mapping_field": "dst_country"}, + "netskope.events.destination.geoip.source": { "mapping_field": "dst_geoip_src"}, + "destination.geo.location.lat": { "mapping_field": "dst_latitude"}, + "destination.geo.city_name": { "mapping_field": "dst_location"}, + "destination.geo.location.lon": { "mapping_field": "dst_longitude"}, + "destination.geo.region_name": { "mapping_field": "dst_region"}, + "destination.geo.postal_code": { "mapping_field": "dst_zipcode"}, + "destination.address": { "mapping_field": "dstip"}, + "destination.ip": 
{ "mapping_field": "dstip"},
+ "netskope.events.exposure": { "mapping_field": "exposure"},
+ "netskope.events.file.lang": { "mapping_field": "file_lang"},
+ "file.path": { "mapping_field": "file_path"},
+ "file.size": { "mapping_field": "file_size"},
+ "file.mime_type.1": { "mapping_field": "file_type"},
+ "netskope.events.instance_name": { "mapping_field": "instance"},
+ "file.hash.md5": { "mapping_field": "md5"},
+ "file.mime_type.2": { "mapping_field": "mime_type"},
+ "netskope.events.modified_at": { "mapping_field": "modified"},
+ "netskope.events.owner": { "mapping_field": "owner"},
+ "netskope.events.policy.name": { "mapping_field": "policy"},
+ "netskope.events.quarantine.admin": { "mapping_field": "q_admin"},
+ "netskope.events.quarantine.app": { "mapping_field": "q_app"},
+ "netskope.events.quarantine.instance": { "mapping_field": "q_instance"},
+ "netskope.events.quarantine.original.file.name": { "mapping_field": "q_original_filename"},
+ "netskope.events.quarantine.original.file.path": { "mapping_field": "q_original_filepath"},
+ "netskope.events.quarantine.original.shared": { "mapping_field": "q_original_shared"},
+ "netskope.events.quarantine.original.version": { "mapping_field": "q_original_version"},
+ "netskope.events.quarantine.shared_with": { "mapping_field": "q_shared_with"},
+ "netskope.events.qar": { "mapping_field": "qar"},
+ "netskope.events.quarantine.app_name": { "mapping_field": "quarantine_app"},
+ "netskope.events.quarantine.action.reason": { "mapping_field": "quarantine_action_reason"},
+ "netskope.events.quarantine.failure": { "mapping_field": "quarantine_failure"},
+ "netskope.events.quarantine.file.id": { "mapping_field": "quarantine_file_id"},
+ "netskope.events.quarantine.file.name": { "mapping_field": "quarantine_file_name"},
+ "netskope.events.quarantine.profile.name": { "mapping_field": "quarantine_profile"},
+ "netskope.events.quarantine.profile.id": { "mapping_field": "quarantine_profile_id"},
+ "netskope.events.scan.type": { "mapping_field": "scan_type"},
+ "netskope.events.shared.with": { "mapping_field": "shared_with"},
+ "netskope.events.suppression.key": { "mapping_field": "suppression_key"},
+ "netskope.events.url": { "mapping_field": "url"},
+ "netskope.events.device.classification": { "mapping_field": "device_classification"},
+ "netskope.events.from.storage": { "mapping_field": "from_storage"},
+ "netskope.events.managed_app": { "mapping_field": "managed_app"},
+ "netskope.events.management.id": { "mapping_field": "managementID"},
+ "netskope.events.page": { "mapping_field": "page"},
+ "netskope.events.page_site": { "mapping_field": "page_site"},
+ "netskope.events.telemetry_app": { "mapping_field": "telemetry_app"},
+ "netskope.events.transaction.id": { "mapping_field": "transaction_id"},
+ "user_agent.os.version": { "mapping_field": "os_version"},
+ "netskope.events.legal_hold_profile_name": { "mapping_field": "legal_hold_profile_name"},
+ "user.email.6": { "mapping_field": "lh_custodian_email"},
+ "netskope.events.lh.custodian.name": { "mapping_field": "lh_custodian_name"},
+ "netskope.events.lh.destination.app": { "mapping_field": "lh_dest_app"},
+ "netskope.events.lh.destination.instance": { "mapping_field": "lh_dest_instance"},
+ "netskope.events.lh.file_id": { "mapping_field": "lh_fileid"},
+ "netskope.events.lh.filename": { "mapping_field": "lh_filename"},
+ "netskope.events.lh.filepath": { "mapping_field": "lh_filepath"},
+ "netskope.events.lh.filename_original": { "mapping_field": "lh_original_filename"},
+ "netskope.events.lh.shared": { "mapping_field": "lh_shared"},
+ "netskope.events.lh.shared_with": { "mapping_field": "lh_shared_with"},
+ "netskope.events.lh.version": { "mapping_field": "lh_version"},
+ "host.hostname": { "mapping_field": "hostname"},
+ "netskope.events.ns.device_uid": { "mapping_field": "nsdeviceuid"},
+ "netskope.events.severity.level": { "mapping_field": "severity"}
+ }
+ },
+ "audit": {
+ "header": {},
+ "extension": {
+ "netskope.events.event_type": { "default_value": "audit" },
+ "event.id": { "mapping_field": "_id" },
+ "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
+ "netskope.events.app.category": { "mapping_field": "appcategory" },
+ "netskope.events.audit.log.event": { "mapping_field": "audit_log_event" },
+ "netskope.events.category.name": { "mapping_field": "category" },
+ "netskope.events.ccl": { "mapping_field": "ccl" },
+ "netskope.events.count": { "mapping_field": "count" },
+ "netskope.events.organization_unit": { "mapping_field": "organization_unit" },
+ "netskope.events.severity.level": { "mapping_field": "severity_level" },
+ "netskope.events.supporting_data": { "mapping_field": "supporting_data" },
+ "@timestamp": { "mapping_field": "timestamp" },
+ "netskope.events.type": { "mapping_field": "type" },
+ "user.email.1": { "mapping_field": "ur_normalized" },
+ "user.email.2": { "mapping_field": "user" }
+ }
+ },
+ "infrastructure": {
+ "header": {},
+ "extension": {
+ "netskope.events.event_type": { "default_value": "infrastructure" },
+ "@timestamp": { "mapping_field": "timestamp" },
+ "event.id": { "mapping_field": "_id" },
+ "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
+ "netskope.events.alarm.name": { "mapping_field": "alarm_name" },
+ "netskope.events.alarm.description": { "mapping_field": "alarm_description" },
+ "netskope.events.device.name": { "mapping_field": "device_name" },
+ "netskope.events.metric_value": { "mapping_field": "metric_value" },
+ "netskope.events.serial": { "mapping_field": "serial" },
+ "netskope.events.severity.level": { "mapping_field": "severity" },
+ "netskope.events.supporting_data": { "mapping_field": "supporting_data" }
+ }
+ },
+ "network": {
+ "header": {},
+ "extension": {
+ "netskope.events.event_type": { "default_value": "network" },
+ "event.id": { "mapping_field": "_id" },
+ "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
+ "netskope.events.destination.geoip.source": { "mapping_field": "dst_geoip_src" },
+ "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
+ "destination.geo.city_name": { "mapping_field": "dst_location" },
+ "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
+ "destination.geo.region_name": { "mapping_field": "dst_region" },
+ "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
+ "netskope.events.access_method": { "mapping_field": "access_method" },
+ "event.action": { "mapping_field": "action" },
+ "netskope.events.app.name": { "mapping_field": "app" },
+ "netskope.events.app.category": { "mapping_field": "appcategory" },
+ "netskope.events.category.name": { "mapping_field": "category" },
+ "netskope.events.ccl": { "mapping_field": "ccl" },
+ "client.bytes": { "mapping_field": "client_bytes" },
+ "client.packets": { "mapping_field": "client_packets" },
+ "netskope.events.count": { "mapping_field": "count" },
+ "netskope.events.device.type": { "mapping_field": "device" },
+ "destination.domain": { "mapping_field": "dsthost" },
+ "destination.address": { "mapping_field": "dstip" },
+ "destination.ip": { "mapping_field": "dstip" },
+ "destination.port": { "mapping_field": "dstport" },
+ "destination.geo.postal_code": { "mapping_field": "dst_zipcode" },
+ "netskope.events.end_time": { "mapping_field": "end_time" },
+ "netskope.events.ip.protocol": { "mapping_field": "ip_protocol" },
+ "netskope.events.netskope_pop": { "mapping_field": "netskope_pop" },
+ "netskope.events.num_sessions": { "mapping_field": "num_sessions" },
+ "netskope.events.numbytes": { "mapping_field": "numbytes" },
+ "netskope.events.organization_unit": { "mapping_field": "organization_unit" },
+ "user_agent.os.name": { "mapping_field": "os" },
+ "user_agent.os.version": { "mapping_field": "os_version" },
+ "netskope.events.policy.name": { "mapping_field": "policy" },
+ "netskope.events.publisher_cn": { "mapping_field": "publisher_cn" },
+ "netskope.events.session.packets": { "mapping_field": "session_duration" },
+ "netskope.events.site": { "mapping_field": "site" },
+ "network.protocol": { "mapping_field": "protocol" },
+ "server.bytes": { "mapping_field": "server_bytes" },
+ "server.packets": { "mapping_field": "server_packets" },
+ "source.address": { "mapping_field": "srcip" },
+ "source.ip": { "mapping_field": "srcip" },
+ "source.port": { "mapping_field": "srcport" },
+ "netskope.events.start_time": { "mapping_field": "start_time" },
+ "@timestamp": { "mapping_field": "timestamp" },
+ "netskope.events.tnetwork_session_id": { "mapping_field": "tnetwork_session_id" },
+ "netskope.events.total_packets": { "mapping_field": "total_packets" },
+ "netskope.events.traffic.type": { "mapping_field": "traffic_type" },
+ "netskope.events.tunnel.id": { "mapping_field": "tunnel_id" },
+ "netskope.events.tunnel.type": { "mapping_field": "tunnel_type" },
+ "netskope.events.tunnel.up_time": { "mapping_field": "tunnel_up_time" },
+ "netskope.events.type": { "mapping_field": "type" },
+ "source.geo.country_iso_code": { "mapping_field": "src_country" },
+ "netskope.events.source.geoip_src": { "mapping_field": "src_geoip_src" },
+ "source.geo.location.lat": { "mapping_field": "src_latitude" },
+ "source.geo.city_name": { "mapping_field": "src_location" },
+ "source.geo.location.lon": { "mapping_field": "src_longitude" },
+ "source.geo.region_name": { "mapping_field": "src_region" },
+ "source.geo.timezone": { "mapping_field": "src_timezone" },
+ "source.geo.postal_code": { "mapping_field": "src_zipcode" },
+ "user.email.1": { "mapping_field": "ur_normalized" },
+ "user.email.2": { "mapping_field": "user" },
+ "user.group.name": { "mapping_field": "usergroup" },
+ "netskope.events.user.ip": { "mapping_field": "userip" },
+ "user.email.3": { "mapping_field": "userkey" }
+ }
+ },
+ "page": {
+ "header": {},
+ "extension": {
+ "netskope.events.event_type": { "default_value": "page" },
+ "event.id": { "mapping_field": "_id" },
+ "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
+ "netskope.events.access_method": { "mapping_field": "access_method" },
+ "netskope.events.app.name": { "mapping_field": "app" },
+ "netskope.events.app.session.id": { "mapping_field": "app_session_id" },
+ "netskope.events.app.category": { "mapping_field": "appcategory" },
+ "user_agent.name": { "mapping_field": "browser" },
+ "netskope.events.browser.session.id": { "mapping_field": "browser_session_id" },
+ "user_agent.version": { "mapping_field": "browser_version" },
+ "netskope.events.category.name": { "mapping_field": "category" },
+ "netskope.events.cci": { "mapping_field": "cci" },
+ "netskope.events.ccl": { "mapping_field": "ccl" },
+ "client.bytes": { "mapping_field": "client_bytes" },
+ "netskope.events.connection.duration": { "mapping_field": "conn_duration" },
+ "netskope.events.connection.end_time": { "mapping_field": "conn_endtime" },
+ "netskope.events.connection.start_time": { "mapping_field": "conn_starttime" },
+ "netskope.events.connection.id": { "mapping_field": "connection_id" },
+ "netskope.events.count": { "mapping_field": "count" },
+ "netskope.events.device.type": { "mapping_field": "device" },
+ "netskope.events.domain": { "mapping_field": "domain" },
+ "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
+ "netskope.events.destination.geoip.source": { "mapping_field": "dst_geoip_src" },
+ "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
+ "destination.geo.city_name": { "mapping_field": "dst_location" },
+ "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
+ "destination.geo.region_name": { "mapping_field": "dst_region" },
+ "destination.geo.timezone": { "mapping_field": "dst_timezone" },
+ "destination.geo.postal_code": { "mapping_field": "dst_zipcode" },
+ "destination.address": { "mapping_field": "dstip" },
+ "destination.ip": { "mapping_field": "dstip" },
+ "destination.port": { "mapping_field": "dstport" },
+ "netskope.events.numbytes": { "mapping_field": "numbytes" },
+ "netskope.events.organization_unit": { "mapping_field": "organization_unit" },
+ "user_agent.os.name": { "mapping_field": "os" },
+ "user_agent.os.version": { "mapping_field": "os_version" },
+ "netskope.events.page": { "mapping_field": "page" },
+ "netskope.events.request.count": { "mapping_field": "req_cnt" },
+ "netskope.events.response.count": { "mapping_field": "resp_cnt" },
+ "server.bytes": { "mapping_field": "server_bytes" },
+ "netskope.events.severity.level": { "mapping_field": "severity" },
+ "netskope.events.site": { "mapping_field": "site" },
+ "netskope.events.slc.geo.location.lat": { "mapping_field": "slc_latitude" },
+ "netskope.events.slc.geo.location.lon": { "mapping_field": "slc_longitude" },
+ "source.geo.country_iso_code": { "mapping_field": "src_country" },
+ "netskope.events.source.geoip_src": { "mapping_field": "src_geoip_src" },
+ "source.geo.location.lat": { "mapping_field": "src_latitude" },
+ "source.geo.city_name": { "mapping_field": "src_location" },
+ "source.geo.location.lon": { "mapping_field": "src_longitude" },
+ "source.geo.region_name": { "mapping_field": "src_region" },
+ "source.geo.timezone": { "mapping_field": "src_timezone" },
+ "source.geo.postal_code": { "mapping_field": "src_zipcode" },
+ "source.address": { "mapping_field": "srcip" },
+ "source.ip": { "mapping_field": "srcip" },
+ "@timestamp": { "mapping_field": "timestamp" },
+ "netskope.events.traffic.type": { "mapping_field": "traffic_type" },
+ "netskope.events.type": { "mapping_field": "type" },
+ "user.email.1": { "mapping_field": "ur_normalized" },
+ "user.email.2": { "mapping_field": "user" },
+ "netskope.events.user.generated": { "mapping_field": "user_generated" },
+ "user_agent.original": { "mapping_field": "useragent" },
+ "user.group.name": { "mapping_field": "usergroup" },
+ "netskope.events.user.ip": { "mapping_field": "userip" },
+ "user.email.3": { "mapping_field": "userkey" },
+ "netskope.events.url": { "mapping_field" : "url" },
+ "netskope.events.is_bypass_traffic": { "mapping_field" : "bypass_traffic" },
+ "host.hostname": { "mapping_field" : "hostname" },
+ "netskope.events.http_transaction_count": { "mapping_field" : "http_transaction_count" },
+ "netskope.events.response.content.length": { "mapping_field" : "resp_content_len" },
+ "netskope.events.response.content.type": { "mapping_field" : "resp_content_type" },
+ "netskope.events.suppression.end_time": { "mapping_field" : "suppression_end_time" },
+ "netskope.events.suppression.start_time": { "mapping_field" : "suppression_start_time" },
+ "netskope.events.transaction.id": { "mapping_field" : "transaction_id" }
+ }
+ }
+ }
+ }
+}
+```
+
+Netskope Event Validation Extensions:
+```
+ECS Key Name,Length,Data Type
+@timestamp,,DateTime
+client.bytes,,Integer
+client.packets,,Integer
+cloud.account.id,,String
+cloud.account.name,,String
+cloud.region,,String
+cloud.service.name,,String
+destination.address,,String
+destination.domain,,String
+destination.geo.city_name,,String
+destination.geo.country_iso_code,,String
+destination.geo.location.lat,,Floating Point
+destination.geo.location.lon,,Floating Point
+destination.geo.postal_code,,String
+destination.geo.region_name,,String
+destination.geo.timezone,,String
+destination.ip,,String
+destination.port,,Integer
+event.action,,String
+event.id,,String
+file.hash.md5,,String
+file.mime_type,,String
+file.name,,String
+file.path,,String
+file.size,,Integer
+host.hostname,,String
+netskope.events.access_method,,String
+netskope.events.ack,,String
+netskope.events.acked,,String
+netskope.events.activity.name,,String
+netskope.events.activity.status,,String
+netskope.events.activity.type,,String
+netskope.events.alarm.description,,String
+netskope.events.alarm.name,,String
+netskope.events.alert.is_present,,String
+netskope.events.alert.name,,String
+netskope.events.alert.type,,String +netskope.events.app.activity,,String +netskope.events.app.category,,String +netskope.events.app.name,,String +netskope.events.app.region,,String +netskope.events.app.session.id,,String +netskope.events.attachment,,String +netskope.events.audit.category,,String +netskope.events.audit.log.event,,String +netskope.events.audit.type,,String +netskope.events.breach_name,,String +netskope.events.browser.session.id,,String +netskope.events.bucket,,String +netskope.events.category.id,,String +netskope.events.category.name,,String +netskope.events.cci,,String +netskope.events.ccl,,String +netskope.events.channel,,String +netskope.events.connection.duration,,Integer +netskope.events.connection.end_time,,Floating Point +netskope.events.connection.id,,String +netskope.events.connection.start_time,,Floating Point +netskope.events.count,,Integer +netskope.events.description,,String +netskope.events.destination.geoip.source,,Integer +netskope.events.detail,,String +netskope.events.detection.engine,,String +netskope.events.detection.type,,String +netskope.events.device.classification,,String +netskope.events.device.name,,String +netskope.events.device.type,,String +netskope.events.dlp.count,,Integer +netskope.events.dlp.file,,String +netskope.events.dlp.fingerprint.classification,,String +netskope.events.dlp.fingerprint.match,,String +netskope.events.dlp.fingerprint.score,,Integer +netskope.events.dlp.fv,,Integer +netskope.events.dlp.incident.id,,String +netskope.events.dlp.is_unique_count,,String +netskope.events.dlp.mail.parent_id,,String +netskope.events.dlp.parent.id,,String +netskope.events.dlp.profile,,String +netskope.events.dlp.score,,Integer +netskope.events.dlp.severity,,String +netskope.events.dlp.unique_count,,Integer +netskope.events.domain,,String +netskope.events.domain_shared_with,,String +netskope.events.drive.id,,String +netskope.events.encrypt.failure,,String +netskope.events.end_time,,Integer 
+netskope.events.enterprise.id,,String +netskope.events.enterprise.name,,String +netskope.events.event_type,,String +netskope.events.event.type,,String +netskope.events.exposure,,String +netskope.events.external_collaborator_count,,Integer +netskope.events.false_positive,,String +netskope.events.file.id,,String +netskope.events.file.is_password_protected,,String +netskope.events.file.lang,,String +netskope.events.forward_to_proxy_profile,,String +netskope.events.from.logs,,String +netskope.events.from.object,,String +netskope.events.from.storage,,String +netskope.events.from.user_category,,String +netskope.events.gateway,,String +netskope.events.graph.id,,Integer +netskope.events.http_status,,String +netskope.events.http_transaction_count,,Integer +netskope.events.iaas_asset_tags,,String +netskope.events.id,,String +netskope.events.insertion.timestamp,,Integer +netskope.events.instance_name,,String +netskope.events.instance.id,,String +netskope.events.instance.name,,String +netskope.events.instance.type,,String +netskope.events.internal_collaborator_count,,Integer +netskope.events.ip.protocol,,String +netskope.events.is_bypass_traffic,,String +netskope.events.is_malicious,,String +netskope.events.item.id,,String +netskope.events.justification.type,,String +netskope.events.last.app,,String +netskope.events.last.country,,String +netskope.events.last.device,,String +netskope.events.last.location,,String +netskope.events.last.region,,String +netskope.events.last.timestamp,,Integer +netskope.events.latency.max,,Integer +netskope.events.latency.min,,Integer +netskope.events.latency.total,,Integer +netskope.events.legal_hold_profile_name,,String +netskope.events.lh.custodian.name,,String +netskope.events.lh.destination.app,,String +netskope.events.lh.destination.instance,,String +netskope.events.lh.file_id,,String +netskope.events.lh.filename,,String +netskope.events.lh.filename_original,,String +netskope.events.lh.filepath,,String +netskope.events.lh.shared,,String 
+netskope.events.lh.shared_with,,String +netskope.events.lh.version,,String +netskope.events.list.id,,String +netskope.events.log_file.name,,String +netskope.events.login.type,,String +netskope.events.login.url,,String +netskope.events.malsite_category,,String +netskope.events.malware.id,,String +netskope.events.malware.name,,String +netskope.events.malware.profile,,String +netskope.events.malware.severity,,String +netskope.events.malware.type,,String +netskope.events.managed_app,,String +netskope.events.management.id,,String +netskope.events.metric_value,,Integer +netskope.events.modified_at,,Integer +netskope.events.quarantine.original.shared,,String +netskope.events.network.name,,String +netskope.events.network.session_id,,String +netskope.events.new_value,,String +netskope.events.notify_template,,String +netskope.events.ns.activity,,String +netskope.events.ns.device_uid,,String +netskope.events.numbytes,,Integer +netskope.events.obfuscate,,String +netskope.events.object.count,,String +netskope.events.object.id,,String +netskope.events.object.name,,String +netskope.events.object.type,,String +netskope.events.old_value,,String +netskope.events.org,,String +netskope.events.organization_unit,,String +netskope.events.orig_ty,,String +netskope.events.original_file_path,,String +netskope.events.other.categories,,String +netskope.events.owner,,String +netskope.events.page,,String +netskope.events.page_site,,String +netskope.events.parent.id,,String +netskope.events.path_id,,String +netskope.events.policy.id,,String +netskope.events.policy.name,,String +netskope.events.profile.emails,,String +netskope.events.profile.id,,String +netskope.events.protocol,,String +netskope.events.publisher_cn,,String +netskope.events.qar,,String +netskope.events.quarantine.action.reason,,String +netskope.events.quarantine.admin,,String +netskope.events.quarantine.app,,String +netskope.events.quarantine.app_name,,String +netskope.events.quarantine.failure,,String 
+netskope.events.quarantine.file.id,,String +netskope.events.quarantine.file.name,,String +netskope.events.quarantine.instance,,String +netskope.events.quarantine.original.file.name,,String +netskope.events.quarantine.original.file.path,,String +netskope.events.quarantine.original.shared,,String +netskope.events.quarantine.original.version,,String +netskope.events.quarantine.profile.id,,String +netskope.events.quarantine.profile.name,,String +netskope.events.quarantine.shared_with,,String +netskope.events.referer,,String +netskope.events.region,,String +netskope.events.region.id,,String +netskope.events.repo,,String +netskope.events.request.count,,Integer +netskope.events.request.id,,String +netskope.events.response.content.length,,Integer +netskope.events.response.content.type,,String +netskope.events.response.count,,Integer +netskope.events.retro_scan_name,,String +netskope.events.risk_level,,String +netskope.events.risk_level_id,,String +netskope.events.role,,String +netskope.events.run_id,,String +netskope.events.sa.profile.id,,String +netskope.events.sa.profile.name,,String +netskope.events.sa.rule.severity,,String +netskope.events.scan.time,,String +netskope.events.scan.type,,String +netskope.events.scopes,,String +netskope.events.serial,,String +netskope.events.session.duration,,Integer +netskope.events.session.id,,String +netskope.events.session.packets,,Integer +netskope.events.severity.id,,String +netskope.events.severity.level,,String +netskope.events.severity.type,,String +netskope.events.sfwder,,String +netskope.events.shared.domains,,String +netskope.events.shared.is_shared,,String +netskope.events.shared.type,,String +netskope.events.shared.with,,String +netskope.events.site,,String +netskope.events.slc.geo.location.lat,,Floating Point +netskope.events.slc.geo.location.lon,,Floating Point +netskope.events.source.geoip_src,,Integer +netskope.events.ssl_decrypt_policy,,String +netskope.events.start_time,,Integer +netskope.events.sub_type,,String 
+netskope.events.supporting_data,,String +netskope.events.suppression.end_time,,Integer +netskope.events.suppression.key,,String +netskope.events.suppression.start_time,,Integer +netskope.events.team,,String +netskope.events.telemetry_app,,String +netskope.events.temp_user,,String +netskope.events.tenant.id,,String +netskope.events.threat.match.field,,String +netskope.events.threat.match.value,,String +netskope.events.threat.source.id,,String +netskope.events.threshold,,Integer +netskope.events.to.object,,String +netskope.events.to.storage,,String +netskope.events.to.user,,String +netskope.events.to.user_category,,String +netskope.events.total_packets,,Integer +netskope.events.total.collaborator_count,,String +netskope.events.traffic.type,,String +netskope.events.transaction.id,,String +netskope.events.tss_mode,,Integer +netskope.events.tunnel.id,,String +netskope.events.tunnel.type,,String +netskope.events.tunnel.up_time,,Integer +netskope.events.two_factor_auth,,Integer +netskope.events.type,,String +netskope.events.universal_connector,,String +netskope.events.url,,String +netskope.events.url_to_activity,,String +netskope.events.user.category,,String +netskope.events.user.generated,,String +netskope.events.user.group,,String +netskope.events.user.ip,,String +netskope.events.user.is_aggregated,,String +netskope.events.violating.user.name,,String +netskope.events.violating.user.type,,String +netskope.events.web_universal_connector,,String +netskope.events.web.url,,String +netskope.events.workspace.id,,String +netskope.events.workspace.name,,String +netskope.events.zip_password,,String +network.protocol,,String +rule.id,,String +rule.name,,String +server.bytes,,Integer +server.packets,,Integer +source.address,,String +source.geo.city_name,,String +source.geo.country_iso_code,,String +source.geo.location.lat,,Floating Point +source.geo.location.lon,,Floating Point +source.geo.postal_code,,String +source.geo.region_name,,String +source.geo.timezone,,String 
+source.ip,,String +source.port,,Integer +threat.indicator.file.hash.md5,,String +threat.indicator.file.hash.sha1,,String +threat.indicator.file.hash.sha256,,String +user_agent.name,,String +user_agent.original,,String +user_agent.os.name,,String +user_agent.os.version,,String +user_agent.version,,String +user.email,,String +user.group.name,,String +user.name,,String +user.roles,,String +file.mime_type.1,,String +file.mime_type.2,,String +user.email.1,,String +user.email.2,,String +user.email.3,,String +user.email.4,,String +user.email.5,,String +user.email.6,,String +``` + +## Fields and Sample event + +### Alerts + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.port | Port of the client. | long | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. 
| keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. 
| keyword | +| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module | constant_keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| netskope.alerts.Url2Activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. | keyword | +| netskope.alerts.access_method | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. 
For log uploads this shows the actual log type such as PAN, Websense, etc. | keyword | +| netskope.alerts.account.id | Account ID (usually is account number as provided by the cloud provider). | keyword | +| netskope.alerts.account.name | Account name - in case of AWS this is the instance name set by user. For others, account name is provided by cloud provider. | keyword | +| netskope.alerts.acked | Whether user acknowledged the alert or not. | boolean | +| netskope.alerts.acting.role | N/A | keyword | +| netskope.alerts.action | Action taken on the event for the policy. | keyword | +| netskope.alerts.activities | N/A | array | +| netskope.alerts.activity.name | Description of the user performed activity. | keyword | +| netskope.alerts.activity.status | Displayed when the user is denied access while performing some activity. | keyword | +| netskope.alerts.activity.type | Displayed when only admins can perform the activity in question. | keyword | +| netskope.alerts.agg.window | N/A | long | +| netskope.alerts.aggregated.user | N/A | boolean | +| netskope.alerts.alert.affected.entities | N/A | keyword | +| netskope.alerts.alert.category | N/A | keyword | +| netskope.alerts.alert.description | N/A | keyword | +| netskope.alerts.alert.detection.stage | N/A | keyword | +| netskope.alerts.alert.id | Hash of alert generated from code. | keyword | +| netskope.alerts.alert.name | Name of the alert. | keyword | +| netskope.alerts.alert.notes | N/A | keyword | +| netskope.alerts.alert.query | N/A | keyword | +| netskope.alerts.alert.score | N/A | long | +| netskope.alerts.alert.source | N/A | keyword | +| netskope.alerts.alert.status | N/A | keyword | +| netskope.alerts.alert.type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. 
| keyword |
+| netskope.alerts.alert.window | N/A | long |
+| netskope.alerts.algorithm | N/A | keyword |
+| netskope.alerts.anomaly.efficacy | Full anomaly details for debugging. | keyword |
+| netskope.alerts.anomaly.fields | Name(s) and values(s) of the anomalous fields, usually there's going to be only one in the list. | keyword |
+| netskope.alerts.anomaly.id | N/A | keyword |
+| netskope.alerts.anomaly.magnitude | N/A | double |
+| netskope.alerts.anomaly.type | Type of UBA alert. | keyword |
+| netskope.alerts.app.activity | N/A | keyword |
+| netskope.alerts.app.app_name | N/A | keyword |
+| netskope.alerts.app.category | N/A | keyword |
+| netskope.alerts.app.name | Specific cloud application used by the user (e.g. app = Dropbox). | keyword |
+| netskope.alerts.app.region | N/A | keyword |
+| netskope.alerts.app.session.id | Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. | keyword |
+| netskope.alerts.app.suite | N/A | keyword |
+| netskope.alerts.asn | N/A | long |
+| netskope.alerts.asset.id | N/A | keyword |
+| netskope.alerts.asset.object.id | N/A | keyword |
+| netskope.alerts.attachment | File name. | keyword |
+| netskope.alerts.audit.category | The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. | keyword |
+| netskope.alerts.audit.type | The sub category in audit according to SaaS / IaaS apps. | keyword |
+| netskope.alerts.bin.timestamp | Applicable to only: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/Download/Delete) and Failed Login Anomaly type.
Bin TimeStamp (is a window used that is used for certain types of anomalies - for breaking into several windows per day/hour). | long |
+| netskope.alerts.breach.date | Breach date for compromised credentials. | double |
+| netskope.alerts.breach.description | N/A | keyword |
+| netskope.alerts.breach.id | Breach ID for compromised credentials. | keyword |
+| netskope.alerts.breach.media_references | Media references of breach. | keyword |
+| netskope.alerts.breach.score | Breach score for compromised credentials. | long |
+| netskope.alerts.breach.target_references | Breach target references for compromised credentials. | keyword |
+| netskope.alerts.browser.session.id | Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. | keyword |
+| netskope.alerts.bucket | N/A | keyword |
+| netskope.alerts.bypass.traffic | Tells if traffic is bypassed by Netskope. | boolean |
+| netskope.alerts.category.id | Matching category ID according to policy. Populated for both cloud and web traffic. | keyword |
+| netskope.alerts.category.name | N/A | keyword |
+| netskope.alerts.cci | N/A | keyword |
+| netskope.alerts.ccl | Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. | keyword |
+| netskope.alerts.channel | Channel of the user for slack and slack enterprise apps. | keyword |
+| netskope.alerts.cloud.provider | N/A | keyword |
+| netskope.alerts.compliance.standards | N/A | keyword |
+| netskope.alerts.compute.instance | N/A | keyword |
+| netskope.alerts.connection.duration | Duration of the connection in milliseconds. Useful for querying long-lived sessions. | long |
+| netskope.alerts.connection.endtime | Connection end time.
| long |
+| netskope.alerts.connection.id | Each connection has a unique ID. Shows the ID for the connection event. | keyword |
+| netskope.alerts.connection.starttime | Connection start time. | long |
+| netskope.alerts.count | Number of raw log lines/events sessionized or suppressed during the suppressed interval. | long |
+| netskope.alerts.created_at | N/A | keyword |
+| netskope.alerts.data.type | Content type of upload/download. | keyword |
+| netskope.alerts.data.version | N/A | long |
+| netskope.alerts.description | N/A | keyword |
+| netskope.alerts.destination.geoip_src | Source from where the location of Destination IP was derived. | long |
+| netskope.alerts.detected-file-type | N/A | keyword |
+| netskope.alerts.detection.engine | Customer exposed detection engine name. | keyword |
+| netskope.alerts.detection.type | Same as malware type. Duplicate. | keyword |
+| netskope.alerts.device.classification | Designation of device as determined by the Netskope Client as to whether the device is managed or not. | keyword |
+| netskope.alerts.device.name | Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. | keyword |
+| netskope.alerts.dlp.file | File/Object name extracted from the file/object. | keyword |
+| netskope.alerts.dlp.fingerprint.classification | Fingerprint classification. | keyword |
+| netskope.alerts.dlp.fingerprint.match | Fingerprint classification match file name. | keyword |
+| netskope.alerts.dlp.fingerprint.score | Fingerprint classification score. | long |
+| netskope.alerts.dlp.fv | N/A | long |
+| netskope.alerts.dlp.incident.id | Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. | keyword |
+| netskope.alerts.dlp.is_unique_count | True or false depending upon if rule is unique counted per rule data.
| boolean |
+| netskope.alerts.dlp.mail.parent.id | N/A | keyword |
+| netskope.alerts.dlp.parent.id | Incident ID associated with main container (or non-container) file that was scanned. | keyword |
+| netskope.alerts.dlp.profile | DLP profile name. | keyword |
+| netskope.alerts.dlp.rule.count | Count of rule hits. | long |
+| netskope.alerts.dlp.rule.name | DLP rule that triggered. | keyword |
+| netskope.alerts.dlp.rule.score | DLP rule score for weighted dictionaries. | long |
+| netskope.alerts.dlp.rule.severity | Severity of rule. | keyword |
+| netskope.alerts.dlp.unique_count | Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. | long |
+| netskope.alerts.doc.count | N/A | long |
+| netskope.alerts.domain | Domain value. This will hold the host header value or SNI or extracted from absolute URI. | keyword |
+| netskope.alerts.domain_shared_with | N/A | keyword |
+| netskope.alerts.download.app | Applicable to only data exfiltration. Download App (App in the download event). | keyword |
+| netskope.alerts.drive.id | N/A | keyword |
+| netskope.alerts.dynamic.classification | URLs were categorized by NSURLC machine or not. | keyword |
+| netskope.alerts.elastic_key | N/A | keyword |
+| netskope.alerts.email.source | N/A | keyword |
+| netskope.alerts.encrypt.failure | Reason of failure while encrypting. | keyword |
+| netskope.alerts.encryption.service.key | N/A | keyword |
+| netskope.alerts.enterprise.id | EnterpriseID in case of Slack for Enterprise. | keyword |
+| netskope.alerts.enterprise.name | Enterprise name in case of Slack for Enterprise. | keyword |
+| netskope.alerts.entity.list | N/A | array |
+| netskope.alerts.entity.type | N/A | keyword |
+| netskope.alerts.entity.value | N/A | keyword |
+| netskope.alerts.event.detail | N/A | keyword |
+| netskope.alerts.event.id | N/A | keyword |
+| netskope.alerts.event.type | Anomaly type.
| keyword |
+| netskope.alerts.event_source_channel | N/A | keyword |
+| netskope.alerts.exposure | Exposure of a document. | keyword |
+| netskope.alerts.external.collaborator.count | Count of external collaborators on a file/folder. Supported for some apps. | long |
+| netskope.alerts.external.email | N/A | long |
+| netskope.alerts.feature.description | N/A | keyword |
+| netskope.alerts.feature.id | N/A | keyword |
+| netskope.alerts.feature.name | N/A | keyword |
+| netskope.alerts.file.id | Unique identifier of the file. | keyword |
+| netskope.alerts.file.lang | Language of the file. | keyword |
+| netskope.alerts.file.name | N/A | keyword |
+| netskope.alerts.file.password.protected | N/A | keyword |
+| netskope.alerts.file.path.orignal | If the file is moved, then keep original path of the file in this field. | keyword |
+| netskope.alerts.file.size | Size of the file in bytes. | long |
+| netskope.alerts.file.type | File type. | keyword |
+| netskope.alerts.flow_status | N/A | keyword |
+| netskope.alerts.from.logs | Shows if the event was generated from the Risk Insights log. | keyword |
+| netskope.alerts.from.object | Initial name of an object that has been renamed, copied or moved. | keyword |
+| netskope.alerts.from.storage | N/A | keyword |
+| netskope.alerts.from.user_category | Type of from_user. | keyword |
+| netskope.alerts.gateway | N/A | keyword |
+| netskope.alerts.graph.id | N/A | keyword |
+| netskope.alerts.http_status | N/A | keyword |
+| netskope.alerts.http_transaction_count | HTTP transaction count. | long |
+| netskope.alerts.iaas.asset.tags | List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. | keyword |
+| netskope.alerts.iaas.remediated | N/A | keyword |
+| netskope.alerts.iam.session | N/A | keyword |
+| netskope.alerts.id | N/A | keyword |
+| netskope.alerts.insertion_epoch_timestamp | Insertion timestamp.
| long |
+| netskope.alerts.instance.id | Unique ID associated with an organization application instance. | keyword |
+| netskope.alerts.instance.name | Instance name associated with an organization application instance. | keyword |
+| netskope.alerts.instance.type | Instance type. | keyword |
+| netskope.alerts.instance_name | Instance associated with an organization application instance. | keyword |
+| netskope.alerts.internal.collaborator.count | Count of internal collaborators on a file/folder. Supported for some apps. | long |
+| netskope.alerts.ip.protocol | N/A | keyword |
+| netskope.alerts.ipblock | IPblock that caused the alert. | keyword |
+| netskope.alerts.is_alert | Indicates whether alert is generated or not. Populated as yes for all alerts. | boolean |
+| netskope.alerts.is_file_passwd_protected | Tells if the file is password protected. | boolean |
+| netskope.alerts.is_malicious | Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. | boolean |
+| netskope.alerts.is_two_factor_auth | N/A | keyword |
+| netskope.alerts.is_universal_connector | N/A | keyword |
+| netskope.alerts.is_user_generated | Tells whether it is user generated page event. | boolean |
+| netskope.alerts.is_web_universal_connector | N/A | boolean |
+| netskope.alerts.isp | N/A | keyword |
+| netskope.alerts.item.id | N/A | keyword |
+| netskope.alerts.justification.reason | Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. | keyword |
+| netskope.alerts.justification.type | Type of justification provided by user when user bypasses the policy block. | keyword |
+| netskope.alerts.last.app | Last application (app in the first/older event). Applies to only proximity anomaly alert.
| keyword |
+| netskope.alerts.last.coordinates | Last location coordinates(latitude, longitude). Applies to only proximity alert. | keyword |
+| netskope.alerts.last.country | Last location (Country). Applies to only proximity anomaly alert. | keyword |
+| netskope.alerts.last.device | Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. | keyword |
+| netskope.alerts.last.location | Last location (City). Applies to only proximity anomaly alert. | keyword |
+| netskope.alerts.last.modified_timestamp | Timestamp when alert is acknowledged. | long |
+| netskope.alerts.last.region | Applies to only proximity anomaly alert. | keyword |
+| netskope.alerts.last.timestamp | Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. | long |
+| netskope.alerts.latency.max | Max latency for a connection in milliseconds. | long |
+| netskope.alerts.latency.min | Min latency for a connection in milliseconds. | long |
+| netskope.alerts.latency.total | Total latency from proxy to app in milliseconds. | long |
+| netskope.alerts.legal_hold.custodian_name | Custodian name of legal hold profile. | keyword |
+| netskope.alerts.legal_hold.destination.app | Destination appname of legalhold action. | keyword |
+| netskope.alerts.legal_hold.destination.instance | Destination instance of legal hold action. | keyword |
+| netskope.alerts.legal_hold.file.id | File ID of legal hold file. | keyword |
+| netskope.alerts.legal_hold.file.name | File name of legal hold file. | keyword |
+| netskope.alerts.legal_hold.file.name_original | Original filename of legal hold file. | keyword |
+| netskope.alerts.legal_hold.file.path | File path of legal hold file. | keyword |
+| netskope.alerts.legal_hold.profile_name | Legal hold profile name. | keyword |
+| netskope.alerts.legal_hold.shared | Shared type of legal hold file. | keyword |
+| netskope.alerts.legal_hold.shared_with | User shared with the legal hold file.
| keyword |
+| netskope.alerts.legal_hold.version | File version of original file. | keyword |
+| netskope.alerts.list.id | N/A | keyword |
+| netskope.alerts.local.md5 | md5 hash of file generated by Malware engine. | keyword |
+| netskope.alerts.local.sha1 | sha1 hash of file generated by Malware engine. | keyword |
+| netskope.alerts.local.sha256 | sha256 hash of file generated by Malware engine. | keyword |
+| netskope.alerts.log.file.name | Log file name for Risk Insights. | keyword |
+| netskope.alerts.login.type | Salesforce login type. | keyword |
+| netskope.alerts.login.url | Salesforce login URL. | flattened |
+| netskope.alerts.malsite.active | Since how many days malsite is Active. | long |
+| netskope.alerts.malsite.as.number | Malsite ASN Number. | keyword |
+| netskope.alerts.malsite.category | Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. | keyword |
+| netskope.alerts.malsite.city | Malsite city. | keyword |
+| netskope.alerts.malsite.confidence | Malsite confidence score. | long |
+| netskope.alerts.malsite.consecutive | How many times that malsite is seen. | long |
+| netskope.alerts.malsite.country | Malsite country. | keyword |
+| netskope.alerts.malsite.dns.server | DNS server of the malsite URL/Domain/IP. | keyword |
+| netskope.alerts.malsite.first_seen | Malsite first seen timestamp. | long |
+| netskope.alerts.malsite.hostility | Malsite hostility score. | long |
+| netskope.alerts.malsite.id | Malicious Site ID - Hash of threat match value. | keyword |
+| netskope.alerts.malsite.ip_host | Malsite IP. | keyword |
+| netskope.alerts.malsite.isp | Malsite ISP info. | keyword |
+| netskope.alerts.malsite.last.seen | Malsite last seen timestamp. | long |
+| netskope.alerts.malsite.latitude | Latitude plot of the Malsite URL/IP/Domain. | double |
+| netskope.alerts.malsite.longitude | Longitude plot of the Malsite URL/IP/Domain. | double |
+| netskope.alerts.malsite.region | Region of the malsite URL/IP/Domain.
| keyword |
+| netskope.alerts.malsite.reputation | Reputation score of Malsite IP/Domain/URL. | double |
+| netskope.alerts.malsite.severity.level | Severity level of the Malsite ( High / Med / Low). | keyword |
+| netskope.alerts.malware.id | md5 hash of the malware name as provided by the scan engine. | keyword |
+| netskope.alerts.malware.name | Netskope detection name. | keyword |
+| netskope.alerts.malware.profile | tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure. | keyword |
+| netskope.alerts.malware.severity | Malware severity. | keyword |
+| netskope.alerts.malware.type | Malware Type. | keyword |
+| netskope.alerts.managed.app | Whether or not the app in question is managed. | boolean |
+| netskope.alerts.management.id | Management ID. | keyword |
+| netskope.alerts.matched.username | N/A | keyword |
+| netskope.alerts.matrix.columns | N/A | keyword |
+| netskope.alerts.matrix.rows | N/A | keyword |
+| netskope.alerts.md5 | md5 of the file. | keyword |
+| netskope.alerts.md5_list | List of md5 hashes specific to the files that are part of custom sequence policy alert. | keyword |
+| netskope.alerts.mime.type | MIME type of the file. | keyword |
+| netskope.alerts.ml_detection | N/A | boolean |
+| netskope.alerts.modified.date | N/A | long |
+| netskope.alerts.modified.timestamp | Timestamp corresponding to the modification time of the entity (file, etc.). | long |
+| netskope.alerts.netskope_pop | N/A | keyword |
+| netskope.alerts.network.name | N/A | keyword |
+| netskope.alerts.network.security.group | N/A | array |
+| netskope.alerts.new.value | New value for a given file for salesforce.com. | keyword |
+| netskope.alerts.nonzero.entries | N/A | long |
+| netskope.alerts.nonzero.percentage | N/A | double |
+| netskope.alerts.notify.template | N/A | keyword |
+| netskope.alerts.ns_activity | Maps app activity to Netskope standard activity.
| keyword |
+| netskope.alerts.ns_device_uid | Device identifiers on macOS and Windows. | keyword |
+| netskope.alerts.numbytes | Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. | long |
+| netskope.alerts.obfuscate | N/A | boolean |
+| netskope.alerts.object.count | Displayed when the activity is Delete. Shows the number of objects being deleted. | long |
+| netskope.alerts.object.id | Unique ID associated with an object. | keyword |
+| netskope.alerts.object.name | Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. | keyword |
+| netskope.alerts.object.type | Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. | keyword |
+| netskope.alerts.old.value | Old value for a given file for salesforce.com. | keyword |
+| netskope.alerts.org | Search for events from a specific organization. Organization name is derived from the user ID. | keyword |
+| netskope.alerts.organization.unit | Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. | keyword |
+| netskope.alerts.orig_ty | Event Type of original event. | keyword |
+| netskope.alerts.original.file_path | If the file is moved, then keep original path of the file in this field. | keyword |
+| netskope.alerts.os_version_hostname | Host and OS Version that caused the alert. Concatenation of 2 fields (hostname and os). | keyword |
+| netskope.alerts.other.categories | N/A | keyword |
+| netskope.alerts.owner | Owner of the file. | keyword |
+| netskope.alerts.page.site | N/A | keyword |
+| netskope.alerts.page.url | The URL of the originating page.
| flattened |
+| netskope.alerts.parameters | N/A | keyword |
+| netskope.alerts.parent.id | N/A | keyword |
+| netskope.alerts.path.id | N/A | keyword |
+| netskope.alerts.policy.actions | N/A | keyword |
+| netskope.alerts.policy.id | The Netskope internal ID for the policy created by an admin. | keyword |
+| netskope.alerts.policy.name | Predefined or Custom policy name. | keyword |
+| netskope.alerts.pretty.sourcetype | N/A | keyword |
+| netskope.alerts.processing.time | N/A | long |
+| netskope.alerts.profile.emails | List of profile emails per policy. | keyword |
+| netskope.alerts.profile.id | Anomaly profile ID. | keyword |
+| netskope.alerts.quarantine.action.reason | Reason for the action taken for quarantine. | keyword |
+| netskope.alerts.quarantine.admin | Quarantine profile custodian email/name. | keyword |
+| netskope.alerts.quarantine.app | Quarantine app name. | keyword |
+| netskope.alerts.quarantine.failure | Reason of failure. | keyword |
+| netskope.alerts.quarantine.file.id | File ID of the quarantined file. | keyword |
+| netskope.alerts.quarantine.file.name | File name of the quarantine file. | keyword |
+| netskope.alerts.quarantine.instance | Quarantine instance name. | keyword |
+| netskope.alerts.quarantine.original.file.name | Original file name which got quarantined. | keyword |
+| netskope.alerts.quarantine.original.file.path | Original file path which got quarantined. | keyword |
+| netskope.alerts.quarantine.original.shared | Original file shared user details. | keyword |
+| netskope.alerts.quarantine.original.version | Original version of file which got quarantined. | keyword |
+| netskope.alerts.quarantine.profile.id | Quarantine profile ID. | keyword |
+| netskope.alerts.quarantine.profile.name | Quarantine profile name of policy for quarantine action.
| keyword |
+| netskope.alerts.quarantine.shared.with | N/A | keyword |
+| netskope.alerts.referer | Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. | keyword |
+| netskope.alerts.region.id | Region ID (as provided by the cloud provider). | keyword |
+| netskope.alerts.region.name | N/A | keyword |
+| netskope.alerts.reladb | N/A | keyword |
+| netskope.alerts.repo | N/A | keyword |
+| netskope.alerts.request.cnt | Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. | long |
+| netskope.alerts.request.id | Unique request ID for the event. | keyword |
+| netskope.alerts.resource.category | Category of resource as defined in DOM. | keyword |
+| netskope.alerts.resource.group | N/A | keyword |
+| netskope.alerts.resources | N/A | keyword |
+| netskope.alerts.response.cnt | Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. | long |
+| netskope.alerts.response.content.length | N/A | long |
+| netskope.alerts.response.content.type | N/A | keyword |
+| netskope.alerts.retro.scan.name | Retro scan name. | keyword |
+| netskope.alerts.risk_level.id | This field is set by both role-based access (RBA) and MLAD. | keyword |
+| netskope.alerts.risk_level.tag | Corresponding field to risk_level_id. Name. | keyword |
+| netskope.alerts.role | Roles for Box. | keyword |
+| netskope.alerts.rule.id | N/A | keyword |
+| netskope.alerts.sa.profile.id | CSA profile ID. | keyword |
+| netskope.alerts.sa.profile.name | CSA profile name. | keyword |
+| netskope.alerts.sa.rule.id | CSA rule ID. | keyword |
+| netskope.alerts.sa.rule.name | CSA rule name. | keyword |
+| netskope.alerts.sa.rule.remediation | N/A | keyword |
+| netskope.alerts.sa.rule.severity | Rule severity. | keyword |
+| netskope.alerts.scan.time | Time when the scan is done.
| long |
+| netskope.alerts.scan.type | Generated during retroactive scan or new ongoing activity. | keyword |
+| netskope.alerts.scanner_result | N/A | keyword |
+| netskope.alerts.scopes | List of permissions for google apps. | keyword |
+| netskope.alerts.serial | N/A | keyword |
+| netskope.alerts.server.bytes | Total number of downloaded from server to client. | long |
+| netskope.alerts.session.id | Populated by Risk Insights. | keyword |
+| netskope.alerts.severity.id | Severity ID used by watchlist and malware alerts. | keyword |
+| netskope.alerts.severity.level | Severity used by watchlist and malware alerts. | keyword |
+| netskope.alerts.severity.level_id | If the Severity Level ID is 1, it means that URL / IP /Domain is detected from Internal threat feed and if Severity Level ID is 2, then it means the detection happened based on the Zvelo DB Malsite Category. | long |
+| netskope.alerts.sfwder | N/A | keyword |
+| netskope.alerts.shared.credential.user | Applicable to only shared credentials. User with whom the credentials are shared with. | keyword |
+| netskope.alerts.shared.domains | List of domains of users the document is shared with. | keyword |
+| netskope.alerts.shared.is_shared | If the file is shared or not. | boolean |
+| netskope.alerts.shared.type | Shared Type. | keyword |
+| netskope.alerts.shared.with | Array of emails with whom a document is shared with. | keyword |
+| netskope.alerts.shared_type | N/A | keyword |
+| netskope.alerts.site | For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". | keyword |
+| netskope.alerts.slc_latitude | N/A | keyword |
+| netskope.alerts.slc_longitude | N/A | keyword |
+| netskope.alerts.source.geoip_src | Source from where the location of Source IP was derived.
| long |
+| netskope.alerts.source.time | N/A | keyword |
+| netskope.alerts.srcip2 | N/A | keyword |
+| netskope.alerts.ssl.decrypt.policy | Applicable to only bypass events. There are 2 ways to create rules for bypass: Bypass due to Exception Configuration Bypass due to SSL Decrypt Policy The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. | keyword |
+| netskope.alerts.start_time | Start time for alert time period. | long |
+| netskope.alerts.statistics | This field & summary field go together. This field will either tell count or size of files. File size is in bytes. | long |
+| netskope.alerts.storage_service_bucket | N/A | keyword |
+| netskope.alerts.sub.type | Workplace by Facebook post sub category (files, comments, status etc). | keyword |
+| netskope.alerts.summary | Tells whether anomaly was measured from count or size of files. | keyword |
+| netskope.alerts.suppression.end.time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long |
+| netskope.alerts.suppression.key | To limit the number of events. Example: Suppress block event for browse. | keyword |
+| netskope.alerts.suppression.start.time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long |
+| netskope.alerts.target.entity.key | N/A | keyword |
+| netskope.alerts.target.entity.type | N/A | keyword |
+| netskope.alerts.target.entity.value | N/A | keyword |
+| netskope.alerts.team | Slack team name.
| keyword |
+| netskope.alerts.telemetry.app | Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field. | keyword |
+| netskope.alerts.temp.user | N/A | keyword |
+| netskope.alerts.tenant.id | Tenant id. | keyword |
+| netskope.alerts.threat.match.field | Threat match field, either from domain or URL or IP. | keyword |
+| netskope.alerts.threat.match.value | N/A | keyword |
+| netskope.alerts.threat.source.id | Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. | keyword |
+| netskope.alerts.threshold.time | Applicable to: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. Threshold Time. | long |
+| netskope.alerts.threshold.value | Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. | long |
+| netskope.alerts.title | Title of the file. | keyword |
+| netskope.alerts.to.object | Changed name of an object that has been renamed, copied, or moved. | keyword |
+| netskope.alerts.to.storage | N/A | keyword |
+| netskope.alerts.to.user | Used when a file is moved from user A to user B. Shows the email address of user B. | keyword |
+| netskope.alerts.to.user_category | Type of user to which move is done. | keyword |
+| netskope.alerts.total.collaborator.count | Count of collaborators on a file/folder. Supported for some apps. | long |
+| netskope.alerts.traffic.type | Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. | keyword |
+| netskope.alerts.transaction.id | Unique ID for a given request/response.
| keyword |
+| netskope.alerts.transformation | N/A | keyword |
+| netskope.alerts.tss.mode | Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. | keyword |
+| netskope.alerts.tss.version | N/A | long |
+| netskope.alerts.tunnel.id | Shows the Client installation ID. Only available for the Client steering configuration. | keyword |
+| netskope.alerts.type | Type of the alert. | keyword |
+| netskope.alerts.uba_ap1 | N/A | keyword |
+| netskope.alerts.uba_ap2 | N/A | keyword |
+| netskope.alerts.uba_inst1 | N/A | keyword |
+| netskope.alerts.uba_inst2 | N/A | keyword |
+| netskope.alerts.updated | N/A | long |
+| netskope.alerts.url | URL of the application that the user visited as provided by the log or data plane traffic. | flattened |
+| netskope.alerts.user.category | Type of user in an enterprise - external / internal. | keyword |
+| netskope.alerts.user.geo.city_name | City name. | keyword |
+| netskope.alerts.user.geo.continent_name | Name of the continent. | keyword |
+| netskope.alerts.user.geo.country_iso_code | Country ISO code. | keyword |
+| netskope.alerts.user.geo.country_name | Country name. | keyword |
+| netskope.alerts.user.geo.location | Longitude and latitude. | geo_point |
+| netskope.alerts.user.geo.region_iso_code | Region ISO code. | keyword |
+| netskope.alerts.user.geo.region_name | Region name. | keyword |
+| netskope.alerts.user.group | N/A | keyword |
+| netskope.alerts.user.ip | IP address of User. | keyword |
+| netskope.alerts.value | N/A | double |
+| netskope.alerts.violating_user.name | User who caused a violation. Populated for Workplace by Facebook. | keyword |
+| netskope.alerts.violating_user.type | Category of the user who caused a violation. Populated for Workplace by Facebook. | keyword |
+| netskope.alerts.web.url | File preview URL. | flattened |
+| netskope.alerts.workspace.id | Workspace ID in case of Slack for Enterprise.
| keyword |
+| netskope.alerts.workspace.name | Workspace name in case of Slack for Enterprise. | keyword |
+| netskope.alerts.zip.password | Zip the malicious file and put pwd to it and send it back to caller. | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
+| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
+| threat.indicator.file.hash.sha256 | SHA256 hash.
| keyword |
+| user.email | User email address. | keyword |
+| user.group.name | Name of the group. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user.roles | Array of user roles at the time of the event. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
+
+An example event for `alerts` looks as following:
+
+```json
+{
+ "@timestamp": "2021-12-23T16:27:09.000Z",
+ "agent": {
+ "ephemeral_id": "f6ea30bb-70ab-4ae9-b338-b103657dd749",
+ "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.3.0"
+ },
+ "data_stream": {
+ "dataset": "netskope.alerts",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "81.2.69.143",
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.143"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
+ "snapshot": true,
+ "version": "8.3.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "id": "f621f259f5fbde850ad5593a",
+ "ingested": "2022-04-14T11:24:23Z",
+ "original": "{\"event\":{\"id\":\"f621f259f5fbde850ad5593a\"},\"netskope\":{\"alerts\":{\"insertion_epoch_timestamp\":1640277131,\"access_method\":\"API 
Connector\",\"acked\":\"false\",\"action\":\"block\",\"activity\":{\"name\":\"Login Successful\"},\"is_alert\":\"yes\",\"alert\":{\"name\":\"policy-alert\",\"type\":\"nspolicy\"},\"app\":{\"name\":\"SomeApp\",\"category\":\"Cloud Storage\"},\"category\":{\"name\":\"Cloud Storage\"},\"cci\":\"81\",\"ccl\":\"high\",\"count\":1,\"device\":{\"name\":\"Other\"},\"destination\":{\"geoip_src\":2},\"exposure\":\"organization_wide_link\",\"file\":{\"lang\":\"ENGLISH\"},\"instance\":{\"name\":\"example.com\",\"id\":\"example.com\"},\"modified\":{\"timestamp\":1613760236},\"object\":{\"name\":\"HjBuUvDLWgpudzQr\",\"id\":\"GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg\",\"type\":\"File\"},\"organization\":{\"unit\":\"example.local\\\\\\\\/example\\\\\\\\/Active Users\"},\"other\":{\"categories\":\"null\"},\"owner\":\"foobar\",\"policy\":{\"name\":\"Some Policy\"},\"request\":{\"id\":\"9262245914980288500\"},\"scan\":{\"type\":\"Ongoing\"},\"shared\":{\"with\":\"none\"},\"site\":\"Example\",\"source\":{\"geoip_src\":2},\"suppression\":{\"key\":\"Tenant Migration across MPs\"},\"traffic\":{\"type\":\"CloudApp\"},\"type\":\"policy\",\"url\":\"http:\\\\\\\\/\\\\\\\\/www.example.com\\\\\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg\"}},\"user_agent\":{\"name\":\"unknown\",\"os\":{\"name\":\"unknown\"}},\"destination\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"file\":{\"path\":\"\\\\\\\\/My Drive\\\\\\\\/Clickhouse\\\\\\\\/Tenant Migration across MPs\",\"size\":196869,\"mime_type\":{\"1\":\"application\\\\\\\\/vnd.apps.document\",\"2\":\"application\\\\\\\\/vnd.apps.document\"},\"hash\":{\"md5\":\"4bb5d9501bf7685ecaed55e3eda9ca01\"}},\"source\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North 
Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"@timestamp\":\"2021-12-23T16:27:09.000Z\",\"user\":{\"email\":{\"1\":\"test@example.com\",\"2\":\"test@example.com\",\"3\":\"test@example.com\"},\"group\":{\"name\":\"null\"}}}"
+ },
+ "file": {
+ "hash": {
+ "md5": "4bb5d9501bf7685ecaed55e3eda9ca01"
+ },
+ "mime_type": [
+ "application\\\\/vnd.apps.document"
+ ],
+ "path": "\\\\/My Drive\\\\/Clickhouse\\\\/Tenant Migration across MPs",
+ "size": 196869
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.224.1:57542"
+ }
+ },
+ "netskope": {
+ "alerts": {
+ "access_method": "API Connector",
+ "acked": false,
+ "action": "block",
+ "activity": {
+ "name": "Login Successful"
+ },
+ "alert": {
+ "name": "policy-alert",
+ "type": "nspolicy"
+ },
+ "app": {
+ "category": "Cloud Storage",
+ "name": "SomeApp"
+ },
+ "category": {
+ "name": "Cloud Storage"
+ },
+ "cci": "81",
+ "ccl": "high",
+ "count": 1,
+ "destination": {
+ "geoip_src": 2
+ },
+ "device": {
+ "name": "Other"
+ },
+ "exposure": "organization_wide_link",
+ "file": {
+ "lang": "ENGLISH"
+ },
+ "insertion_epoch_timestamp": 1640277131,
+ "instance": {
+ "id": "example.com",
+ "name": "example.com"
+ },
+ "is_alert": true,
+ "modified": {
+ "timestamp": 1613760236
+ },
+ "object": {
+ "id": "GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg",
+ "name": "HjBuUvDLWgpudzQr",
+ "type": "File"
+ },
+ "organization": {
+ "unit": "example.local\\\\/example\\\\/Active Users"
+ },
+ "owner": "foobar",
+ "policy": {
+ "name": "Some Policy"
+ },
+ "request": {
+ "id": "9262245914980288500"
+ },
+ "scan": {
+ "type": "Ongoing"
+ },
+ "shared": {
+ "with": "none"
+ },
+ "site": "Example",
+ "source": {
+ "geoip_src": 2
+ },
+ "suppression": {
+ "key": "Tenant Migration across MPs"
+ },
+ "traffic": {
+ "type": "CloudApp"
+ },
+ "type": "policy",
+ "url": {
+ "extension": "com\\\\/open",
+ "original": "http:\\\\/\\\\/www.example.com\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg",
+ "path": "\\\\/\\\\/www.example.com\\\\/open",
+ "query": "id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg",
+ "scheme": "http"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "81.2.69.143",
+ "81.2.69.143"
+ ]
+ },
+ "source": {
+ "address": "81.2.69.143",
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.143"
+ },
+ "tags": [
+ "forwarded",
+ "netskope-alerts"
+ ],
+ "user": {
+ "email": [
+ "test@example.com"
+ ]
+ },
+ "user_agent": {
+ "name": "unknown",
+ "os": {
+ "name": "unknown"
+ }
+ }
+}
+```
+
+### Events
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| client.bytes | Bytes sent from the client to the server. | long |
+| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip |
+| client.packets | Packets sent from the client to the server. | long |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine.
| keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude.
| geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
| keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.hash.md5 | MD5 hash. | keyword |
+| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| host.architecture | Operating system architecture.
| keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| log.source.address | Source address from which the log event was read / sent from.
| keyword |
+| netskope.events.access_method | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type such as PAN, Websense, etc. | keyword |
+| netskope.events.ack | Whether user acknowledged the alert or not. | boolean |
+| netskope.events.activity.name | Description of the user performed activity. | keyword |
+| netskope.events.activity.status | Displayed when the user is denied access while performing some activity. | keyword |
+| netskope.events.activity.type | Displayed when only admins can perform the activity in question. | keyword |
+| netskope.events.alarm.description | N/A | keyword |
+| netskope.events.alarm.name | N/A | keyword |
+| netskope.events.alert.is_present | Indicates whether alert is generated or not. Populated as yes for all alerts. | boolean |
+| netskope.events.alert.name | Name of the alert. | keyword |
+| netskope.events.alert.type | Type of the alert. | keyword |
+| netskope.events.app.activity | N/A | keyword |
+| netskope.events.app.category | N/A | keyword |
+| netskope.events.app.name | Specific cloud application used by the user (e.g. app = Dropbox). | keyword |
+| netskope.events.app.region | N/A | keyword |
+| netskope.events.app.session.id | Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. | keyword |
+| netskope.events.attachment | File name.
| keyword |
+| netskope.events.audit.category | The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. | keyword |
+| netskope.events.audit.log.event | N/A | keyword |
+| netskope.events.audit.type | The sub category in audit according to SaaS / IaaS apps. | keyword |
+| netskope.events.browser.session.id | Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. | keyword |
+| netskope.events.bucket | N/A | keyword |
+| netskope.events.category.id | Matching category ID according to policy. Populated for both cloud and web traffic. | keyword |
+| netskope.events.category.name | N/A | keyword |
+| netskope.events.cci | N/A | keyword |
+| netskope.events.ccl | Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. | keyword |
+| netskope.events.channel | Channel of the user for slack and slack enterprise apps. | keyword |
+| netskope.events.client.bytes | Total number of bytes uploaded from client to server. | long |
+| netskope.events.client.packets | N/A | long |
+| netskope.events.connection.duration | Duration of the connection in milliseconds. Useful for querying long-lived sessions. | long |
+| netskope.events.connection.end_time | Connection end time. | long |
+| netskope.events.connection.id | Each connection has a unique ID. Shows the ID for the connection event. | keyword |
+| netskope.events.connection.start_time | Connection start time. | long |
+| netskope.events.count | Number of raw log lines/events sessionized or suppressed during the suppressed interval.
| long |
+| netskope.events.description | N/A | keyword |
+| netskope.events.destination.geoip.source | Source from where the location of Destination IP was derived. | long |
+| netskope.events.detail | N/A | keyword |
+| netskope.events.detection.engine | Customer exposed detection engine name. | keyword |
+| netskope.events.detection.type | Same as malware type. Duplicate. | keyword |
+| netskope.events.device.classification | Designation of device as determined by the Netskope Client as to whether the device is managed or not. | keyword |
+| netskope.events.device.name | N/A | keyword |
+| netskope.events.device.type | Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. | keyword |
+| netskope.events.dlp.count | Count of rule hits. | long |
+| netskope.events.dlp.file | File/Object name extracted from the file/object. | keyword |
+| netskope.events.dlp.fingerprint.classificaiton | Fingerprint classification. | keyword |
+| netskope.events.dlp.fingerprint.match | Fingerprint classification match file name. | keyword |
+| netskope.events.dlp.fingerprint.score | Fingerprint classification score. | long |
+| netskope.events.dlp.fv | N/A | long |
+| netskope.events.dlp.incident.id | Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. | keyword |
+| netskope.events.dlp.is_unique_count | True or false depending upon if rule is unique counted per rule data. | boolean |
+| netskope.events.dlp.mail.parent_id | N/A | keyword |
+| netskope.events.dlp.parent.id | Incident ID associated with main container (or non-container) file that was scanned. | keyword |
+| netskope.events.dlp.profile | DLP profile name. | keyword |
+| netskope.events.dlp.score | DLP rule score for weighted dictionaries. | long |
+| netskope.events.dlp.severity | Severity of rule. | keyword |
+| netskope.events.dlp.unique_count | Integer value of number of unique matches seen per rule data.
Only present if rule is uniquely counted. | long |
+| netskope.events.domain | Domain value. This will hold the host header value or SNI or extracted from absolute URI. | keyword |
+| netskope.events.domain_shared_with | N/A | long |
+| netskope.events.drive.id | N/A | keyword |
+| netskope.events.encrypt.failure | Reason of failure while encrypting. | keyword |
+| netskope.events.end_time | N/A | keyword |
+| netskope.events.enterprise.id | EnterpriseID in case of Slack for Enterprise. | keyword |
+| netskope.events.enterprise.name | Enterprise name in case of Slack for Enterprise. | keyword |
+| netskope.events.event.type | Anomaly type. | keyword |
+| netskope.events.event_type | N/A | keyword |
+| netskope.events.exposure | Exposure of a document. | keyword |
+| netskope.events.external_collaborator_count | Count of external collaborators on a file/folder. Supported for some apps. | long |
+| netskope.events.file.id | Unique identifier of the file. | keyword |
+| netskope.events.file.is_password_protected | N/A | keyword |
+| netskope.events.file.lang | Language of the file. | keyword |
+| netskope.events.from.logs | Shows if the event was generated from the Risk Insights log. | keyword |
+| netskope.events.from.object | Initial name of an object that has been renamed, copied or moved. | keyword |
+| netskope.events.from.storage | N/A | keyword |
+| netskope.events.from.user_category | Type of from_user. | keyword |
+| netskope.events.gateway | N/A | keyword |
+| netskope.events.graph.id | N/A | keyword |
+| netskope.events.http_status | N/A | keyword |
+| netskope.events.http_transaction_count | HTTP transaction count. | long |
+| netskope.events.iaas_asset_tags | List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. | keyword |
+| netskope.events.id | N/A | keyword |
+| netskope.events.insertion.timestamp | Insertion timestamp.
| long |
+| netskope.events.instance.id | Unique ID associated with an organization application instance. | keyword |
+| netskope.events.instance.name | Instance name associated with an organization application instance. | keyword |
+| netskope.events.instance.type | Instance type. | keyword |
+| netskope.events.instance_name | Instance associated with an organization application instance. | keyword |
+| netskope.events.internal_collaborator_count | Count of internal collaborators on a file/folder. Supported for some apps. | long |
+| netskope.events.ip.protocol | N/A | keyword |
+| netskope.events.is_bypass_traffic | Tells if traffic is bypassed by Netskope. | boolean |
+| netskope.events.is_malicious | Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. | boolean |
+| netskope.events.item.id | N/A | keyword |
+| netskope.events.justification.reason | Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. | keyword |
+| netskope.events.justification.type | Type of justification provided by user when user bypasses the policy block. | keyword |
+| netskope.events.last.app | Last application (app in the first/older event). Applies to only proximity anomaly alert. | keyword |
+| netskope.events.last.country | Last location (Country). Applies to only proximity anomaly alert. | keyword |
+| netskope.events.last.device | Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. | keyword |
+| netskope.events.last.location | Last location (City). Applies to only proximity anomaly alert. | keyword |
+| netskope.events.last.region | Applies to only proximity anomaly alert.
| keyword |
+| netskope.events.last.timestamp | Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. | long |
+| netskope.events.latency.max | Max latency for a connection in milliseconds. | long |
+| netskope.events.latency.min | Min latency for a connection in milliseconds. | long |
+| netskope.events.latency.total | Total latency from proxy to app in milliseconds. | long |
+| netskope.events.legal_hold_profile_name | Legal hold profile name. | keyword |
+| netskope.events.lh.custodian.name | Custodian name of legal hold profile. | keyword |
+| netskope.events.lh.destination.app | Destination appname of legalhold action. | keyword |
+| netskope.events.lh.destination.instance | Destination instance of legal hold action. | keyword |
+| netskope.events.lh.file_id | File ID of legal hold file. | keyword |
+| netskope.events.lh.filename | File name of legal hold file. | keyword |
+| netskope.events.lh.filename_original | Original filename of legal hold file. | keyword |
+| netskope.events.lh.filepath | File path of legal hold file. | keyword |
+| netskope.events.lh.shared | Shared type of legal hold file. | keyword |
+| netskope.events.lh.shared_with | User shared with the legal hold file. | keyword |
+| netskope.events.lh.version | File version of original file. | keyword |
+| netskope.events.list.id | N/A | keyword |
+| netskope.events.log_file.name | Log file name for Risk Insights. | keyword |
+| netskope.events.login.type | Salesforce login type. | keyword |
+| netskope.events.login.url | Salesforce login URL. | flattened |
+| netskope.events.malsite_category | Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. | keyword |
+| netskope.events.malware.id | md5 hash of the malware name as provided by the scan engine. | keyword |
+| netskope.events.malware.name | Netskope detection name. | keyword |
+| netskope.events.malware.profile | tss_profile: profile which user has selected. Data comes from WebUI.
Its a json structure. | keyword |
+| netskope.events.malware.severity | Malware severity. | keyword |
+| netskope.events.malware.type | Malware Type. | keyword |
+| netskope.events.managed_app | Whether or not the app in question is managed. | boolean |
+| netskope.events.management.id | Management ID. | keyword |
+| netskope.events.metric_value | N/A | long |
+| netskope.events.modified_at | Timestamp corresponding to the modification time of the entity (file, etc.). | date |
+| netskope.events.netskope_pop | N/A | keyword |
+| netskope.events.network | N/A | keyword |
+| netskope.events.new_value | New value for a given file for salesforce.com. | keyword |
+| netskope.events.notify_template | N/A | keyword |
+| netskope.events.ns.activity | Maps app activity to Netskope standard activity. | keyword |
+| netskope.events.ns.device_uid | Device identifiers on macOS and Windows. | keyword |
+| netskope.events.num_sessions | N/A | long |
+| netskope.events.numbytes | Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. | long |
+| netskope.events.obfuscate | N/A | boolean |
+| netskope.events.object.count | Displayed when the activity is Delete. Shows the number of objects being deleted. | long |
+| netskope.events.object.id | Unique ID associated with an object. | keyword |
+| netskope.events.object.name | Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. | keyword |
+| netskope.events.object.type | Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. | keyword |
+| netskope.events.old_value | Old value for a given file for salesforce.com. | keyword |
+| netskope.events.org | Search for events from a specific organization. Organization name is derived from the user ID. | keyword |
+| netskope.events.organization_unit | Org Units for which the event correlates to.
This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. | keyword |
+| netskope.events.orig_ty | Event Type of original event. | keyword |
+| netskope.events.original_file_path | If the file is moved, then keep original path of the file in this field. | keyword |
+| netskope.events.other.categories | N/A | keyword |
+| netskope.events.owner | Owner of the file. | keyword |
+| netskope.events.page | The URL of the originating page. | keyword |
+| netskope.events.page_site | N/A | keyword |
+| netskope.events.parent.id | N/A | keyword |
+| netskope.events.path_id | Path ID of the file in the application. | long |
+| netskope.events.policy.id | The Netskope internal ID for the policy created by an admin. | keyword |
+| netskope.events.policy.name | Name of the policy configured by an admin. | keyword |
+| netskope.events.profile.emails | List of profile emails per policy. | keyword |
+| netskope.events.profile.id | Anomaly profile ID. | keyword |
+| netskope.events.publisher_cn | N/A | keyword |
+| netskope.events.qar | N/A | keyword |
+| netskope.events.quarantine.action.reason | Reason for the action taken for quarantine. | keyword |
+| netskope.events.quarantine.admin | Quarantine profile custodian email/name. | keyword |
+| netskope.events.quarantine.app | Quarantine app name. | keyword |
+| netskope.events.quarantine.app_name | N/A | keyword |
+| netskope.events.quarantine.failure | Reason of failure. | keyword |
+| netskope.events.quarantine.file.id | File ID of the quarantined file. | keyword |
+| netskope.events.quarantine.file.name | File name of the quarantine file. | keyword |
+| netskope.events.quarantine.instance | Quarantine instance name. | keyword |
+| netskope.events.quarantine.original.file.name | Original file name which got quarantined. | keyword |
+| netskope.events.quarantine.original.file.path | Original file path which got quarantined.
| keyword |
+| netskope.events.quarantine.original.shared | Original file shared user details. | keyword |
+| netskope.events.quarantine.original.version | Original version of file which got quarantined. | keyword |
+| netskope.events.quarantine.profile.id | Quarantine profile ID. | keyword |
+| netskope.events.quarantine.profile.name | Quarantine profile name of policy for quarantine action. | keyword |
+| netskope.events.quarantine.shared_with | N/A | keyword |
+| netskope.events.referer | Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. | flattened |
+| netskope.events.region | N/A | keyword |
+| netskope.events.region.id | Region ID (as provided by the cloud provider). | keyword |
+| netskope.events.repo | N/A | keyword |
+| netskope.events.request.count | Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. | long |
+| netskope.events.request.id | Unique request ID for the event. | keyword |
+| netskope.events.response.content.length | N/A | long |
+| netskope.events.response.content.type | N/A | keyword |
+| netskope.events.response.count | Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. | long |
+| netskope.events.retro_scan_name | Retro scan name. | keyword |
+| netskope.events.risk_level | Corresponding field to risk_level_id. Name. | keyword |
+| netskope.events.risk_level_id | This field is set by both role-based access (RBA) and MLAD. | keyword |
+| netskope.events.role | Roles for Box. | keyword |
+| netskope.events.run_id | Run ID. | long |
+| netskope.events.sa.profile.id | CSA profile ID. | keyword |
+| netskope.events.sa.profile.name | CSA profile name. | keyword |
+| netskope.events.sa.rule.severity | Rule severity. | keyword |
+| netskope.events.scan.time | Time when the scan is done.
| long | +| netskope.events.scan.type | Generated during retroactive scan or new ongoing activity. | keyword | +| netskope.events.scopes | List of permissions for google apps. | keyword | +| netskope.events.serial | N/A | keyword | +| netskope.events.server.bytes | Total number of downloaded from server to client. | long | +| netskope.events.server.packets | N/A | long | +| netskope.events.session.duration | N/A | long | +| netskope.events.session.id | Session ID for Dropbox application. | keyword | +| netskope.events.session.packets | N/A | long | +| netskope.events.severity.id | Severity ID used by watchlist and malware alerts. | keyword | +| netskope.events.severity.level | Severity used by watchlist and malware alerts. | keyword | +| netskope.events.severity.type | Severity type used by watchlist and malware alerts | keyword | +| netskope.events.sfwder | N/A | keyword | +| netskope.events.shared.domains | List of domains of users the document is shared with. | keyword | +| netskope.events.shared.is_shared | If the file is shared or not. | boolean | +| netskope.events.shared.type | Shared Type. | keyword | +| netskope.events.shared.with | Array of emails with whom a document is shared with. | keyword | +| netskope.events.site | For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". | keyword | +| netskope.events.slc.geo.location | Longitude and latitude. | geo_point | +| netskope.events.source.geoip_src | Source from where the location of Source IP was derived. | long | +| netskope.events.ssl_decrypt_policy | Applicable to only bypass events. There are 2 ways to create rules for bypass: Bypass due to Exception Configuration, Bypass due to SSL Decrypt Policy.The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. 
ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. | keyword | +| netskope.events.start_time | N/A | keyword | +| netskope.events.sub_type | Workplace by Facebook post sub category (files, comments, status etc). | keyword | +| netskope.events.supporting_data | N/A | keyword | +| netskope.events.suppression.end_time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long | +| netskope.events.suppression.key | To limit the number of events. Example: Suppress block event for browse. | keyword | +| netskope.events.suppression.start_time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long | +| netskope.events.team | Slack team name. | keyword | +| netskope.events.telemetry_app | Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field. | keyword | +| netskope.events.temp_user | N/A | keyword | +| netskope.events.tenant.id | Tenant id. | keyword | +| netskope.events.threat.match_field | Threat match field, either from domain or URL or IP. | keyword | +| netskope.events.threat.source.id | Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. | keyword | +| netskope.events.threshold | Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. 
| long | +| netskope.events.tnetwork_session_id | N/A | keyword | +| netskope.events.to.object | Changed name of an object that has been renamed, copied, or moved. | keyword | +| netskope.events.to.storage | N/A | keyword | +| netskope.events.to.user | Used when a file is moved from user A to user B. Shows the email address of user B. | keyword | +| netskope.events.to.user_category | Type of user to which move is done. | keyword | +| netskope.events.total.collaborator_count | Count of collaborators on a file/folder. Supported for some apps. | long | +| netskope.events.total_packets | N/A | long | +| netskope.events.traffic.type | Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. | keyword | +| netskope.events.transaction.id | Unique ID for a given request/response. | keyword | +| netskope.events.tss_mode | Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. | keyword | +| netskope.events.tunnel.id | Shows the Client installation ID. Only available for the Client steering configuration. | keyword | +| netskope.events.tunnel.type | N/A | keyword | +| netskope.events.tunnel.up_time | N/A | long | +| netskope.events.two_factor_auth | N/A | keyword | +| netskope.events.type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. | keyword | +| netskope.events.universal_connector | N/A | keyword | +| netskope.events.url | URL of the application that the user visited as provided by the log or data plane traffic | flattened | +| netskope.events.url_to_activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. 
| keyword | +| netskope.events.user.category | Type of user in an enterprise - external / internal. | keyword | +| netskope.events.user.generated | Tells whether it is user generated page event. | boolean | +| netskope.events.user.geo.city_name | N/A | keyword | +| netskope.events.user.geo.continent_name | N/A | keyword | +| netskope.events.user.geo.country_iso_code | N/A | keyword | +| netskope.events.user.geo.country_name | N/A | keyword | +| netskope.events.user.geo.location | Longitude and latitude. | geo_point | +| netskope.events.user.geo.region_iso_code | N/A | keyword | +| netskope.events.user.geo.region_name | N/A | keyword | +| netskope.events.user.group | N/A | keyword | +| netskope.events.user.ip | IP address of User. | keyword | +| netskope.events.user.is_aggregated | N/A | boolean | +| netskope.events.violating.user.name | User who caused a vioaltion. Populated for Workplace by Facebook. | keyword | +| netskope.events.violating.user.type | Category of the user who caused a violation. Populated for Workplace by Facebook. | keyword | +| netskope.events.web.url | File preview URL. | flattened | +| netskope.events.web_universal_connector | N/A | keyword | +| netskope.events.workspace.id | Workspace ID in case of Slack for Enterprise. | keyword | +| netskope.events.workspace.name | Workspace name in case of Slack for Enterprise. | keyword | +| netskope.events.zip_password | Zip the malacious file and put pwd to it and send it back to caller. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. 
| ip | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.bytes | Bytes sent from the server to the client. | long | +| server.packets | Packets sent from the server to the client. | long | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| user.email | User email address. | keyword | +| user.group.name | Name of the group. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. 
| match_only_text |
+| user.roles | Array of user roles at the time of the event. | keyword |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
+
+An example event for `events` looks as following:
+
+```json
+{
+ "@timestamp": "2021-12-24T00:29:56.000Z",
+ "agent": {
+ "ephemeral_id": "3cabd78f-ac92-4719-87ff-e1dd82c3162a",
+ "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.3.0"
+ },
+ "data_stream": {
+ "dataset": "netskope.events",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
+ "snapshot": true,
+ "version": "8.3.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "netskope.events",
+ "ingested": "2022-04-14T09:24:43Z",
+ "original": "{\"@timestamp\":\"2021-12-24T00:29:56.000Z\",\"event.id\":\"613ee55ec9d868fc47654a73\",\"netskope\":{\"events\":{\"event_type\":\"infrastructure\",\"severity\":{\"level\":\"high\"},\"alarm\":{\"name\":\"No_events_from_device\",\"description\":\"Events from device not received in the last 24 hours\"},\"device\":{\"name\":\"device-1\"},\"metric_value\":43831789,\"serial\":\"FFFFFFFFFFFFFFFF\",\"supporting_data\":\"abc\"}}}"
+ },
+ "event.id": 
"613ee55ec9d868fc47654a73",
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.224.1:46522"
+ }
+ },
+ "netskope": {
+ "events": {
+ "alarm": {
+ "description": "Events from device not received in the last 24 hours",
+ "name": "No_events_from_device"
+ },
+ "device": {
+ "name": "device-1"
+ },
+ "event_type": "infrastructure",
+ "metric_value": 43831789,
+ "serial": "FFFFFFFFFFFFFFFF",
+ "severity": {
+ "level": "high"
+ },
+ "supporting_data": "abc"
+ }
+ },
+ "tags": [
+ "forwarded",
+ "netskope-events"
+ ]
+}
+```
diff --git a/packages/netskope/0.1.2/img/netskope-alerts-screenshot.png b/packages/netskope/0.1.2/img/netskope-alerts-screenshot.png
new file mode 100755
index 0000000000..3478a97c30
Binary files /dev/null and b/packages/netskope/0.1.2/img/netskope-alerts-screenshot.png differ
diff --git a/packages/netskope/0.1.2/img/netskope-events-screenshot.png b/packages/netskope/0.1.2/img/netskope-events-screenshot.png
new file mode 100755
index 0000000000..a429b80386
Binary files /dev/null and b/packages/netskope/0.1.2/img/netskope-events-screenshot.png differ
diff --git a/packages/netskope/0.1.2/img/netskope-logo.svg b/packages/netskope/0.1.2/img/netskope-logo.svg
new file mode 100755
index 0000000000..cf1c8bcb3d
--- /dev/null
+++ b/packages/netskope/0.1.2/img/netskope-logo.svg
@@ -0,0 +1,26 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02.json
new file mode 100755
index 0000000000..23c328b567
--- /dev/null
+++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02.json
@@ -0,0 +1,152 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6fa82f60-f04f-444f-ba2f-00773e1e6108\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"6fa82f60-f04f-444f-ba2f-00773e1e6108\",\"panelRefName\":\"panel_6fa82f60-f04f-444f-ba2f-00773e1e6108\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"4652af1f-2400-4b6c-bc5e-571191e2a14f\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4652af1f-2400-4b6c-bc5e-571191e2a14f\",\"panelRefName\":\"panel_4652af1f-2400-4b6c-bc5e-571191e2a14f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"45c067c5-0e47-4988-90f8-fc788f006afd\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"45c067c5-0e47-4988-90f8-fc788f006afd\",\"panelRefName\":\"panel_45c067c5-0e47-4988-90f8-fc788f006afd\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a9793bf2-d220-4b8c-a5b5-ce31043445f9\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"a9793bf2-d220-4b8c-a5b5-ce31043445f9\",\"panelRefName\":\"panel_a9793bf2-d220-4b8c-a5b5-ce31043445f9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhan
cements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"feaa25d0-fc21-4688-ad80-aac792a6f5a7\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"feaa25d0-fc21-4688-ad80-aac792a6f5a7\",\"panelRefName\":\"panel_feaa25d0-fc21-4688-ad80-aac792a6f5a7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"366ab0ac-ca2e-42af-a6c3-ed7af9892b33\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"366ab0ac-ca2e-42af-a6c3-ed7af9892b33\",\"panelRefName\":\"panel_366ab0ac-ca2e-42af-a6c3-ed7af9892b33\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"afe687dc-fbb2-4277-b415-2d63dc660034\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"afe687dc-fbb2-4277-b415-2d63dc660034\",\"panelRefName\":\"panel_afe687dc-fbb2-4277-b415-2d63dc660034\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"84973327-83fa-4d3e-a605-942aa2f8d165\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"84973327-83fa-4d3e-a605-942aa2f8d165\",\"panelRefName\":\"panel_84973327-83fa-4d3e-a605-942aa2f8d165\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b4492c2d-8d65-4ba1-88ff-477837e47ba7\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"b4492c2d-8d65-4ba1-88ff-477837e47ba7\",\"panelRefName\":\"panel_b4492c2d-8d65-4ba1-88ff-477837e47ba7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1ff971d6-add3-4c2e-b392-13c5487ac4ee\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"1ff971d6-add3-4c2e-b392-13c5487ac4ee\",\"panelRefName\":\"panel_1ff971d6-add3-4c2e-b392-13c5487ac4ee\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":1
5,\"i\":\"1f30c1e5-042e-48ce-99e5-5f1fc9e12d12\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"1f30c1e5-042e-48ce-99e5-5f1fc9e12d12\",\"panelRefName\":\"panel_1f30c1e5-042e-48ce-99e5-5f1fc9e12d12\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e9392a59-5f4d-405d-8779-6b1400c25493\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"e9392a59-5f4d-405d-8779-6b1400c25493\",\"panelRefName\":\"panel_e9392a59-5f4d-405d-8779-6b1400c25493\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f722efca-df82-46e8-bb4d-8217b1fac3e3\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"f722efca-df82-46e8-bb4d-8217b1fac3e3\",\"panelRefName\":\"panel_f722efca-df82-46e8-bb4d-8217b1fac3e3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8c4361bf-c0be-44e9-a898-0f2de9b10187\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"8c4361bf-c0be-44e9-a898-0f2de9b10187\",\"panelRefName\":\"panel_8c4361bf-c0be-44e9-a898-0f2de9b10187\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"a65412a1-13cd-40ed-900e-4fc49f388ee7\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"a65412a1-13cd-40ed-900e-4fc49f388ee7\",\"panelRefName\":\"panel_a65412a1-13cd-40ed-900e-4fc49f388ee7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"eb9e1079-4966-4ae9-abbf-e0df000f17d6\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"eb9e1079-4966-4ae9-abbf-e0df000f17d6\",\"panelRefName\":\"panel_eb9e1079-4966-4ae9-abbf-e0df000f17d6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d726178a-8c9a-465c-ac2d-974f77abb85f\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\
"d726178a-8c9a-465c-ac2d-974f77abb85f\",\"panelRefName\":\"panel_d726178a-8c9a-465c-ac2d-974f77abb85f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5d065d8d-9b03-4707-9c50-4b655a013932\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"5d065d8d-9b03-4707-9c50-4b655a013932\",\"panelRefName\":\"panel_5d065d8d-9b03-4707-9c50-4b655a013932\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5da4dcb5-1642-48d8-8b08-cc24ad43f53d\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"5da4dcb5-1642-48d8-8b08-cc24ad43f53d\",\"panelRefName\":\"panel_5da4dcb5-1642-48d8-8b08-cc24ad43f53d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"65a1d845-2c17-4bd6-8cd8-d8c651d89bd5\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"65a1d845-2c17-4bd6-8cd8-d8c651d89bd5\",\"panelRefName\":\"panel_65a1d845-2c17-4bd6-8cd8-d8c651d89bd5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b2f14091-11cf-492c-bd71-06a8096e4cc2\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"b2f14091-11cf-492c-bd71-06a8096e4cc2\",\"panelRefName\":\"panel_b2f14091-11cf-492c-bd71-06a8096e4cc2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e0331a0a-3091-48e8-8591-31ed4cb1e001\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"e0331a0a-3091-48e8-8591-31ed4cb1e001\",\"panelRefName\":\"panel_e0331a0a-3091-48e8-8591-31ed4cb1e001\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"99617f89-4bf3-4426-9d51-d486cde5c8a6\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"99617f89-4bf3-4426-9d51-d486cde5c8a6\",\"panelRefName\":\"panel_99617f89-4bf3-4426-9d51-d486cde5c8a6\",\"type\":\"visu
alization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44f4cc45-f34e-4034-aa95-aab9bae9be7b\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"44f4cc45-f34e-4034-aa95-aab9bae9be7b\",\"panelRefName\":\"panel_44f4cc45-f34e-4034-aa95-aab9bae9be7b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f01b8e09-267d-433e-965b-20d3483143a6\",\"w\":24,\"x\":0,\"y\":180},\"panelIndex\":\"f01b8e09-267d-433e-965b-20d3483143a6\",\"panelRefName\":\"panel_f01b8e09-267d-433e-965b-20d3483143a6\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Netskope][Alerts] Quarantine", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02", + "name": "6fa82f60-f04f-444f-ba2f-00773e1e6108:panel_6fa82f60-f04f-444f-ba2f-00773e1e6108", + "type": "visualization" + }, + { + "id": "netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02", + "name": "4652af1f-2400-4b6c-bc5e-571191e2a14f:panel_4652af1f-2400-4b6c-bc5e-571191e2a14f", + "type": "visualization" + }, + { + "id": "netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02", + "name": "45c067c5-0e47-4988-90f8-fc788f006afd:panel_45c067c5-0e47-4988-90f8-fc788f006afd", + "type": "visualization" + }, + { + "id": "netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02", + "name": "a9793bf2-d220-4b8c-a5b5-ce31043445f9:panel_a9793bf2-d220-4b8c-a5b5-ce31043445f9", + "type": "visualization" + }, + { + "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", + "name": "feaa25d0-fc21-4688-ad80-aac792a6f5a7:panel_feaa25d0-fc21-4688-ad80-aac792a6f5a7", + "type": "visualization" + }, + { + "id": 
"netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", + "name": "366ab0ac-ca2e-42af-a6c3-ed7af9892b33:panel_366ab0ac-ca2e-42af-a6c3-ed7af9892b33", + "type": "visualization" + }, + { + "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", + "name": "afe687dc-fbb2-4277-b415-2d63dc660034:panel_afe687dc-fbb2-4277-b415-2d63dc660034", + "type": "visualization" + }, + { + "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", + "name": "84973327-83fa-4d3e-a605-942aa2f8d165:panel_84973327-83fa-4d3e-a605-942aa2f8d165", + "type": "visualization" + }, + { + "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", + "name": "b4492c2d-8d65-4ba1-88ff-477837e47ba7:panel_b4492c2d-8d65-4ba1-88ff-477837e47ba7", + "type": "visualization" + }, + { + "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", + "name": "1ff971d6-add3-4c2e-b392-13c5487ac4ee:panel_1ff971d6-add3-4c2e-b392-13c5487ac4ee", + "type": "visualization" + }, + { + "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", + "name": "1f30c1e5-042e-48ce-99e5-5f1fc9e12d12:panel_1f30c1e5-042e-48ce-99e5-5f1fc9e12d12", + "type": "visualization" + }, + { + "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", + "name": "e9392a59-5f4d-405d-8779-6b1400c25493:panel_e9392a59-5f4d-405d-8779-6b1400c25493", + "type": "visualization" + }, + { + "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", + "name": "f722efca-df82-46e8-bb4d-8217b1fac3e3:panel_f722efca-df82-46e8-bb4d-8217b1fac3e3", + "type": "visualization" + }, + { + "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", + "name": "8c4361bf-c0be-44e9-a898-0f2de9b10187:panel_8c4361bf-c0be-44e9-a898-0f2de9b10187", + "type": "visualization" + }, + { + "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", + "name": "a65412a1-13cd-40ed-900e-4fc49f388ee7:panel_a65412a1-13cd-40ed-900e-4fc49f388ee7", + "type": "visualization" + }, + { + "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", + "name": "eb9e1079-4966-4ae9-abbf-e0df000f17d6:panel_eb9e1079-4966-4ae9-abbf-e0df000f17d6", + 
"type": "visualization" + }, + { + "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", + "name": "d726178a-8c9a-465c-ac2d-974f77abb85f:panel_d726178a-8c9a-465c-ac2d-974f77abb85f", + "type": "visualization" + }, + { + "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", + "name": "5d065d8d-9b03-4707-9c50-4b655a013932:panel_5d065d8d-9b03-4707-9c50-4b655a013932", + "type": "visualization" + }, + { + "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", + "name": "5da4dcb5-1642-48d8-8b08-cc24ad43f53d:panel_5da4dcb5-1642-48d8-8b08-cc24ad43f53d", + "type": "visualization" + }, + { + "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", + "name": "65a1d845-2c17-4bd6-8cd8-d8c651d89bd5:panel_65a1d845-2c17-4bd6-8cd8-d8c651d89bd5", + "type": "visualization" + }, + { + "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", + "name": "b2f14091-11cf-492c-bd71-06a8096e4cc2:panel_b2f14091-11cf-492c-bd71-06a8096e4cc2", + "type": "visualization" + }, + { + "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", + "name": "e0331a0a-3091-48e8-8591-31ed4cb1e001:panel_e0331a0a-3091-48e8-8591-31ed4cb1e001", + "type": "visualization" + }, + { + "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", + "name": "99617f89-4bf3-4426-9d51-d486cde5c8a6:panel_99617f89-4bf3-4426-9d51-d486cde5c8a6", + "type": "visualization" + }, + { + "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", + "name": "44f4cc45-f34e-4034-aa95-aab9bae9be7b:panel_44f4cc45-f34e-4034-aa95-aab9bae9be7b", + "type": "visualization" + }, + { + "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", + "name": "f01b8e09-267d-433e-965b-20d3483143a6:panel_f01b8e09-267d-433e-965b-20d3483143a6", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..ec910490e0 
--- /dev/null +++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,122 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"9ecea79f-aedc-4c49-a78d-113c35d00646\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"9ecea79f-aedc-4c49-a78d-113c35d00646\",\"panelRefName\":\"panel_9ecea79f-aedc-4c49-a78d-113c35d00646\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f7136693-69cc-43e0-b9ad-3b975bbe830a\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"f7136693-69cc-43e0-b9ad-3b975bbe830a\",\"panelRefName\":\"panel_f7136693-69cc-43e0-b9ad-3b975bbe830a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6a352e9d-2bda-4c4d-a65f-70086fe9e098\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"6a352e9d-2bda-4c4d-a65f-70086fe9e098\",\"panelRefName\":\"panel_6a352e9d-2bda-4c4d-a65f-70086fe9e098\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"48681f61-2ad6-4dac-aafd-895b2c267d93\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"48681f61-2ad6-4dac-aafd-895b2c267d93\",\"panelRefName\":\"panel_48681f61-2ad6-4dac-aafd-895b2c267d93\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddabl
eConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"414e518e-6119-4905-9052-0bab7a7e53c2\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"414e518e-6119-4905-9052-0bab7a7e53c2\",\"panelRefName\":\"panel_414e518e-6119-4905-9052-0bab7a7e53c2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f52d5fe1-0317-4341-8828-34c8eb20e6c5\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"f52d5fe1-0317-4341-8828-34c8eb20e6c5\",\"panelRefName\":\"panel_f52d5fe1-0317-4341-8828-34c8eb20e6c5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"dedb010c-aa2b-4849-a123-01d05df8391e\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"dedb010c-aa2b-4849-a123-01d05df8391e\",\"panelRefName\":\"panel_dedb010c-aa2b-4849-a123-01d05df8391e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"769bdbcd-f96e-41c7-ba73-76bc435f8573\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"769bdbcd-f96e-41c7-ba73-76bc435f8573\",\"panelRefName\":\"panel_769bdbcd-f96e-41c7-ba73-76bc435f8573\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c15e2f15-51e0-450b-8b65-68ad53160156\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c15e2f15-51e0-450b-8b65-68ad53160156\",\"panelRefName\":\"panel_c15e2f15-51e0-450b-8b65-68ad53160156\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"75d0c42b-7852-4914-95e7-6d2e92b99bd0\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"75d0c42b-7852-4914-95e7-6d2e92b99bd0\",\"panelRefName\":\"panel_75d0c42b-7852-4914-95e7-6d2e92b99bd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"g
ridData\":{\"h\":15,\"i\":\"abd95a27-a1f0-4808-88fb-3bb5f770f543\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"abd95a27-a1f0-4808-88fb-3bb5f770f543\",\"panelRefName\":\"panel_abd95a27-a1f0-4808-88fb-3bb5f770f543\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"15c3b9dc-93ee-48ca-a860-fd4f1b768c4c\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"15c3b9dc-93ee-48ca-a860-fd4f1b768c4c\",\"panelRefName\":\"panel_15c3b9dc-93ee-48ca-a860-fd4f1b768c4c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5fe16d63-f752-4c67-b033-54924d7a631a\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"5fe16d63-f752-4c67-b033-54924d7a631a\",\"panelRefName\":\"panel_5fe16d63-f752-4c67-b033-54924d7a631a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"87ee17ee-d40e-4a43-b26f-9622bf1bcbad\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"87ee17ee-d40e-4a43-b26f-9622bf1bcbad\",\"panelRefName\":\"panel_87ee17ee-d40e-4a43-b26f-9622bf1bcbad\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"802cd7a9-7704-4a53-b143-1b9a4f75cc2b\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"802cd7a9-7704-4a53-b143-1b9a4f75cc2b\",\"panelRefName\":\"panel_802cd7a9-7704-4a53-b143-1b9a4f75cc2b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f6e061ee-b7ac-47c8-9915-3fca33a23317\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"f6e061ee-b7ac-47c8-9915-3fca33a23317\",\"panelRefName\":\"panel_f6e061ee-b7ac-47c8-9915-3fca33a23317\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5a0acb1a-ce64-413f-a582-567d7fa79fc0\",\"w\":24,\"x\":0,\"y\":13
5},\"panelIndex\":\"5a0acb1a-ce64-413f-a582-567d7fa79fc0\",\"panelRefName\":\"panel_5a0acb1a-ce64-413f-a582-567d7fa79fc0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f9e38ddf-3807-4283-8612-12890da9ddbe\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"f9e38ddf-3807-4283-8612-12890da9ddbe\",\"panelRefName\":\"panel_f9e38ddf-3807-4283-8612-12890da9ddbe\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4f45dac1-2a01-418a-9174-86fa1d613f5f\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"4f45dac1-2a01-418a-9174-86fa1d613f5f\",\"panelRefName\":\"panel_4f45dac1-2a01-418a-9174-86fa1d613f5f\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Netskope][Alerts] Security Assessment", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netskope-f9097160-71f3-11ec-8c4b-cb281099ee02", + "name": "9ecea79f-aedc-4c49-a78d-113c35d00646:panel_9ecea79f-aedc-4c49-a78d-113c35d00646", + "type": "visualization" + }, + { + "id": "netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02", + "name": "f7136693-69cc-43e0-b9ad-3b975bbe830a:panel_f7136693-69cc-43e0-b9ad-3b975bbe830a", + "type": "visualization" + }, + { + "id": "netskope-187e0140-71f5-11ec-8c4b-cb281099ee02", + "name": "6a352e9d-2bda-4c4d-a65f-70086fe9e098:panel_6a352e9d-2bda-4c4d-a65f-70086fe9e098", + "type": "visualization" + }, + { + "id": "netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02", + "name": "48681f61-2ad6-4dac-aafd-895b2c267d93:panel_48681f61-2ad6-4dac-aafd-895b2c267d93", + "type": "visualization" + }, + { + "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", + 
"name": "414e518e-6119-4905-9052-0bab7a7e53c2:panel_414e518e-6119-4905-9052-0bab7a7e53c2", + "type": "visualization" + }, + { + "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", + "name": "f52d5fe1-0317-4341-8828-34c8eb20e6c5:panel_f52d5fe1-0317-4341-8828-34c8eb20e6c5", + "type": "visualization" + }, + { + "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", + "name": "dedb010c-aa2b-4849-a123-01d05df8391e:panel_dedb010c-aa2b-4849-a123-01d05df8391e", + "type": "visualization" + }, + { + "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", + "name": "769bdbcd-f96e-41c7-ba73-76bc435f8573:panel_769bdbcd-f96e-41c7-ba73-76bc435f8573", + "type": "visualization" + }, + { + "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", + "name": "c15e2f15-51e0-450b-8b65-68ad53160156:panel_c15e2f15-51e0-450b-8b65-68ad53160156", + "type": "visualization" + }, + { + "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", + "name": "75d0c42b-7852-4914-95e7-6d2e92b99bd0:panel_75d0c42b-7852-4914-95e7-6d2e92b99bd0", + "type": "visualization" + }, + { + "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", + "name": "abd95a27-a1f0-4808-88fb-3bb5f770f543:panel_abd95a27-a1f0-4808-88fb-3bb5f770f543", + "type": "visualization" + }, + { + "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", + "name": "15c3b9dc-93ee-48ca-a860-fd4f1b768c4c:panel_15c3b9dc-93ee-48ca-a860-fd4f1b768c4c", + "type": "visualization" + }, + { + "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", + "name": "5fe16d63-f752-4c67-b033-54924d7a631a:panel_5fe16d63-f752-4c67-b033-54924d7a631a", + "type": "visualization" + }, + { + "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", + "name": "87ee17ee-d40e-4a43-b26f-9622bf1bcbad:panel_87ee17ee-d40e-4a43-b26f-9622bf1bcbad", + "type": "visualization" + }, + { + "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", + "name": "802cd7a9-7704-4a53-b143-1b9a4f75cc2b:panel_802cd7a9-7704-4a53-b143-1b9a4f75cc2b", + "type": "visualization" + }, + { + "id": 
"netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", + "name": "f6e061ee-b7ac-47c8-9915-3fca33a23317:panel_f6e061ee-b7ac-47c8-9915-3fca33a23317", + "type": "visualization" + }, + { + "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", + "name": "5a0acb1a-ce64-413f-a582-567d7fa79fc0:panel_5a0acb1a-ce64-413f-a582-567d7fa79fc0", + "type": "visualization" + }, + { + "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", + "name": "f9e38ddf-3807-4283-8612-12890da9ddbe:panel_f9e38ddf-3807-4283-8612-12890da9ddbe", + "type": "visualization" + }, + { + "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", + "name": "4f45dac1-2a01-418a-9174-86fa1d613f5f:panel_4f45dac1-2a01-418a-9174-86fa1d613f5f", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..1d99e0f070 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,132 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"de113850-0514-4327-bf4a-96fd3bff0aa1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"de113850-0514-4327-bf4a-96fd3bff0aa1\",\"panelRefName\":\"panel_de113850-0514-4327-bf4a-96fd3bff0aa1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842\",\"panelRefName\":\"panel_81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"1ae18052-f555-4f33-b76c-7f425a337c95\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1ae18052-f555-4f33-b76c-7f425a337c95\",\"panelRefName\":\"panel_1ae18052-f555-4f33-b76c-7f425a337c95\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf91b73d-8723-4207-a9db-2f2eec6dbc83\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"cf91b73d-8723-4207-a9db-2f2eec6dbc83\",\"panelRefName\":\"panel_cf91b73d-8723-4207-a9db-2f2eec6dbc83\",\"type\":\"visu
alization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"40a99b00-0503-4360-b2ee-4758402ddbc6\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"40a99b00-0503-4360-b2ee-4758402ddbc6\",\"panelRefName\":\"panel_40a99b00-0503-4360-b2ee-4758402ddbc6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c56aec99-3085-448f-b3ce-d68d4d758354\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"c56aec99-3085-448f-b3ce-d68d4d758354\",\"panelRefName\":\"panel_c56aec99-3085-448f-b3ce-d68d4d758354\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cfbe5876-f02d-42c0-ae50-b85b43223f2d\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"cfbe5876-f02d-42c0-ae50-b85b43223f2d\",\"panelRefName\":\"panel_cfbe5876-f02d-42c0-ae50-b85b43223f2d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"91fb5be5-9fe1-446c-b5de-0a9844698834\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"91fb5be5-9fe1-446c-b5de-0a9844698834\",\"panelRefName\":\"panel_91fb5be5-9fe1-446c-b5de-0a9844698834\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e89d1bab-dd1c-4b06-bad0-77f26fb8e217\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"e89d1bab-dd1c-4b06-bad0-77f26fb8e217\",\"panelRefName\":\"panel_e89d1bab-dd1c-4b06-bad0-77f26fb8e217\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cafd5a6f-d702-4870-b85d-8c5619997cb6\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"cafd5a6f-d702-4870-b85d-8c5619997cb6\",\"panelRefName\":\"panel_cafd5a6f-d702-4870-b85d-8c5619997cb6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legen
dOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"199442bd-7bb0-4112-ade5-3264743defd1\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"199442bd-7bb0-4112-ade5-3264743defd1\",\"panelRefName\":\"panel_199442bd-7bb0-4112-ade5-3264743defd1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"90e8a139-5ac8-4a10-a5ed-802d30eca519\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"90e8a139-5ac8-4a10-a5ed-802d30eca519\",\"panelRefName\":\"panel_90e8a139-5ac8-4a10-a5ed-802d30eca519\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339\",\"panelRefName\":\"panel_3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cbe6b18e-b303-4b00-b573-f9856a82e15e\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"cbe6b18e-b303-4b00-b573-f9856a82e15e\",\"panelRefName\":\"panel_cbe6b18e-b303-4b00-b573-f9856a82e15e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"68eae1da-9479-4de6-a888-790e7bee6449\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"68eae1da-9479-4de6-a888-790e7bee6449\",\"panelRefName\":\"panel_68eae1da-9479-4de6-a888-790e7bee6449\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"8368a6ca-b543-4adc-a9c5-624e74497329\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"8368a6ca-b543-4adc-a9c5-624e74497329\",\"panelRefName\":\"panel_8368a6ca-b543-4adc-a9c5-624e74497329\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4b05e711-810e-401
4-9b25-0bd307954aa0\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"4b05e711-810e-4014-9b25-0bd307954aa0\",\"panelRefName\":\"panel_4b05e711-810e-4014-9b25-0bd307954aa0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"893dd429-9e30-4fd6-9419-dbe51aafc104\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"893dd429-9e30-4fd6-9419-dbe51aafc104\",\"panelRefName\":\"panel_893dd429-9e30-4fd6-9419-dbe51aafc104\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb\",\"panelRefName\":\"panel_5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"39191fce-eb15-468c-ad46-923e47f84456\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"39191fce-eb15-468c-ad46-923e47f84456\",\"panelRefName\":\"panel_39191fce-eb15-468c-ad46-923e47f84456\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"aedad988-c987-4390-b904-8ed71a118d4d\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"aedad988-c987-4390-b904-8ed71a118d4d\",\"panelRefName\":\"panel_aedad988-c987-4390-b904-8ed71a118d4d\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Netskope][Events] Network", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netskope-55144a90-72ab-11ec-8c4b-cb281099ee02", + "name": 
"de113850-0514-4327-bf4a-96fd3bff0aa1:panel_de113850-0514-4327-bf4a-96fd3bff0aa1", + "type": "visualization" + }, + { + "id": "netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02", + "name": "81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842:panel_81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842", + "type": "visualization" + }, + { + "id": "netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02", + "name": "1ae18052-f555-4f33-b76c-7f425a337c95:panel_1ae18052-f555-4f33-b76c-7f425a337c95", + "type": "visualization" + }, + { + "id": "netskope-327320f0-72ac-11ec-8c4b-cb281099ee02", + "name": "cf91b73d-8723-4207-a9db-2f2eec6dbc83:panel_cf91b73d-8723-4207-a9db-2f2eec6dbc83", + "type": "visualization" + }, + { + "id": "netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02", + "name": "40a99b00-0503-4360-b2ee-4758402ddbc6:panel_40a99b00-0503-4360-b2ee-4758402ddbc6", + "type": "visualization" + }, + { + "id": "netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02", + "name": "c56aec99-3085-448f-b3ce-d68d4d758354:panel_c56aec99-3085-448f-b3ce-d68d4d758354", + "type": "visualization" + }, + { + "id": "netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02", + "name": "cfbe5876-f02d-42c0-ae50-b85b43223f2d:panel_cfbe5876-f02d-42c0-ae50-b85b43223f2d", + "type": "visualization" + }, + { + "id": "netskope-40a01500-72db-11ec-8c4b-cb281099ee02", + "name": "91fb5be5-9fe1-446c-b5de-0a9844698834:panel_91fb5be5-9fe1-446c-b5de-0a9844698834", + "type": "visualization" + }, + { + "id": "netskope-464ce970-72b7-11ec-8c4b-cb281099ee02", + "name": "e89d1bab-dd1c-4b06-bad0-77f26fb8e217:panel_e89d1bab-dd1c-4b06-bad0-77f26fb8e217", + "type": "visualization" + }, + { + "id": "netskope-891546c0-72db-11ec-8c4b-cb281099ee02", + "name": "cafd5a6f-d702-4870-b85d-8c5619997cb6:panel_cafd5a6f-d702-4870-b85d-8c5619997cb6", + "type": "visualization" + }, + { + "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", + "name": "199442bd-7bb0-4112-ade5-3264743defd1:panel_199442bd-7bb0-4112-ade5-3264743defd1", + "type": "visualization" + }, + { + "id": 
"netskope-41932530-72a7-11ec-8c4b-cb281099ee02", + "name": "90e8a139-5ac8-4a10-a5ed-802d30eca519:panel_90e8a139-5ac8-4a10-a5ed-802d30eca519", + "type": "visualization" + }, + { + "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", + "name": "3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339:panel_3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339", + "type": "visualization" + }, + { + "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", + "name": "cbe6b18e-b303-4b00-b573-f9856a82e15e:panel_cbe6b18e-b303-4b00-b573-f9856a82e15e", + "type": "visualization" + }, + { + "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", + "name": "68eae1da-9479-4de6-a888-790e7bee6449:panel_68eae1da-9479-4de6-a888-790e7bee6449", + "type": "visualization" + }, + { + "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", + "name": "8368a6ca-b543-4adc-a9c5-624e74497329:panel_8368a6ca-b543-4adc-a9c5-624e74497329", + "type": "visualization" + }, + { + "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", + "name": "4b05e711-810e-4014-9b25-0bd307954aa0:panel_4b05e711-810e-4014-9b25-0bd307954aa0", + "type": "visualization" + }, + { + "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", + "name": "893dd429-9e30-4fd6-9419-dbe51aafc104:panel_893dd429-9e30-4fd6-9419-dbe51aafc104", + "type": "visualization" + }, + { + "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", + "name": "5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb:panel_5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb", + "type": "visualization" + }, + { + "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", + "name": "39191fce-eb15-468c-ad46-923e47f84456:panel_39191fce-eb15-468c-ad46-923e47f84456", + "type": "visualization" + }, + { + "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", + "name": "aedad988-c987-4390-b904-8ed71a118d4d:panel_aedad988-c987-4390-b904-8ed71a118d4d", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..d2e6875041 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,47 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"infrastructure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"infrastructure\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"eef1d418-6eb7-4ca7-963c-376163e018cc\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"eef1d418-6eb7-4ca7-963c-376163e018cc\",\"panelRefName\":\"panel_eef1d418-6eb7-4ca7-963c-376163e018cc\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b8ce0876-320e-4903-919e-3101df39f199\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"b8ce0876-320e-4903-919e-3101df39f199\",\"panelRefName\":\"panel_b8ce0876-320e-4903-919e-3101df39f199\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"bcd7cd0f-3d14-4165-ad36-411e407c1b3a\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"bcd7cd0f-3d14-4165-ad36-411e407c1b3a\",\"panelRefName\":\"panel_bcd7cd0f-3d14-4165-ad36-411e407c1b3a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cb25209c-af4f-46d4-8055-e0165377c186\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"cb25209c-af4f-46d4-8055-e0165377c186\",\"panelRefName\":\"panel_cb25209c-af4f-46d4-8055-e0165377c186\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + 
"timeRestore": false, + "title": "[Netskope][Events] Infrastructure", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02", + "name": "eef1d418-6eb7-4ca7-963c-376163e018cc:panel_eef1d418-6eb7-4ca7-963c-376163e018cc", + "type": "visualization" + }, + { + "id": "netskope-719e0f30-72af-11ec-8c4b-cb281099ee02", + "name": "b8ce0876-320e-4903-919e-3101df39f199:panel_b8ce0876-320e-4903-919e-3101df39f199", + "type": "visualization" + }, + { + "id": "netskope-914898a0-72af-11ec-8c4b-cb281099ee02", + "name": "bcd7cd0f-3d14-4165-ad36-411e407c1b3a:panel_bcd7cd0f-3d14-4165-ad36-411e407c1b3a", + "type": "visualization" + }, + { + "id": "netskope-c01026d0-72af-11ec-8c4b-cb281099ee02", + "name": "cb25209c-af4f-46d4-8055-e0165377c186:panel_cb25209c-af4f-46d4-8055-e0165377c186", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..35312a2ab0 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"26fbf4d7-3b96-4d0a-a206-1c0b6c36a654\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"26fbf4d7-3b96-4d0a-a206-1c0b6c36a654\",\"panelRefName\":\"panel_26fbf4d7-3b96-4d0a-a206-1c0b6c36a654\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5a43e517-99d6-425a-b5cb-7ee124b327e7\",\"w\":24,\"x\":0,\"y\":5},\"panelIndex\":\"5a43e517-99d6-425a-b5cb-7ee124b327e7\",\"panelRefName\":\"panel_5a43e517-99d6-425a-b5cb-7ee124b327e7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"6a0e0f49-951b-47ca-8664-5507bae1d7f4\",\"w\":24,\"x\":24,\"y\":5},\"panelIndex\":\"6a0e0f49-951b-47ca-8664-5507bae1d7f4\",\"panelRefName\":\"panel_6a0e0f49-951b-47ca-8664-5507bae1d7f4\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"067dda5d-b9eb-495c-b663-5bb1eaa164da\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"067dda5d-b9eb-495c-b663-5bb1eaa164da\",\"panelRefName\":\"panel_067dda5d-b9eb-495c-b663-5bb1eaa164da\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"26a44d07-f0e4-4c58-a209-ebe227dfe682\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"26a44d07-f0e4-4c58-a209-ebe227dfe682\",\"panelRefName\":\"panel_26a44d07-f0e4-4c58-a209-ebe227dfe682\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"
embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"98d0578d-b4f5-46f6-8c5d-db6939548a41\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"98d0578d-b4f5-46f6-8c5d-db6939548a41\",\"panelRefName\":\"panel_98d0578d-b4f5-46f6-8c5d-db6939548a41\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"1150af83-f4ee-4aa3-8b31-7d5c5dccc716\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"1150af83-f4ee-4aa3-8b31-7d5c5dccc716\",\"panelRefName\":\"panel_1150af83-f4ee-4aa3-8b31-7d5c5dccc716\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"822a62d6-ed17-4a9c-bcbc-b29b25538156\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"822a62d6-ed17-4a9c-bcbc-b29b25538156\",\"panelRefName\":\"panel_822a62d6-ed17-4a9c-bcbc-b29b25538156\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec\",\"panelRefName\":\"panel_5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1773342f-dd53-4c10-9b38-82b4e09a7395\",\"w\":24,\"x\":0,\"y\":65},\"panelIndex\":\"1773342f-dd53-4c10-9b38-82b4e09a7395\",\"panelRefName\":\"panel_1773342f-dd53-4c10-9b38-82b4e09a7395\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e297318d-0e02-4fc2-a5dd-6b6d57f5e35b\",\"w\":24,\"x\":24,\"y\":65},\"panelIndex\":\"e297318d-0e02-4fc2-a5dd-6b6d57f5e35b\",\"panelRefName\":\"panel_e297318d-0e02-4fc2-a5dd-6b6d57f5e35b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d9355657-e78e-4edf-89b0
-4f0e0698372e\",\"w\":24,\"x\":0,\"y\":80},\"panelIndex\":\"d9355657-e78e-4edf-89b0-4f0e0698372e\",\"panelRefName\":\"panel_d9355657-e78e-4edf-89b0-4f0e0698372e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"82495547-fdb7-4c0c-8e55-83246013d66f\",\"w\":24,\"x\":24,\"y\":80},\"panelIndex\":\"82495547-fdb7-4c0c-8e55-83246013d66f\",\"panelRefName\":\"panel_82495547-fdb7-4c0c-8e55-83246013d66f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c291aef0-c76c-4c83-ae56-2c2126f817a7\",\"w\":24,\"x\":0,\"y\":95},\"panelIndex\":\"c291aef0-c76c-4c83-ae56-2c2126f817a7\",\"panelRefName\":\"panel_c291aef0-c76c-4c83-ae56-2c2126f817a7\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Netskope] Events Overview", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02", + "name": "26fbf4d7-3b96-4d0a-a206-1c0b6c36a654:panel_26fbf4d7-3b96-4d0a-a206-1c0b6c36a654", + "type": "visualization" + }, + { + "id": "netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02", + "name": "5a43e517-99d6-425a-b5cb-7ee124b327e7:panel_5a43e517-99d6-425a-b5cb-7ee124b327e7", + "type": "visualization" + }, + { + "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", + "name": "6a0e0f49-951b-47ca-8664-5507bae1d7f4:panel_6a0e0f49-951b-47ca-8664-5507bae1d7f4", + "type": "visualization" + }, + { + "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", + "name": "067dda5d-b9eb-495c-b663-5bb1eaa164da:panel_067dda5d-b9eb-495c-b663-5bb1eaa164da", + "type": "visualization" + }, + { + "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", + "name": "26a44d07-f0e4-4c58-a209-ebe227dfe682:panel_26a44d07-f0e4-4c58-a209-ebe227dfe682", + "type": 
"visualization" + }, + { + "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", + "name": "98d0578d-b4f5-46f6-8c5d-db6939548a41:panel_98d0578d-b4f5-46f6-8c5d-db6939548a41", + "type": "visualization" + }, + { + "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", + "name": "1150af83-f4ee-4aa3-8b31-7d5c5dccc716:panel_1150af83-f4ee-4aa3-8b31-7d5c5dccc716", + "type": "visualization" + }, + { + "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", + "name": "822a62d6-ed17-4a9c-bcbc-b29b25538156:panel_822a62d6-ed17-4a9c-bcbc-b29b25538156", + "type": "visualization" + }, + { + "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", + "name": "5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec:panel_5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec", + "type": "visualization" + }, + { + "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", + "name": "1773342f-dd53-4c10-9b38-82b4e09a7395:panel_1773342f-dd53-4c10-9b38-82b4e09a7395", + "type": "visualization" + }, + { + "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", + "name": "e297318d-0e02-4fc2-a5dd-6b6d57f5e35b:panel_e297318d-0e02-4fc2-a5dd-6b6d57f5e35b", + "type": "visualization" + }, + { + "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", + "name": "d9355657-e78e-4edf-89b0-4f0e0698372e:panel_d9355657-e78e-4edf-89b0-4f0e0698372e", + "type": "visualization" + }, + { + "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", + "name": "82495547-fdb7-4c0c-8e55-83246013d66f:panel_82495547-fdb7-4c0c-8e55-83246013d66f", + "type": "visualization" + }, + { + "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", + "name": "c291aef0-c76c-4c83-ae56-2c2126f817a7:panel_c291aef0-c76c-4c83-ae56-2c2126f817a7", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-97349920-72b0-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-97349920-72b0-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..84042f8c6d 
--- /dev/null +++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-97349920-72b0-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"77a59f05-8734-4361-a4ee-f0081a667f90\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"77a59f05-8734-4361-a4ee-f0081a667f90\",\"panelRefName\":\"panel_77a59f05-8734-4361-a4ee-f0081a667f90\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ba5dff68-0c84-4678-bf9b-a20767da4594\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"ba5dff68-0c84-4678-bf9b-a20767da4594\",\"panelRefName\":\"panel_ba5dff68-0c84-4678-bf9b-a20767da4594\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04a815f0-2d0c-4189-9382-c4b5c4455bce\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"04a815f0-2d0c-4189-9382-c4b5c4455bce\",\"panelRefName\":\"panel_04a815f0-2d0c-4189-9382-c4b5c4455bce\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1fb9cef2-f112-4a25-985e-e191d044a824\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"1fb9cef2-f112-4a25-985e-e191d044a824\",\"panelRefName\":\"panel_1fb9cef2-f112-4a25-985e-e191d044a824\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enha
ncements\":{}},\"gridData\":{\"h\":15,\"i\":\"d6851ddb-5402-419a-b8e2-91e060a5a715\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d6851ddb-5402-419a-b8e2-91e060a5a715\",\"panelRefName\":\"panel_d6851ddb-5402-419a-b8e2-91e060a5a715\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8c1ee365-4a0c-4b03-858a-26c7d6652699\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"8c1ee365-4a0c-4b03-858a-26c7d6652699\",\"panelRefName\":\"panel_8c1ee365-4a0c-4b03-858a-26c7d6652699\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Netskope][Events] Audit", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-97349920-72b0-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netskope-feb43930-72af-11ec-8c4b-cb281099ee02", + "name": "77a59f05-8734-4361-a4ee-f0081a667f90:panel_77a59f05-8734-4361-a4ee-f0081a667f90", + "type": "visualization" + }, + { + "id": "netskope-24907420-72b0-11ec-8c4b-cb281099ee02", + "name": "ba5dff68-0c84-4678-bf9b-a20767da4594:panel_ba5dff68-0c84-4678-bf9b-a20767da4594", + "type": "visualization" + }, + { + "id": "netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02", + "name": "04a815f0-2d0c-4189-9382-c4b5c4455bce:panel_04a815f0-2d0c-4189-9382-c4b5c4455bce", + "type": "visualization" + }, + { + "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", + "name": "1fb9cef2-f112-4a25-985e-e191d044a824:panel_1fb9cef2-f112-4a25-985e-e191d044a824", + "type": "visualization" + }, + { + "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", + "name": "d6851ddb-5402-419a-b8e2-91e060a5a715:panel_d6851ddb-5402-419a-b8e2-91e060a5a715", + "type": "visualization" + }, + { + "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", + "name": 
"8c1ee365-4a0c-4b03-858a-26c7d6652699:panel_8c1ee365-4a0c-4b03-858a-26c7d6652699", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..94ccc020a5 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ab32506e-cd95-4643-94f4-ff3d7f10655b\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"ab32506e-cd95-4643-94f4-ff3d7f10655b\",\"panelRefName\":\"panel_ab32506e-cd95-4643-94f4-ff3d7f10655b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f04eaee2-b656-45f0-bf2e-7db096fe5ba5\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"f04eaee2-b656-45f0-bf2e-7db096fe5ba5\",\"panelRefName\":\"panel_f04eaee2-b656-45f0-bf2e-7db096fe5ba5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85a443dc-c3dd-4198-8273-b2edbe5254a6\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"85a443dc-c3dd-4198-8273-b2edbe5254a6\",\"panelRefName\":\"panel_85a443dc-c3dd-4198-8273-b2edbe5254a6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d8da7946-0d47-405d-b219-b3f4519ee4d9\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"d8da7946-0d47-405d-b219-b3f4519ee4d9\",\"panelRefName\":\"panel_d8da7946-0d47-405d-b219-b3f4519ee4d9\",\"type\":\"visualization\",\"version\
":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"516a4ca3-23b4-4d6d-9162-50197cbfe306\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"516a4ca3-23b4-4d6d-9162-50197cbfe306\",\"panelRefName\":\"panel_516a4ca3-23b4-4d6d-9162-50197cbfe306\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ab75c7fa-d665-4ce4-b2d0-62428fd846da\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ab75c7fa-d665-4ce4-b2d0-62428fd846da\",\"panelRefName\":\"panel_ab75c7fa-d665-4ce4-b2d0-62428fd846da\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e6fdc807-d7d7-4c8d-a592-584e42001712\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"e6fdc807-d7d7-4c8d-a592-584e42001712\",\"panelRefName\":\"panel_e6fdc807-d7d7-4c8d-a592-584e42001712\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"fe337472-7a96-402a-b7e5-b8ea37e6328c\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"fe337472-7a96-402a-b7e5-b8ea37e6328c\",\"panelRefName\":\"panel_fe337472-7a96-402a-b7e5-b8ea37e6328c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5de4021e-f3ba-4155-83c6-d44937ad4564\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"5de4021e-f3ba-4155-83c6-d44937ad4564\",\"panelRefName\":\"panel_5de4021e-f3ba-4155-83c6-d44937ad4564\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6b88f03d-4441-4081-b031-7af3644a3421\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"6b88f03d-4441-4081-b031-7af3644a3421\",\"panelRefName\":\"panel_6b88f03d-4441-4081-b031-7af3644a3421\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\"
:{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ebf8e192-7eba-438f-96cc-5e6d80d08fd0\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"ebf8e192-7eba-438f-96cc-5e6d80d08fd0\",\"panelRefName\":\"panel_ebf8e192-7eba-438f-96cc-5e6d80d08fd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6a003a65-76ee-43fa-9f63-a8c96c129fd1\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"6a003a65-76ee-43fa-9f63-a8c96c129fd1\",\"panelRefName\":\"panel_6a003a65-76ee-43fa-9f63-a8c96c129fd1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4\",\"panelRefName\":\"panel_942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"51fc9a00-6109-46eb-9264-cfb81fafbb90\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"51fc9a00-6109-46eb-9264-cfb81fafbb90\",\"panelRefName\":\"panel_51fc9a00-6109-46eb-9264-cfb81fafbb90\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85ba4c06-11ce-4bfe-ba79-983562383efb\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"85ba4c06-11ce-4bfe-ba79-983562383efb\",\"panelRefName\":\"panel_85ba4c06-11ce-4bfe-ba79-983562383efb\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2209097a-5361-4924-b89b-30cb69fc1aa9\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"2209097a-5361-4924-b89b-30cb69fc1aa9\",\"panelRefName\":\"panel_2209097a-5361-4924-b89b-30cb69fc1aa9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"313214f2-83b2-41eb-98f6-d2e061b84267\",\"w\":24,\"x\":24,\"y\":120},
\"panelIndex\":\"313214f2-83b2-41eb-98f6-d2e061b84267\",\"panelRefName\":\"panel_313214f2-83b2-41eb-98f6-d2e061b84267\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"18e2231e-c783-4353-a799-b41f01154e97\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"18e2231e-c783-4353-a799-b41f01154e97\",\"panelRefName\":\"panel_18e2231e-c783-4353-a799-b41f01154e97\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Netskope][Events] Application", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02", + "name": "ab32506e-cd95-4643-94f4-ff3d7f10655b:panel_ab32506e-cd95-4643-94f4-ff3d7f10655b", + "type": "visualization" + }, + { + "id": "netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02", + "name": "f04eaee2-b656-45f0-bf2e-7db096fe5ba5:panel_f04eaee2-b656-45f0-bf2e-7db096fe5ba5", + "type": "visualization" + }, + { + "id": "netskope-5e243140-72b5-11ec-8c4b-cb281099ee02", + "name": "85a443dc-c3dd-4198-8273-b2edbe5254a6:panel_85a443dc-c3dd-4198-8273-b2edbe5254a6", + "type": "visualization" + }, + { + "id": "netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02", + "name": "d8da7946-0d47-405d-b219-b3f4519ee4d9:panel_d8da7946-0d47-405d-b219-b3f4519ee4d9", + "type": "visualization" + }, + { + "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", + "name": "516a4ca3-23b4-4d6d-9162-50197cbfe306:panel_516a4ca3-23b4-4d6d-9162-50197cbfe306", + "type": "visualization" + }, + { + "id": "netskope-917c9230-72b5-11ec-8c4b-cb281099ee02", + "name": "ab75c7fa-d665-4ce4-b2d0-62428fd846da:panel_ab75c7fa-d665-4ce4-b2d0-62428fd846da", + "type": "visualization" + }, + { + "id": 
"netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", + "name": "e6fdc807-d7d7-4c8d-a592-584e42001712:panel_e6fdc807-d7d7-4c8d-a592-584e42001712", + "type": "visualization" + }, + { + "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", + "name": "fe337472-7a96-402a-b7e5-b8ea37e6328c:panel_fe337472-7a96-402a-b7e5-b8ea37e6328c", + "type": "visualization" + }, + { + "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", + "name": "5de4021e-f3ba-4155-83c6-d44937ad4564:panel_5de4021e-f3ba-4155-83c6-d44937ad4564", + "type": "visualization" + }, + { + "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", + "name": "6b88f03d-4441-4081-b031-7af3644a3421:panel_6b88f03d-4441-4081-b031-7af3644a3421", + "type": "visualization" + }, + { + "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", + "name": "ebf8e192-7eba-438f-96cc-5e6d80d08fd0:panel_ebf8e192-7eba-438f-96cc-5e6d80d08fd0", + "type": "visualization" + }, + { + "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", + "name": "6a003a65-76ee-43fa-9f63-a8c96c129fd1:panel_6a003a65-76ee-43fa-9f63-a8c96c129fd1", + "type": "visualization" + }, + { + "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", + "name": "942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4:panel_942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4", + "type": "visualization" + }, + { + "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", + "name": "51fc9a00-6109-46eb-9264-cfb81fafbb90:panel_51fc9a00-6109-46eb-9264-cfb81fafbb90", + "type": "visualization" + }, + { + "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", + "name": "85ba4c06-11ce-4bfe-ba79-983562383efb:panel_85ba4c06-11ce-4bfe-ba79-983562383efb", + "type": "visualization" + }, + { + "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", + "name": "2209097a-5361-4924-b89b-30cb69fc1aa9:panel_2209097a-5361-4924-b89b-30cb69fc1aa9", + "type": "visualization" + }, + { + "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", + "name": "313214f2-83b2-41eb-98f6-d2e061b84267:panel_313214f2-83b2-41eb-98f6-d2e061b84267", + 
"type": "visualization" + }, + { + "id": "netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02", + "name": "18e2231e-c783-4353-a799-b41f01154e97:panel_18e2231e-c783-4353-a799-b41f01154e97", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-a03670f0-7208-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-a03670f0-7208-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..0c48984958 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-a03670f0-7208-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,182 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3b340e55-d9eb-4304-a0d3-583150bd54eb\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"3b340e55-d9eb-4304-a0d3-583150bd54eb\",\"panelRefName\":\"panel_3b340e55-d9eb-4304-a0d3-583150bd54eb\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"df123261-3370-4572-b118-09a2654264f2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"df123261-3370-4572-b118-09a2654264f2\",\"panelRefName\":\"panel_df123261-3370-4572-b118-09a2654264f2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"649b0d8e-5d17-411d-9117-a63ad74960f1\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"649b0d8e-5d17-411d-9117-a63ad74960f1\",\"panelRefName\":\"panel_649b0d8e-5d17-411d-9117-a63ad74960f1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"92b99046-01c4-413a-84dd-93ad174171b0\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"92b99046-01c4-413a-84dd-93ad174171b0\",\"panelRefName\":\"panel_92b99046-01c4-413a-84dd-93ad174171b0\",\"type\":\"visualization\",\"versio
n\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"aa10cc62-fe46-420a-88fc-9df0b78e58c1\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"aa10cc62-fe46-420a-88fc-9df0b78e58c1\",\"panelRefName\":\"panel_aa10cc62-fe46-420a-88fc-9df0b78e58c1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"3d78958c-581d-4ad4-a768-346a4f234b25\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"3d78958c-581d-4ad4-a768-346a4f234b25\",\"panelRefName\":\"panel_3d78958c-581d-4ad4-a768-346a4f234b25\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cee9c637-74f0-42bd-8a30-7c8b8cb4ed01\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"cee9c637-74f0-42bd-8a30-7c8b8cb4ed01\",\"panelRefName\":\"panel_cee9c637-74f0-42bd-8a30-7c8b8cb4ed01\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9422ea18-43fb-4271-9c06-bfb40b9f9c78\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"9422ea18-43fb-4271-9c06-bfb40b9f9c78\",\"panelRefName\":\"panel_9422ea18-43fb-4271-9c06-bfb40b9f9c78\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e0b7f071-f82f-457c-ad45-de3f45cd9ee8\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"e0b7f071-f82f-457c-ad45-de3f45cd9ee8\",\"panelRefName\":\"panel_e0b7f071-f82f-457c-ad45-de3f45cd9ee8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":162},{\"colIndex\":1,\"width\":355.5}]}}},\"gridData\":{\"h\":15,\"i\":\"b205b75e-5675-49ed-90d3-f183e7b80d2f\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"b205b75e-5675-49ed-90d3-f183e7b80d2f\",\"panelRefName\":\
"panel_b205b75e-5675-49ed-90d3-f183e7b80d2f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5513d359-dd47-44a7-856b-fadc0178aa5f\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"5513d359-dd47-44a7-856b-fadc0178aa5f\",\"panelRefName\":\"panel_5513d359-dd47-44a7-856b-fadc0178aa5f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ccf70172-a85b-40e1-a616-b3b1e9a6088c\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"ccf70172-a85b-40e1-a616-b3b1e9a6088c\",\"panelRefName\":\"panel_ccf70172-a85b-40e1-a616-b3b1e9a6088c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"6c932713-9d4b-430a-a799-6d31b45ecacf\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"6c932713-9d4b-430a-a799-6d31b45ecacf\",\"panelRefName\":\"panel_6c932713-9d4b-430a-a799-6d31b45ecacf\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"c483ecaf-49f8-4dc5-b0f0-0e1339a67d22\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"c483ecaf-49f8-4dc5-b0f0-0e1339a67d22\",\"panelRefName\":\"panel_c483ecaf-49f8-4dc5-b0f0-0e1339a67d22\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"90096c7a-a554-4a30-89a3-7d0d63ea804c\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"90096c7a-a554-4a30-89a3-7d0d63ea804c\",\"panelRefName\":\"panel_90096c7a-a554-4a30-89a3-7d0d63ea804c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cd490c17-67ea-4bd1-aa9a-88f1a9c139b5\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"cd490c17-67ea-4bd1-aa9a-88f1a9c139b5\",\"panelRefName\":\"panel_cd490c17-67ea-4bd1-aa9a-88
f1a9c139b5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0b6ca0f2-57a6-4e90-9592-56bb052d4ca7\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"0b6ca0f2-57a6-4e90-9592-56bb052d4ca7\",\"panelRefName\":\"panel_0b6ca0f2-57a6-4e90-9592-56bb052d4ca7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"650391d6-5467-4b6e-b529-f89b34cacdee\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"650391d6-5467-4b6e-b529-f89b34cacdee\",\"panelRefName\":\"panel_650391d6-5467-4b6e-b529-f89b34cacdee\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6b8089ba-e257-40d5-847f-516759ce8475\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"6b8089ba-e257-40d5-847f-516759ce8475\",\"panelRefName\":\"panel_6b8089ba-e257-40d5-847f-516759ce8475\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2d4098eb-54b0-474e-81b5-75fc222cb341\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"2d4098eb-54b0-474e-81b5-75fc222cb341\",\"panelRefName\":\"panel_2d4098eb-54b0-474e-81b5-75fc222cb341\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bbc3957b-53a2-47dd-9760-56f8ceb5289d\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"bbc3957b-53a2-47dd-9760-56f8ceb5289d\",\"panelRefName\":\"panel_bbc3957b-53a2-47dd-9760-56f8ceb5289d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"37776b9c-bfc6-4c6f-9079-2c0d23fe4a89\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"37776b9c-bfc6-4c6f-9079-2c0d23fe4a89\",\"panelRefName\":\"panel_37776b9c-bfc6-4c6f-9079-2c0d23fe4a89\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"l
egendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"690c706e-c8bc-4f19-ab9e-9ba64e268647\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"690c706e-c8bc-4f19-ab9e-9ba64e268647\",\"panelRefName\":\"panel_690c706e-c8bc-4f19-ab9e-9ba64e268647\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3753bbb6-64ab-4b10-8526-232375c9da38\",\"w\":24,\"x\":0,\"y\":180},\"panelIndex\":\"3753bbb6-64ab-4b10-8526-232375c9da38\",\"panelRefName\":\"panel_3753bbb6-64ab-4b10-8526-232375c9da38\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ebec8d00-4d63-44cd-9970-4882fcf5108f\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"ebec8d00-4d63-44cd-9970-4882fcf5108f\",\"panelRefName\":\"panel_ebec8d00-4d63-44cd-9970-4882fcf5108f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"97611e00-8013-43c4-856d-54b0e78313d5\",\"w\":24,\"x\":0,\"y\":195},\"panelIndex\":\"97611e00-8013-43c4-856d-54b0e78313d5\",\"panelRefName\":\"panel_97611e00-8013-43c4-856d-54b0e78313d5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"32296ddd-d26c-431a-8227-7ee72592cb3e\",\"w\":24,\"x\":24,\"y\":180},\"panelIndex\":\"32296ddd-d26c-431a-8227-7ee72592cb3e\",\"panelRefName\":\"panel_32296ddd-d26c-431a-8227-7ee72592cb3e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1394aa3a-d711-4634-9623-5dbaff400068\",\"w\":24,\"x\":0,\"y\":210},\"panelIndex\":\"1394aa3a-d711-4634-9623-5dbaff400068\",\"panelRefName\":\"panel_1394aa3a-d711-4634-9623-5dbaff400068\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4812c275-ae66-4de9-913e-4ebe6b8a7782\",\"w\":24,\"x\":24,\"y\":195},\
"panelIndex\":\"4812c275-ae66-4de9-913e-4ebe6b8a7782\",\"panelRefName\":\"panel_4812c275-ae66-4de9-913e-4ebe6b8a7782\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc\",\"w\":24,\"x\":0,\"y\":225},\"panelIndex\":\"5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc\",\"panelRefName\":\"panel_5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2be4e6e2-c325-4e05-9ed7-bb4534507f5a\",\"w\":24,\"x\":24,\"y\":210},\"panelIndex\":\"2be4e6e2-c325-4e05-9ed7-bb4534507f5a\",\"panelRefName\":\"panel_2be4e6e2-c325-4e05-9ed7-bb4534507f5a\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Netskope][Alerts] UBA", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-a03670f0-7208-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netskope-f1c99420-7207-11ec-8c4b-cb281099ee02", + "name": "3b340e55-d9eb-4304-a0d3-583150bd54eb:panel_3b340e55-d9eb-4304-a0d3-583150bd54eb", + "type": "visualization" + }, + { + "id": "netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02", + "name": "df123261-3370-4572-b118-09a2654264f2:panel_df123261-3370-4572-b118-09a2654264f2", + "type": "visualization" + }, + { + "id": "netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02", + "name": "649b0d8e-5d17-411d-9117-a63ad74960f1:panel_649b0d8e-5d17-411d-9117-a63ad74960f1", + "type": "visualization" + }, + { + "id": "netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02", + "name": "92b99046-01c4-413a-84dd-93ad174171b0:panel_92b99046-01c4-413a-84dd-93ad174171b0", + "type": "visualization" + }, + { + "id": "netskope-bc70e470-7209-11ec-8c4b-cb281099ee02", + "name": 
"aa10cc62-fe46-420a-88fc-9df0b78e58c1:panel_aa10cc62-fe46-420a-88fc-9df0b78e58c1", + "type": "visualization" + }, + { + "id": "netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02", + "name": "3d78958c-581d-4ad4-a768-346a4f234b25:panel_3d78958c-581d-4ad4-a768-346a4f234b25", + "type": "visualization" + }, + { + "id": "netskope-648c79d0-720a-11ec-8c4b-cb281099ee02", + "name": "cee9c637-74f0-42bd-8a30-7c8b8cb4ed01:panel_cee9c637-74f0-42bd-8a30-7c8b8cb4ed01", + "type": "visualization" + }, + { + "id": "netskope-03150a40-720b-11ec-8c4b-cb281099ee02", + "name": "9422ea18-43fb-4271-9c06-bfb40b9f9c78:panel_9422ea18-43fb-4271-9c06-bfb40b9f9c78", + "type": "visualization" + }, + { + "id": "netskope-0922ae70-720a-11ec-8c4b-cb281099ee02", + "name": "e0b7f071-f82f-457c-ad45-de3f45cd9ee8:panel_e0b7f071-f82f-457c-ad45-de3f45cd9ee8", + "type": "visualization" + }, + { + "id": "netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02", + "name": "b205b75e-5675-49ed-90d3-f183e7b80d2f:panel_b205b75e-5675-49ed-90d3-f183e7b80d2f", + "type": "visualization" + }, + { + "id": "netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02", + "name": "5513d359-dd47-44a7-856b-fadc0178aa5f:panel_5513d359-dd47-44a7-856b-fadc0178aa5f", + "type": "visualization" + }, + { + "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", + "name": "ccf70172-a85b-40e1-a616-b3b1e9a6088c:panel_ccf70172-a85b-40e1-a616-b3b1e9a6088c", + "type": "visualization" + }, + { + "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", + "name": "6c932713-9d4b-430a-a799-6d31b45ecacf:panel_6c932713-9d4b-430a-a799-6d31b45ecacf", + "type": "visualization" + }, + { + "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", + "name": "c483ecaf-49f8-4dc5-b0f0-0e1339a67d22:panel_c483ecaf-49f8-4dc5-b0f0-0e1339a67d22", + "type": "visualization" + }, + { + "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", + "name": "90096c7a-a554-4a30-89a3-7d0d63ea804c:panel_90096c7a-a554-4a30-89a3-7d0d63ea804c", + "type": "visualization" + }, + { + "id": 
"netskope-37409a80-71db-11ec-8c4b-cb281099ee02", + "name": "cd490c17-67ea-4bd1-aa9a-88f1a9c139b5:panel_cd490c17-67ea-4bd1-aa9a-88f1a9c139b5", + "type": "visualization" + }, + { + "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", + "name": "0b6ca0f2-57a6-4e90-9592-56bb052d4ca7:panel_0b6ca0f2-57a6-4e90-9592-56bb052d4ca7", + "type": "visualization" + }, + { + "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", + "name": "650391d6-5467-4b6e-b529-f89b34cacdee:panel_650391d6-5467-4b6e-b529-f89b34cacdee", + "type": "visualization" + }, + { + "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", + "name": "6b8089ba-e257-40d5-847f-516759ce8475:panel_6b8089ba-e257-40d5-847f-516759ce8475", + "type": "visualization" + }, + { + "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", + "name": "2d4098eb-54b0-474e-81b5-75fc222cb341:panel_2d4098eb-54b0-474e-81b5-75fc222cb341", + "type": "visualization" + }, + { + "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", + "name": "bbc3957b-53a2-47dd-9760-56f8ceb5289d:panel_bbc3957b-53a2-47dd-9760-56f8ceb5289d", + "type": "visualization" + }, + { + "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", + "name": "37776b9c-bfc6-4c6f-9079-2c0d23fe4a89:panel_37776b9c-bfc6-4c6f-9079-2c0d23fe4a89", + "type": "visualization" + }, + { + "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", + "name": "690c706e-c8bc-4f19-ab9e-9ba64e268647:panel_690c706e-c8bc-4f19-ab9e-9ba64e268647", + "type": "visualization" + }, + { + "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", + "name": "3753bbb6-64ab-4b10-8526-232375c9da38:panel_3753bbb6-64ab-4b10-8526-232375c9da38", + "type": "visualization" + }, + { + "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", + "name": "ebec8d00-4d63-44cd-9970-4882fcf5108f:panel_ebec8d00-4d63-44cd-9970-4882fcf5108f", + "type": "visualization" + }, + { + "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", + "name": "97611e00-8013-43c4-856d-54b0e78313d5:panel_97611e00-8013-43c4-856d-54b0e78313d5", + 
"type": "visualization" + }, + { + "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", + "name": "32296ddd-d26c-431a-8227-7ee72592cb3e:panel_32296ddd-d26c-431a-8227-7ee72592cb3e", + "type": "visualization" + }, + { + "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", + "name": "1394aa3a-d711-4634-9623-5dbaff400068:panel_1394aa3a-d711-4634-9623-5dbaff400068", + "type": "visualization" + }, + { + "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", + "name": "4812c275-ae66-4de9-913e-4ebe6b8a7782:panel_4812c275-ae66-4de9-913e-4ebe6b8a7782", + "type": "visualization" + }, + { + "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", + "name": "5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc:panel_5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc", + "type": "visualization" + }, + { + "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", + "name": "2be4e6e2-c325-4e05-9ed7-bb4534507f5a:panel_2be4e6e2-c325-4e05-9ed7-bb4534507f5a", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..1ef5de3f2e --- /dev/null +++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"policy\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"policy\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"baaf2231-c596-479b-b0ad-238fc8c7405f\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"baaf2231-c596-479b-b0ad-238fc8c7405f\",\"panelRefName\":\"panel_baaf2231-c596-479b-b0ad-238fc8c7405f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"4202f297-6899-4b88-8d71-286c85369671\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4202f297-6899-4b88-8d71-286c85369671\",\"panelRefName\":\"panel_4202f297-6899-4b88-8d71-286c85369671\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5a6d5d65-1709-4f03-8bfb-f8fc721c932d\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"5a6d5d65-1709-4f03-8bfb-f8fc721c932d\",\"panelRefName\":\"panel_5a6d5d65-1709-4f03-8bfb-f8fc721c932d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"714f5073-96fc-4838-a2b3-987a3b62bc33\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"714f5073-96fc-4838-a2b3-987a3b62bc33\",\"panelRefName\":\"panel_714f5073-96fc-4838-a2b3-987a3b62bc33\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embed
dableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"323b1896-5cd9-4382-982c-7be72721ae48\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"323b1896-5cd9-4382-982c-7be72721ae48\",\"panelRefName\":\"panel_323b1896-5cd9-4382-982c-7be72721ae48\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bf72a578-2949-4de8-b4de-5d56b067efd0\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"bf72a578-2949-4de8-b4de-5d56b067efd0\",\"panelRefName\":\"panel_bf72a578-2949-4de8-b4de-5d56b067efd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"069358fe-da68-4d45-a0f0-aa7eaa4c1db7\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"069358fe-da68-4d45-a0f0-aa7eaa4c1db7\",\"panelRefName\":\"panel_069358fe-da68-4d45-a0f0-aa7eaa4c1db7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4521dff-0b61-4d7c-b86d-8cd3fe341b61\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"f4521dff-0b61-4d7c-b86d-8cd3fe341b61\",\"panelRefName\":\"panel_f4521dff-0b61-4d7c-b86d-8cd3fe341b61\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ca498f3d-dee7-4ad3-ad0b-92e9719890f6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"ca498f3d-dee7-4ad3-ad0b-92e9719890f6\",\"panelRefName\":\"panel_ca498f3d-dee7-4ad3-ad0b-92e9719890f6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f7bb1094-f089-4f2d-98b2-8ad73597a045\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"f7bb1094-f089-4f2d-98b2-8ad73597a045\",\"panelRefName\":\"panel_f7bb1094-f089-4f2d-98b2-8ad73597a045\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"648b3fc0-5826-4478-a8a8-be02
ec93b757\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"648b3fc0-5826-4478-a8a8-be02ec93b757\",\"panelRefName\":\"panel_648b3fc0-5826-4478-a8a8-be02ec93b757\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5ac14a5f-c30a-4e76-8d13-984f21ceb9ba\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5ac14a5f-c30a-4e76-8d13-984f21ceb9ba\",\"panelRefName\":\"panel_5ac14a5f-c30a-4e76-8d13-984f21ceb9ba\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"365a5a5d-0a5a-4723-935c-346fafc76c55\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"365a5a5d-0a5a-4723-935c-346fafc76c55\",\"panelRefName\":\"panel_365a5a5d-0a5a-4723-935c-346fafc76c55\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dce8a31-9c43-4a5c-afcd-a0ca9cdda312\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"8dce8a31-9c43-4a5c-afcd-a0ca9cdda312\",\"panelRefName\":\"panel_8dce8a31-9c43-4a5c-afcd-a0ca9cdda312\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bfbea77-62ee-49f6-a0c4-d38b5894a137\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"6bfbea77-62ee-49f6-a0c4-d38b5894a137\",\"panelRefName\":\"panel_6bfbea77-62ee-49f6-a0c4-d38b5894a137\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fd2a100e-72d7-4432-8fdf-2b8185964894\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"fd2a100e-72d7-4432-8fdf-2b8185964894\",\"panelRefName\":\"panel_fd2a100e-72d7-4432-8fdf-2b8185964894\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0a553ef7-103e-495c-9e6d-3e3fe2945fbe\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"0a553ef7-103e-495c-9e6d-3e3fe2945fbe\
",\"panelRefName\":\"panel_0a553ef7-103e-495c-9e6d-3e3fe2945fbe\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d7e9ce08-5c56-4606-a7c9-afc702edee17\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"d7e9ce08-5c56-4606-a7c9-afc702edee17\",\"panelRefName\":\"panel_d7e9ce08-5c56-4606-a7c9-afc702edee17\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"36f7a988-2b45-4ce1-b613-5a97f2708865\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"36f7a988-2b45-4ce1-b613-5a97f2708865\",\"panelRefName\":\"panel_36f7a988-2b45-4ce1-b613-5a97f2708865\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cbc5ad63-8ee6-4f93-8502-60ceb118e14e\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"cbc5ad63-8ee6-4f93-8502-60ceb118e14e\",\"panelRefName\":\"panel_cbc5ad63-8ee6-4f93-8502-60ceb118e14e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"162ca71c-5ea9-44d1-9667-c48682cd7292\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"162ca71c-5ea9-44d1-9667-c48682cd7292\",\"panelRefName\":\"panel_162ca71c-5ea9-44d1-9667-c48682cd7292\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4e858190-599f-4e73-8772-c8a0d3fe103f\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"4e858190-599f-4e73-8772-c8a0d3fe103f\",\"panelRefName\":\"panel_4e858190-599f-4e73-8772-c8a0d3fe103f\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Netskope][Alerts] Policy", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02", + "name": "baaf2231-c596-479b-b0ad-238fc8c7405f:panel_baaf2231-c596-479b-b0ad-238fc8c7405f", + "type": "visualization" + }, + { + "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", + "name": "4202f297-6899-4b88-8d71-286c85369671:panel_4202f297-6899-4b88-8d71-286c85369671", + "type": "visualization" + }, + { + "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", + "name": "5a6d5d65-1709-4f03-8bfb-f8fc721c932d:panel_5a6d5d65-1709-4f03-8bfb-f8fc721c932d", + "type": "visualization" + }, + { + "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", + "name": "714f5073-96fc-4838-a2b3-987a3b62bc33:panel_714f5073-96fc-4838-a2b3-987a3b62bc33", + "type": "visualization" + }, + { + "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", + "name": "323b1896-5cd9-4382-982c-7be72721ae48:panel_323b1896-5cd9-4382-982c-7be72721ae48", + "type": "visualization" + }, + { + "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", + "name": "bf72a578-2949-4de8-b4de-5d56b067efd0:panel_bf72a578-2949-4de8-b4de-5d56b067efd0", + "type": "visualization" + }, + { + "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", + "name": "069358fe-da68-4d45-a0f0-aa7eaa4c1db7:panel_069358fe-da68-4d45-a0f0-aa7eaa4c1db7", + "type": "visualization" + }, + { + "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", + "name": "f4521dff-0b61-4d7c-b86d-8cd3fe341b61:panel_f4521dff-0b61-4d7c-b86d-8cd3fe341b61", + "type": "visualization" + }, + { + "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", + "name": "ca498f3d-dee7-4ad3-ad0b-92e9719890f6:panel_ca498f3d-dee7-4ad3-ad0b-92e9719890f6", + "type": "visualization" + }, + { + "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", + "name": "f7bb1094-f089-4f2d-98b2-8ad73597a045:panel_f7bb1094-f089-4f2d-98b2-8ad73597a045", + "type": "visualization" + }, + { + "id": 
"netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", + "name": "648b3fc0-5826-4478-a8a8-be02ec93b757:panel_648b3fc0-5826-4478-a8a8-be02ec93b757", + "type": "visualization" + }, + { + "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", + "name": "5ac14a5f-c30a-4e76-8d13-984f21ceb9ba:panel_5ac14a5f-c30a-4e76-8d13-984f21ceb9ba", + "type": "visualization" + }, + { + "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", + "name": "365a5a5d-0a5a-4723-935c-346fafc76c55:panel_365a5a5d-0a5a-4723-935c-346fafc76c55", + "type": "visualization" + }, + { + "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", + "name": "8dce8a31-9c43-4a5c-afcd-a0ca9cdda312:panel_8dce8a31-9c43-4a5c-afcd-a0ca9cdda312", + "type": "visualization" + }, + { + "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", + "name": "6bfbea77-62ee-49f6-a0c4-d38b5894a137:panel_6bfbea77-62ee-49f6-a0c4-d38b5894a137", + "type": "visualization" + }, + { + "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", + "name": "fd2a100e-72d7-4432-8fdf-2b8185964894:panel_fd2a100e-72d7-4432-8fdf-2b8185964894", + "type": "visualization" + }, + { + "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", + "name": "0a553ef7-103e-495c-9e6d-3e3fe2945fbe:panel_0a553ef7-103e-495c-9e6d-3e3fe2945fbe", + "type": "visualization" + }, + { + "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", + "name": "d7e9ce08-5c56-4606-a7c9-afc702edee17:panel_d7e9ce08-5c56-4606-a7c9-afc702edee17", + "type": "visualization" + }, + { + "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", + "name": "36f7a988-2b45-4ce1-b613-5a97f2708865:panel_36f7a988-2b45-4ce1-b613-5a97f2708865", + "type": "visualization" + }, + { + "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", + "name": "cbc5ad63-8ee6-4f93-8502-60ceb118e14e:panel_cbc5ad63-8ee6-4f93-8502-60ceb118e14e", + "type": "visualization" + }, + { + "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", + "name": "162ca71c-5ea9-44d1-9667-c48682cd7292:panel_162ca71c-5ea9-44d1-9667-c48682cd7292", + 
"type": "visualization" + }, + { + "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", + "name": "4e858190-599f-4e73-8772-c8a0d3fe103f:panel_4e858190-599f-4e73-8772-c8a0d3fe103f", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..36550b0059 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,147 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"729f9e92-d075-4a1a-bcf0-db456d39e724\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"729f9e92-d075-4a1a-bcf0-db456d39e724\",\"panelRefName\":\"panel_729f9e92-d075-4a1a-bcf0-db456d39e724\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1c47cf4d-6ec1-48fd-9db4-237bbf50dcde\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"1c47cf4d-6ec1-48fd-9db4-237bbf50dcde\",\"panelRefName\":\"panel_1c47cf4d-6ec1-48fd-9db4-237bbf50dcde\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc\",\"panelRefName\":\"panel_66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c\",\"panelRefName\":\"panel_e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c\",\"type\":\"visualization\",\"versio
n\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"92b187cb-5b44-404e-890b-fa8326868e36\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"92b187cb-5b44-404e-890b-fa8326868e36\",\"panelRefName\":\"panel_92b187cb-5b44-404e-890b-fa8326868e36\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9\",\"panelRefName\":\"panel_89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"23dfb547-1341-4b1a-9011-02f307aed221\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"23dfb547-1341-4b1a-9011-02f307aed221\",\"panelRefName\":\"panel_23dfb547-1341-4b1a-9011-02f307aed221\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b\",\"panelRefName\":\"panel_2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"faced4fb-cc57-4a4e-a51b-5b27fda57ab0\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"faced4fb-cc57-4a4e-a51b-5b27fda57ab0\",\"panelRefName\":\"panel_faced4fb-cc57-4a4e-a51b-5b27fda57ab0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2bf7e9f-4500-4848-b180-0a567d702d6b\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"a2bf7e9f-4500-4848-b180-0a567d702d6b\",\"panelRefName\":\"panel_a2bf7e9f-4500-4848-b180-0a567d702d6b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"55bd
a241-c95f-4c9f-ad5b-8a199890b163\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"55bda241-c95f-4c9f-ad5b-8a199890b163\",\"panelRefName\":\"panel_55bda241-c95f-4c9f-ad5b-8a199890b163\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8eee17e1-802f-47f7-b29d-669762b68849\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"8eee17e1-802f-47f7-b29d-669762b68849\",\"panelRefName\":\"panel_8eee17e1-802f-47f7-b29d-669762b68849\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9175a01c-5781-4771-b5ab-fceaf12bfcc7\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"9175a01c-5781-4771-b5ab-fceaf12bfcc7\",\"panelRefName\":\"panel_9175a01c-5781-4771-b5ab-fceaf12bfcc7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"decfcd4a-6565-43ab-bccf-0ba7a992fd94\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"decfcd4a-6565-43ab-bccf-0ba7a992fd94\",\"panelRefName\":\"panel_decfcd4a-6565-43ab-bccf-0ba7a992fd94\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"41f74a84-f471-4895-9443-cdf02a955cd8\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"41f74a84-f471-4895-9443-cdf02a955cd8\",\"panelRefName\":\"panel_41f74a84-f471-4895-9443-cdf02a955cd8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0\",\"panelRefName\":\"panel_ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f3a73b11-012a-4517-9a2f-623494321346\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"f3a73b11-012a
-4517-9a2f-623494321346\",\"panelRefName\":\"panel_f3a73b11-012a-4517-9a2f-623494321346\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f43a0df7-6e17-4523-891c-04e65c22ad22\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"f43a0df7-6e17-4523-891c-04e65c22ad22\",\"panelRefName\":\"panel_f43a0df7-6e17-4523-891c-04e65c22ad22\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"774541fd-cefb-422b-ac26-12f4b8528e7e\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"774541fd-cefb-422b-ac26-12f4b8528e7e\",\"panelRefName\":\"panel_774541fd-cefb-422b-ac26-12f4b8528e7e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"38569123-9613-46c8-ae0f-10f87bee71ed\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"38569123-9613-46c8-ae0f-10f87bee71ed\",\"panelRefName\":\"panel_38569123-9613-46c8-ae0f-10f87bee71ed\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a9d1659e-0caf-416c-8520-f96b7e765fb1\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"a9d1659e-0caf-416c-8520-f96b7e765fb1\",\"panelRefName\":\"panel_a9d1659e-0caf-416c-8520-f96b7e765fb1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1e02ac55-c2e1-4383-a282-129bcf97ef4f\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"1e02ac55-c2e1-4383-a282-129bcf97ef4f\",\"panelRefName\":\"panel_1e02ac55-c2e1-4383-a282-129bcf97ef4f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"89576865-7807-4305-abee-1b92248de9fc\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"89576865-7807-4305-abee-1b92248de9fc\",\"panelRefName\":\"panel_89576865-7807-4305-abee-1b92248de9fc\",\"type\":\"visualization\",\"
version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2b3e3a8f-4689-4aad-a5ef-8380200768c0\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"2b3e3a8f-4689-4aad-a5ef-8380200768c0\",\"panelRefName\":\"panel_2b3e3a8f-4689-4aad-a5ef-8380200768c0\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Netskope][Alerts] DLP", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netskope-516130e0-71eb-11ec-8c4b-cb281099ee02", + "name": "729f9e92-d075-4a1a-bcf0-db456d39e724:panel_729f9e92-d075-4a1a-bcf0-db456d39e724", + "type": "visualization" + }, + { + "id": "netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02", + "name": "1c47cf4d-6ec1-48fd-9db4-237bbf50dcde:panel_1c47cf4d-6ec1-48fd-9db4-237bbf50dcde", + "type": "visualization" + }, + { + "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", + "name": "66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc:panel_66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc", + "type": "visualization" + }, + { + "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", + "name": "e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c:panel_e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c", + "type": "visualization" + }, + { + "id": "netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02", + "name": "92b187cb-5b44-404e-890b-fa8326868e36:panel_92b187cb-5b44-404e-890b-fa8326868e36", + "type": "visualization" + }, + { + "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", + "name": "89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9:panel_89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9", + "type": "visualization" + }, + { + "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", + "name": "23dfb547-1341-4b1a-9011-02f307aed221:panel_23dfb547-1341-4b1a-9011-02f307aed221", + "type": "visualization" 
+ }, + { + "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", + "name": "2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b:panel_2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b", + "type": "visualization" + }, + { + "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", + "name": "faced4fb-cc57-4a4e-a51b-5b27fda57ab0:panel_faced4fb-cc57-4a4e-a51b-5b27fda57ab0", + "type": "visualization" + }, + { + "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", + "name": "a2bf7e9f-4500-4848-b180-0a567d702d6b:panel_a2bf7e9f-4500-4848-b180-0a567d702d6b", + "type": "visualization" + }, + { + "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", + "name": "55bda241-c95f-4c9f-ad5b-8a199890b163:panel_55bda241-c95f-4c9f-ad5b-8a199890b163", + "type": "visualization" + }, + { + "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", + "name": "8eee17e1-802f-47f7-b29d-669762b68849:panel_8eee17e1-802f-47f7-b29d-669762b68849", + "type": "visualization" + }, + { + "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", + "name": "9175a01c-5781-4771-b5ab-fceaf12bfcc7:panel_9175a01c-5781-4771-b5ab-fceaf12bfcc7", + "type": "visualization" + }, + { + "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", + "name": "decfcd4a-6565-43ab-bccf-0ba7a992fd94:panel_decfcd4a-6565-43ab-bccf-0ba7a992fd94", + "type": "visualization" + }, + { + "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", + "name": "41f74a84-f471-4895-9443-cdf02a955cd8:panel_41f74a84-f471-4895-9443-cdf02a955cd8", + "type": "visualization" + }, + { + "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", + "name": "ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0:panel_ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0", + "type": "visualization" + }, + { + "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", + "name": "f3a73b11-012a-4517-9a2f-623494321346:panel_f3a73b11-012a-4517-9a2f-623494321346", + "type": "visualization" + }, + { + "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", + "name": 
"f43a0df7-6e17-4523-891c-04e65c22ad22:panel_f43a0df7-6e17-4523-891c-04e65c22ad22", + "type": "visualization" + }, + { + "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", + "name": "774541fd-cefb-422b-ac26-12f4b8528e7e:panel_774541fd-cefb-422b-ac26-12f4b8528e7e", + "type": "visualization" + }, + { + "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", + "name": "38569123-9613-46c8-ae0f-10f87bee71ed:panel_38569123-9613-46c8-ae0f-10f87bee71ed", + "type": "visualization" + }, + { + "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", + "name": "a9d1659e-0caf-416c-8520-f96b7e765fb1:panel_a9d1659e-0caf-416c-8520-f96b7e765fb1", + "type": "visualization" + }, + { + "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", + "name": "1e02ac55-c2e1-4383-a282-129bcf97ef4f:panel_1e02ac55-c2e1-4383-a282-129bcf97ef4f", + "type": "visualization" + }, + { + "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", + "name": "89576865-7807-4305-abee-1b92248de9fc:panel_89576865-7807-4305-abee-1b92248de9fc", + "type": "visualization" + }, + { + "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", + "name": "2b3e3a8f-4689-4aad-a5ef-8380200768c0:panel_2b3e3a8f-4689-4aad-a5ef-8380200768c0", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..8f2f13b1cf --- /dev/null +++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,132 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"9b39019c-58f4-4613-9109-2865e86acee2\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"9b39019c-58f4-4613-9109-2865e86acee2\",\"panelRefName\":\"panel_9b39019c-58f4-4613-9109-2865e86acee2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ad69cae5-30ec-424e-b6b9-44e3d3979273\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"ad69cae5-30ec-424e-b6b9-44e3d3979273\",\"panelRefName\":\"panel_ad69cae5-30ec-424e-b6b9-44e3d3979273\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"8c6f7513-48aa-4457-ab23-7e528bfe1dcd\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"8c6f7513-48aa-4457-ab23-7e528bfe1dcd\",\"panelRefName\":\"panel_8c6f7513-48aa-4457-ab23-7e528bfe1dcd\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"fa6b11ac-3e40-4a52-9596-52d73081690d\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"fa6b11ac-3e40-4a52-9596-52d73081690d\",\"panelRefName\":\"panel_fa6b11ac-3e40-4a52-9596-52d73081690d\",\"type\":\"visualizat
ion\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a1e0af01-0501-4fa8-96ab-b5f8cccd50c3\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"a1e0af01-0501-4fa8-96ab-b5f8cccd50c3\",\"panelRefName\":\"panel_a1e0af01-0501-4fa8-96ab-b5f8cccd50c3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745\",\"panelRefName\":\"panel_ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b7a38f86-d6e4-45d5-a490-34a522910597\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"b7a38f86-d6e4-45d5-a490-34a522910597\",\"panelRefName\":\"panel_b7a38f86-d6e4-45d5-a490-34a522910597\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5\",\"panelRefName\":\"panel_8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3729697c-99a7-44aa-b08f-956fbdd7fd52\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"3729697c-99a7-44aa-b08f-956fbdd7fd52\",\"panelRefName\":\"panel_3729697c-99a7-44aa-b08f-956fbdd7fd52\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"428a29ce-c3cf-4c1e-8884-28216396972a\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"428a29ce-c3cf-4c1e-8884-28216396972a\",\"panelRefName\":\"panel_428a29ce-c3cf-4c1e-8884-28216396972a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":1
5,\"i\":\"8236132e-146b-46b9-80c7-8566b41ac58c\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"8236132e-146b-46b9-80c7-8566b41ac58c\",\"panelRefName\":\"panel_8236132e-146b-46b9-80c7-8566b41ac58c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"bc8801ce-4f2e-43ee-94f9-7dbed415fa95\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"bc8801ce-4f2e-43ee-94f9-7dbed415fa95\",\"panelRefName\":\"panel_bc8801ce-4f2e-43ee-94f9-7dbed415fa95\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"87729323-edef-43f8-9ec7-b9c3212ba067\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"87729323-edef-43f8-9ec7-b9c3212ba067\",\"panelRefName\":\"panel_87729323-edef-43f8-9ec7-b9c3212ba067\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6ae15ec6-52a8-4037-82f4-0c6d6438a301\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"6ae15ec6-52a8-4037-82f4-0c6d6438a301\",\"panelRefName\":\"panel_6ae15ec6-52a8-4037-82f4-0c6d6438a301\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"014d7310-feb8-4078-9ff4-4174cf8f0c7a\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"014d7310-feb8-4078-9ff4-4174cf8f0c7a\",\"panelRefName\":\"panel_014d7310-feb8-4078-9ff4-4174cf8f0c7a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"29065c13-ac1a-49d3-a76e-de75726936ac\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"29065c13-ac1a-49d3-a76e-de75726936ac\",\"panelRefName\":\"panel_29065c13-ac1a-49d3-a76e-de75726936ac\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"49f8d21b-3a7b-4d6e-a478-e815766c292a\",\"w\":24,\"x\":
0,\"y\":120},\"panelIndex\":\"49f8d21b-3a7b-4d6e-a478-e815766c292a\",\"panelRefName\":\"panel_49f8d21b-3a7b-4d6e-a478-e815766c292a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"13b86156-05e3-4be7-98b9-1e4b9833c411\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"13b86156-05e3-4be7-98b9-1e4b9833c411\",\"panelRefName\":\"panel_13b86156-05e3-4be7-98b9-1e4b9833c411\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8\",\"panelRefName\":\"panel_fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1aa39804-8029-4770-bc25-e2e94a29e83b\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"1aa39804-8029-4770-bc25-e2e94a29e83b\",\"panelRefName\":\"panel_1aa39804-8029-4770-bc25-e2e94a29e83b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85675e54-cd8f-4ca1-b0a6-e4f2766011e2\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"85675e54-cd8f-4ca1-b0a6-e4f2766011e2\",\"panelRefName\":\"panel_85675e54-cd8f-4ca1-b0a6-e4f2766011e2\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Netskope][Events] Page", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netskope-914898a0-72af-11ec-8c4b-cb281099ee02", + "name": "9b39019c-58f4-4613-9109-2865e86acee2:panel_9b39019c-58f4-4613-9109-2865e86acee2", + "type": "visualization" + }, 
+ { + "id": "netskope-c01026d0-72af-11ec-8c4b-cb281099ee02", + "name": "ad69cae5-30ec-424e-b6b9-44e3d3979273:panel_ad69cae5-30ec-424e-b6b9-44e3d3979273", + "type": "visualization" + }, + { + "id": "netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02", + "name": "8c6f7513-48aa-4457-ab23-7e528bfe1dcd:panel_8c6f7513-48aa-4457-ab23-7e528bfe1dcd", + "type": "visualization" + }, + { + "id": "netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02", + "name": "fa6b11ac-3e40-4a52-9596-52d73081690d:panel_fa6b11ac-3e40-4a52-9596-52d73081690d", + "type": "visualization" + }, + { + "id": "netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02", + "name": "a1e0af01-0501-4fa8-96ab-b5f8cccd50c3:panel_a1e0af01-0501-4fa8-96ab-b5f8cccd50c3", + "type": "visualization" + }, + { + "id": "netskope-528169b0-72b6-11ec-8c4b-cb281099ee02", + "name": "ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745:panel_ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745", + "type": "visualization" + }, + { + "id": "netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02", + "name": "b7a38f86-d6e4-45d5-a490-34a522910597:panel_b7a38f86-d6e4-45d5-a490-34a522910597", + "type": "visualization" + }, + { + "id": "netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02", + "name": "8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5:panel_8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5", + "type": "visualization" + }, + { + "id": "netskope-40a01500-72db-11ec-8c4b-cb281099ee02", + "name": "3729697c-99a7-44aa-b08f-956fbdd7fd52:panel_3729697c-99a7-44aa-b08f-956fbdd7fd52", + "type": "visualization" + }, + { + "id": "netskope-891546c0-72db-11ec-8c4b-cb281099ee02", + "name": "428a29ce-c3cf-4c1e-8884-28216396972a:panel_428a29ce-c3cf-4c1e-8884-28216396972a", + "type": "visualization" + }, + { + "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", + "name": "8236132e-146b-46b9-80c7-8566b41ac58c:panel_8236132e-146b-46b9-80c7-8566b41ac58c", + "type": "visualization" + }, + { + "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", + "name": 
"bc8801ce-4f2e-43ee-94f9-7dbed415fa95:panel_bc8801ce-4f2e-43ee-94f9-7dbed415fa95", + "type": "visualization" + }, + { + "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", + "name": "87729323-edef-43f8-9ec7-b9c3212ba067:panel_87729323-edef-43f8-9ec7-b9c3212ba067", + "type": "visualization" + }, + { + "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", + "name": "6ae15ec6-52a8-4037-82f4-0c6d6438a301:panel_6ae15ec6-52a8-4037-82f4-0c6d6438a301", + "type": "visualization" + }, + { + "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", + "name": "014d7310-feb8-4078-9ff4-4174cf8f0c7a:panel_014d7310-feb8-4078-9ff4-4174cf8f0c7a", + "type": "visualization" + }, + { + "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", + "name": "29065c13-ac1a-49d3-a76e-de75726936ac:panel_29065c13-ac1a-49d3-a76e-de75726936ac", + "type": "visualization" + }, + { + "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", + "name": "49f8d21b-3a7b-4d6e-a478-e815766c292a:panel_49f8d21b-3a7b-4d6e-a478-e815766c292a", + "type": "visualization" + }, + { + "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", + "name": "13b86156-05e3-4be7-98b9-1e4b9833c411:panel_13b86156-05e3-4be7-98b9-1e4b9833c411", + "type": "visualization" + }, + { + "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", + "name": "fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8:panel_fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8", + "type": "visualization" + }, + { + "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", + "name": "1aa39804-8029-4770-bc25-e2e94a29e83b:panel_1aa39804-8029-4770-bc25-e2e94a29e83b", + "type": "visualization" + }, + { + "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", + "name": "85675e54-cd8f-4ca1-b0a6-e4f2766011e2:panel_85675e54-cd8f-4ca1-b0a6-e4f2766011e2", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file 
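Review bot: `"description": ""` at the top of this hunk leaves the [Netskope][Events] Page dashboard undocumented in Kibana, even though its scope is fixed by the saved search: a phrase filter `netskope.events.event_type: page` and the KQL `data_stream.dataset : "netskope.events"`, both resolved through the `logs-*` index-pattern reference at the start of `references`. Suggest `"description": "Netskope page events (data_stream.dataset: netskope.events, event_type: page) queried over the logs-* index pattern."` so an analyst knows the 21 panels are pre-filtered before reading them. The KQL string also ends with a trailing space before the closing quote; harmless, but trimming it keeps the saved queries uniform across the package.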
diff --git a/packages/netskope/0.1.2/kibana/dashboard/netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/dashboard/netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..f6150287fe --- /dev/null +++ b/packages/netskope/0.1.2/kibana/dashboard/netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"7b3d09e3-1987-4202-a3a7-6f0ea3c441d3\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7b3d09e3-1987-4202-a3a7-6f0ea3c441d3\",\"panelRefName\":\"panel_7b3d09e3-1987-4202-a3a7-6f0ea3c441d3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"a6294ee5-eaed-4c98-9e3d-2ddcc1c24649\",\"w\":24,\"x\":0,\"y\":5},\"panelIndex\":\"a6294ee5-eaed-4c98-9e3d-2ddcc1c24649\",\"panelRefName\":\"panel_a6294ee5-eaed-4c98-9e3d-2ddcc1c24649\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"3f9bbd86-5074-4a11-82e0-dd80b2727b63\",\"w\":24,\"x\":24,\"y\":5},\"panelIndex\":\"3f9bbd86-5074-4a11-82e0-dd80b2727b63\",\"panelRefName\":\"panel_3f9bbd86-5074-4a11-82e0-dd80b2727b63\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"758d5f91-4e32-4dba-b9a2-78dd39a2ae33\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"758d5f91-4e32-4dba-b9a2-78dd39a2ae33\",\"panelRefName\":\"panel_758d5f91-4e32-4dba-b9a2-78dd39a2ae33\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"50a67c99-45bf-4877-a02a-1c2fbabf5a7d\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"50a67c99-45bf-4877-a02a-1c2fbabf5a7d\",\"panelRefName\":\"panel_50a67c99-45bf-4877-a02a-1c2fbabf5a7d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\
"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a\",\"panelRefName\":\"panel_92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e71428cd-6aa7-410e-9401-b00c6661589d\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"e71428cd-6aa7-410e-9401-b00c6661589d\",\"panelRefName\":\"panel_e71428cd-6aa7-410e-9401-b00c6661589d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5296e207-4ad5-4936-b802-7a57e9bad6f5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5296e207-4ad5-4936-b802-7a57e9bad6f5\",\"panelRefName\":\"panel_5296e207-4ad5-4936-b802-7a57e9bad6f5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e6adbd85-a30a-4210-a05a-0c56c2362657\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"e6adbd85-a30a-4210-a05a-0c56c2362657\",\"panelRefName\":\"panel_e6adbd85-a30a-4210-a05a-0c56c2362657\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2\",\"w\":24,\"x\":0,\"y\":65},\"panelIndex\":\"3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2\",\"panelRefName\":\"panel_3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a7581748-99c7-4a63-aa09-61a0c039fe4b\",\"w\":24,\"x\":24,\"y\":65},\"panelIndex\":\"a7581748-99c7-4a63-aa09-61a0c039fe4b\",\"panelRefName\":\"panel_a7581748-99c7-4a63-aa09-61a0c039fe4b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"651622f6-9e33-486b-b99
6-6fe0a89d3ad9\",\"w\":24,\"x\":0,\"y\":80},\"panelIndex\":\"651622f6-9e33-486b-b996-6fe0a89d3ad9\",\"panelRefName\":\"panel_651622f6-9e33-486b-b996-6fe0a89d3ad9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"454a5cbd-3538-4448-84fc-b0f83c8a1970\",\"w\":24,\"x\":24,\"y\":80},\"panelIndex\":\"454a5cbd-3538-4448-84fc-b0f83c8a1970\",\"panelRefName\":\"panel_454a5cbd-3538-4448-84fc-b0f83c8a1970\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bcd9b35e-19ef-42d9-847a-d7518a21b0d9\",\"w\":24,\"x\":0,\"y\":95},\"panelIndex\":\"bcd9b35e-19ef-42d9-847a-d7518a21b0d9\",\"panelRefName\":\"panel_bcd9b35e-19ef-42d9-847a-d7518a21b0d9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"22dad9c8-4909-4efa-9f59-02a3ca979151\",\"w\":24,\"x\":24,\"y\":95},\"panelIndex\":\"22dad9c8-4909-4efa-9f59-02a3ca979151\",\"panelRefName\":\"panel_22dad9c8-4909-4efa-9f59-02a3ca979151\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8c6ab1fd-e0c5-438b-b0c9-392d90c273b1\",\"w\":24,\"x\":0,\"y\":110},\"panelIndex\":\"8c6ab1fd-e0c5-438b-b0c9-392d90c273b1\",\"panelRefName\":\"panel_8c6ab1fd-e0c5-438b-b0c9-392d90c273b1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a5927e76-29f1-4c6b-85e0-ed1dee3de6c9\",\"w\":24,\"x\":24,\"y\":110},\"panelIndex\":\"a5927e76-29f1-4c6b-85e0-ed1dee3de6c9\",\"panelRefName\":\"panel_a5927e76-29f1-4c6b-85e0-ed1dee3de6c9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7846948a-db42-497c-b956-ac5d7dd7383d\",\"w\":24,\"x\":0,\"y\":140},\"panelIndex\":\"7846948a-db42-497c-b956-ac5d7dd
7383d\",\"panelRefName\":\"panel_7846948a-db42-497c-b956-ac5d7dd7383d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8cb62986-e557-4d71-8de0-6f88ec7535d8\",\"w\":24,\"x\":24,\"y\":125},\"panelIndex\":\"8cb62986-e557-4d71-8de0-6f88ec7535d8\",\"panelRefName\":\"panel_8cb62986-e557-4d71-8de0-6f88ec7535d8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"de6f44ab-bef8-4518-bbb0-4afde2144001\",\"w\":24,\"x\":0,\"y\":125},\"panelIndex\":\"de6f44ab-bef8-4518-bbb0-4afde2144001\",\"panelRefName\":\"panel_de6f44ab-bef8-4518-bbb0-4afde2144001\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b2e8e6c8-d585-49c1-ba49-5a8c4fab5080\",\"w\":24,\"x\":24,\"y\":140},\"panelIndex\":\"b2e8e6c8-d585-49c1-ba49-5a8c4fab5080\",\"panelRefName\":\"panel_b2e8e6c8-d585-49c1-ba49-5a8c4fab5080\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d1633b77-5ee0-42ed-995f-d5e01cef7d3b\",\"w\":24,\"x\":0,\"y\":155},\"panelIndex\":\"d1633b77-5ee0-42ed-995f-d5e01cef7d3b\",\"panelRefName\":\"panel_d1633b77-5ee0-42ed-995f-d5e01cef7d3b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"17fbf33c-a3be-4e8e-afae-195fb4a37fa8\",\"w\":24,\"x\":24,\"y\":155},\"panelIndex\":\"17fbf33c-a3be-4e8e-afae-195fb4a37fa8\",\"panelRefName\":\"panel_17fbf33c-a3be-4e8e-afae-195fb4a37fa8\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Netskope] Alerts Overview", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": 
"netskope-de309310-71d9-11ec-8c4b-cb281099ee02", + "name": "7b3d09e3-1987-4202-a3a7-6f0ea3c441d3:panel_7b3d09e3-1987-4202-a3a7-6f0ea3c441d3", + "type": "visualization" + }, + { + "id": "netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02", + "name": "a6294ee5-eaed-4c98-9e3d-2ddcc1c24649:panel_a6294ee5-eaed-4c98-9e3d-2ddcc1c24649", + "type": "visualization" + }, + { + "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", + "name": "3f9bbd86-5074-4a11-82e0-dd80b2727b63:panel_3f9bbd86-5074-4a11-82e0-dd80b2727b63", + "type": "visualization" + }, + { + "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", + "name": "758d5f91-4e32-4dba-b9a2-78dd39a2ae33:panel_758d5f91-4e32-4dba-b9a2-78dd39a2ae33", + "type": "visualization" + }, + { + "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", + "name": "50a67c99-45bf-4877-a02a-1c2fbabf5a7d:panel_50a67c99-45bf-4877-a02a-1c2fbabf5a7d", + "type": "visualization" + }, + { + "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", + "name": "92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a:panel_92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a", + "type": "visualization" + }, + { + "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", + "name": "e71428cd-6aa7-410e-9401-b00c6661589d:panel_e71428cd-6aa7-410e-9401-b00c6661589d", + "type": "visualization" + }, + { + "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", + "name": "5296e207-4ad5-4936-b802-7a57e9bad6f5:panel_5296e207-4ad5-4936-b802-7a57e9bad6f5", + "type": "visualization" + }, + { + "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", + "name": "e6adbd85-a30a-4210-a05a-0c56c2362657:panel_e6adbd85-a30a-4210-a05a-0c56c2362657", + "type": "visualization" + }, + { + "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", + "name": "3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2:panel_3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2", + "type": "visualization" + }, + { + "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", + "name": "a7581748-99c7-4a63-aa09-61a0c039fe4b:panel_a7581748-99c7-4a63-aa09-61a0c039fe4b", + 
"type": "visualization" + }, + { + "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", + "name": "651622f6-9e33-486b-b996-6fe0a89d3ad9:panel_651622f6-9e33-486b-b996-6fe0a89d3ad9", + "type": "visualization" + }, + { + "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", + "name": "454a5cbd-3538-4448-84fc-b0f83c8a1970:panel_454a5cbd-3538-4448-84fc-b0f83c8a1970", + "type": "visualization" + }, + { + "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", + "name": "bcd9b35e-19ef-42d9-847a-d7518a21b0d9:panel_bcd9b35e-19ef-42d9-847a-d7518a21b0d9", + "type": "visualization" + }, + { + "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", + "name": "22dad9c8-4909-4efa-9f59-02a3ca979151:panel_22dad9c8-4909-4efa-9f59-02a3ca979151", + "type": "visualization" + }, + { + "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", + "name": "8c6ab1fd-e0c5-438b-b0c9-392d90c273b1:panel_8c6ab1fd-e0c5-438b-b0c9-392d90c273b1", + "type": "visualization" + }, + { + "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", + "name": "a5927e76-29f1-4c6b-85e0-ed1dee3de6c9:panel_a5927e76-29f1-4c6b-85e0-ed1dee3de6c9", + "type": "visualization" + }, + { + "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", + "name": "7846948a-db42-497c-b956-ac5d7dd7383d:panel_7846948a-db42-497c-b956-ac5d7dd7383d", + "type": "visualization" + }, + { + "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", + "name": "8cb62986-e557-4d71-8de0-6f88ec7535d8:panel_8cb62986-e557-4d71-8de0-6f88ec7535d8", + "type": "visualization" + }, + { + "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", + "name": "de6f44ab-bef8-4518-bbb0-4afde2144001:panel_de6f44ab-bef8-4518-bbb0-4afde2144001", + "type": "visualization" + }, + { + "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", + "name": "b2e8e6c8-d585-49c1-ba49-5a8c4fab5080:panel_b2e8e6c8-d585-49c1-ba49-5a8c4fab5080", + "type": "visualization" + }, + { + "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", + "name": 
"d1633b77-5ee0-42ed-995f-d5e01cef7d3b:panel_d1633b77-5ee0-42ed-995f-d5e01cef7d3b", + "type": "visualization" + }, + { + "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", + "name": "17fbf33c-a3be-4e8e-afae-195fb4a37fa8:panel_17fbf33c-a3be-4e8e-afae-195fb4a37fa8", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-03150a40-720b-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-03150a40-720b-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..e63d8d3ea0 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-03150a40-720b-11ec-8c4b-cb281099ee02.json 
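Review bot: The [Netskope] Alerts Overview dashboard also ships with `"description": ""`, and unlike the events dashboard it declares `"filter":[]` and no index-pattern reference, so the only dashboard-level scoping is the KQL `data_stream.dataset : "netskope.alerts"` and each of the 23 panels depends on the index pattern inside its own visualization. That is worth stating for maintainers, e.g. `"description": "Overview of Netskope alerts (data_stream.dataset: netskope.alerts); index pattern comes from each embedded visualization."`. Most of the referenced visualization IDs here (`netskope-37409a80-...`, `netskope-7f8d83c0-...`, `netskope-1b3226c0-...` and others) are the same objects the preceding dashboard in this diff references, so a change to one of those visualizations alters both dashboards at once.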
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.telemetry.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.telemetry.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of UBA Alerts by Telemetery App", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Telemetry 
App\",\"exclude\":\"none\",\"field\":\"netskope.alerts.telemetry.app\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of UBA Alerts by Telemetery App\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-03150a40-720b-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..de6a746151 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02.json 
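Review bot: The visualization title is misspelled: `Telemetery App` appears in the top-level `"title"` and again inside `visState`, and it is user-visible wherever this panel is embedded; both occurrences should read `"title": "[Netskope] Distribution of UBA Alerts by Telemetry App"`. The terms aggregation additionally sets `"exclude":"none"`, which Kibana hands to the aggregation as an exclude pattern, so a UBA alert whose `netskope.alerts.telemetry.app` is literally `none` passes the `exists` filter but is dropped from the chart. If that is deliberate, say so in `"description"` (currently empty); if not, clear the `exclude` parameter.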
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.access_method\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.access_method\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by Access Method", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Access Method\",\"field\":\"netskope.events.access_method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Access Method\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-0922ae70-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-0922ae70-720a-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..65bda788f2 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-0922ae70-720a-11ec-8c4b-cb281099ee02.json 
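Review bot: This pie presents percentages (`"valuesFormat":"percent"`) under the title "Distribution of Events by Access Method", but its terms aggregation uses `"size":5` with `"otherBucket":false`, so if more than five distinct `netskope.events.access_method` values occur the remainder is silently dropped and the shown slices still sum to 100% over the visible subset. Either raise `"size"` or set `"otherBucket":true` so the omitted share is displayed rather than hidden. `"description"` is empty here too; a one-line note of the exists filter and the top-N cut-off would help readers of the events dashboard interpret the chart.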
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.page.site\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.page.site\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 Page Site", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Page Site\",\"field\":\"netskope.alerts.page.site\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Page Site\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-0922ae70-720a-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..82e9f663f4 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.category.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.category.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by Category", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"netskope.events.category.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\
"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Category\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..d150083ad3 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.os.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by OS", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"user_agent.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by OS\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-187e0140-71f5-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-187e0140-71f5-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..97177729c6 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-187e0140-71f5-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.sa.rule.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.sa.rule.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "title": "[Netskope] Top 10 Security Assessment Rule Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Security Assessment Rule Name\",\"field\":\"netskope.alerts.sa.rule.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Security Assessment Rule Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-187e0140-71f5-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": 
"7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..155dfcfe37 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.activity.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.activity.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of Alerts by Activity", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Activity\",\"field\":\"netskope.alerts.activity.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"
color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Activity\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..7dcdb32b6d --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,40 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.tunnel.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.tunnel.up_time\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.up_time\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Tunnel Uptime Over Time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Tunnel 
Uptime\",\"field\":\"netskope.events.tunnel.up_time\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Tunnel Type\",\"field\":\"netskope.events.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Tunnel 
Uptime\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Tunnel Uptime\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Tunnel Uptime Over Time\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-24907420-72b0-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-24907420-72b0-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..06e6a0996b --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-24907420-72b0-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Severity Level Over Time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Severity 
Level\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Severity Level Over Time\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-24907420-72b0-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..1db1e211f9 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.dlp.file\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.dlp.file\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 DLP Files", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"DLP Files\",\"field\":\"netskope.alerts.dlp.file\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 DLP Files\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..b076fbb38e --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"file.mime_type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"file.mime_type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 File Types", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"File Types\",\"field\":\"file.mime_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 File Types\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-2b81f870-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-2b81f870-71da-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..1aeeb1b3e6 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-2b81f870-71da-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.access_method\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.access_method\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of Alerts by Access Method", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Access Method\",\"field\":\"netskope.alerts.access_method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Access Method\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..fbf09761cb --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 UBA Policy", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"netskope.alerts.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 UBA Policy\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..0362694068 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.managed.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.managed.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of UBA Alerts by Percentage of Managed Apps", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Managed 
App\",\"field\":\"netskope.alerts.managed.app\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Percentage of Managed Apps\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-327320f0-72ac-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-327320f0-72ac-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..dd7813210d --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-327320f0-72ac-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.tunnel.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Network Events by Tunnel Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel 
Type\",\"field\":\"netskope.events.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Network Events by Tunnel Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-327320f0-72ac-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-357672b0-72a8-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-357672b0-72a8-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..55fea541c8 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-357672b0-72a8-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.site\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.site\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top 10 Sites", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Site\",\"field\":\"netskope.events.site\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Sites\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-37409a80-71db-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-37409a80-71db-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..3b2074fa94 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-37409a80-71db-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.app.category\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.app.category\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "title": "[Netskope] Distribution of Alerts by App Category", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"App Category\",\"field\":\"netskope.alerts.app.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine
\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by App Category\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..a5bcfcf409 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.threshold.value\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.threshold.value\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Max Threshold Value per User", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threshold 
Value\",\"field\":\"netskope.alerts.threshold.value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Max Threshold Value per User\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-40a01500-72db-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-40a01500-72db-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..e233be9f9a --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-40a01500-72db-11ec-8c4b-cb281099ee02.json 
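Review bot: The title "[Netskope] Max Threshold Value per User" does not match what the visState computes: the only metric is a `count` aggregation (id "1"), and both terms buckets (`netskope.alerts.threshold.value`, then `user.email`) are ordered by that count, so the table shows the most frequent threshold values rather than the maximum per user. Either rename the title to what it shows, or replace the metric with a max aggregation on the threshold field, as the "Highest Tunnel Uptime for Tunnel Type" object in this same commit does with `{\"customLabel\":\"Max Threshold Value\",\"field\":\"netskope.alerts.threshold.value\"},\"schema\":\"metric\",\"type\":\"max\"` and a single `user.email` bucket. Note that a terms bucket on a numeric threshold field also splits a user's alerts across rows, so the per-user reading the title promises is not recoverable from this table as saved.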
@@ -0,0 +1,40 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.city_name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"source.geo.region_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.region_name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"source.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.country_iso_code\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top 10 Source Location, Source Region, Source Country", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Location\",\"field\":\"source.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source 
Region\",\"field\":\"source.geo.region_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Source Location, Source Region, Source Country\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-40a01500-72db-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-41932530-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-41932530-72a7-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..75dd366a3f --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-41932530-72a7-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.device.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.device.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by Device", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"netskope.events.device.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Device\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-464ce970-72b7-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-464ce970-72b7-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..0291951a06 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-464ce970-72b7-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,40 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.tunnel.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.tunnel.up_time\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.up_time\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Highest Tunnel Uptime for Tunnel Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Max Tunnel Uptime\",\"field\":\"netskope.events.tunnel.up_time\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel 
Type\",\"field\":\"netskope.events.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Highest Tunnel Uptime for Tunnel Type\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-464ce970-72b7-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-47132800-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-47132800-72a9-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..7636bd384a --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-47132800-72a9-11ec-8c4b-cb281099ee02.json 
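Review bot: The terms bucket on `netskope.events.tunnel.type` in this visState uses `\"size\":10000`, while every other terms aggregation in these saved objects uses 5 or 10 and the table itself only renders `perPage: 10`. Tunnel type is presumably a low-cardinality keyword, so the large size buys nothing but asks Elasticsearch to build and ship up to 10000 buckets per shard on every dashboard refresh, which is the kind of setting that surfaces as slow or circuit-broken queries on busy `logs-*` indices. Unless there is a reason to expect thousands of distinct tunnel types, align it with the rest of the package, `\"size\":10`.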
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by Cloud Confidence Level", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cloud Confidence Level\",\"field\":\"netskope.events.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"c
olor\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Cloud Confidence Level\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..8308ba4195 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "title": "[Netskope] Trend of Cloud Confidence Level Over Time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Cloud Confidence 
Level\",\"field\":\"netskope.alerts.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Trend of Cloud Confidence Level Over Time\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + 
"type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-516130e0-71eb-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-516130e0-71eb-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..f08ad9f6bf --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-516130e0-71eb-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.dlp.rule.severity\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.dlp.rule.severity\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of DLP Alerts by DLP Rule Severity", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"DLP Rule 
Severity\",\"field\":\"netskope.alerts.dlp.rule.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of DLP Alerts by DLP Rule Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-516130e0-71eb-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..72987c814c --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02.json 
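Review bot: The alert-type filter in searchSourceJSON matches `netskope.alerts.type` against `DLP` in upper case, while the sibling quarantine and policy visualizations in this change match lower-case values (`quarantine`, `policy`). If the field is mapped as keyword, `match_phrase` is case-sensitive, so a casing mismatch with the value Netskope actually emits would leave this pie permanently empty rather than surfacing an error. Confirm the casing against the data stream's field definition or a sample event and align all three type filters to one convention; if the pipeline lower-cases the field, this filter should match `dlp` in both `params.query` and the `match_phrase` clause.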
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user_agent.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.version\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by Browser, Browser Version", + "uiStateJSON": "{}", + "version": 1, + "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Browser\",\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Browser, Browser Version\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
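Review bot: The outer terms bucket on `user_agent.name` in visState uses `\"size\":2` with `\"otherBucket\":false`, so the pie titled "Distribution of Events by Browser, Browser Version" silently shows only the two most common browsers and drops everything else without an "Other" slice; every other terms bucket in this change uses 5 or 10. If 2 is not deliberate, change it to `\"size\":5`, or enable `otherBucket` so the omitted share is at least visible. An analyst looking here for unusual or spoofed user agents would otherwise never see them in this panel.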
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-528169b0-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-528169b0-72b6-11ec-8c4b-cb281099ee02.json
new file mode 100755
index 0000000000..ff92cee1a0
--- /dev/null
+++ b/packages/netskope/0.1.2/kibana/visualization/netskope-528169b0-72b6-11ec-8c4b-cb281099ee02.json
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.domain\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.domain\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top 10 Domain Accessed by Page Events", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"netskope.events.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Domain Accessed by Page Events\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-528169b0-72b6-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + 
"name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-55144a90-72ab-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-55144a90-72ab-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..ece13da665 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-55144a90-72ab-11ec-8c4b-cb281099ee02.json 
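Review bot: This saved-object JSON is added with `new file mode 100755` (see this file's diff header), i.e. with the executable bit set, as are the other visualization files in this change; these are data files consumed by Fleet and Kibana and have no reason to be executable. Commit them as `100644` (for example `git update-index --chmod=-x` on the JSON files) so the package does not ship spurious executable bits. Separately, the title `[Netskope] Top 10 Domain Accessed by Page Events` reads better as `[Netskope] Top 10 Domains Accessed by Page Events` in both `title` and the visState `title`.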
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top 10 Policy used", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"netskope.events.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Policy used\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-55144a90-72ab-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..ea167e2cc1 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02.json 
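Review bot: The title `[Netskope] Top 10 Policy used` undersells what the panel actually shows: filter[0] in searchSourceJSON restricts it to `netskope.events.event_type : network`, so this is the top 10 policies matched by network events only, not across all events. A reader comparing it with the quarantine-alert policy table will draw the wrong conclusion about overall policy coverage. Rename it in both `title` and the visState `title` to something like `[Netskope] Top 10 Policies Hit by Network Events`, or drop the event_type filter if an all-events view was intended.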
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.object.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.object.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of Alerts by Object Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object Type\",\"field\":\"netskope.alerts.object.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"
color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Object Type\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..8c2a0beaab --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.action\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"event.action\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Network Events by Action", + "uiStateJSON": "{}", + "version": 1, + "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Network Events by Action\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..08db6fd3dc --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 Policy for Quarantine Alerts", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"netskope.alerts.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Policy for Quarantine Alerts\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": 
"logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..5bc1f93605 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"policy\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"policy\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.alert.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.alert.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "title": "[Netskope] Distribution of Policy Alerts by Alert Name ", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert 
Name\",\"field\":\"netskope.alerts.alert.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Policy Alerts by Alert Name \",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" 
+ }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-5e243140-72b5-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-5e243140-72b5-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..264570500c --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-5e243140-72b5-11ec-8c4b-cb281099ee02.json 
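Review bot: Both the saved-object `title` and the visState `title` for this histogram carry a trailing space (`... by Alert Name `), the only title in this set that does; Kibana renders and indexes the title with that space, which makes the panel awkward to find by exact title and inconsistent with the `[Netskope] ...` naming elsewhere. Trim it to `[Netskope] Distribution of Policy Alerts by Alert Name` in both places.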
@@ -0,0 +1,40 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.app.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.app.activity\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.activity\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top 10 Application Activities by Application", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Application 
Activities\",\"field\":\"netskope.events.app.activity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Application\",\"field\":\"netskope.events.app.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Application Activities by Application\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-5e243140-72b5-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..c8ee17f5e9 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.app.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}"
+ },
+ "title": "[Netskope] Top 10 Application Activities",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Applications\",\"field\":\"netskope.events.app.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Application Activities\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "7.16.2",
+ "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
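Review bot: The title `[Netskope] Top 10 Application Activities` does not match the visState, which buckets on `netskope.events.app.name` with the label `Applications` and applies no `app.activity` or event_type filter — this table lists the top 10 applications by event count, not activities. The sibling table `Top 10 Application Activities by Application` is the one that actually aggregates `netskope.events.app.activity`, so on the dashboard the two panels will look like duplicates with contradictory contents. Rename this one to `[Netskope] Top 10 Applications` in both `title` and the visState `title`.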
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-5f452920-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-5f452920-71da-11ec-8c4b-cb281099ee02.json
new file mode 100755
index 0000000000..585f434e24
--- /dev/null
+++ b/packages/netskope/0.1.2/kibana/visualization/netskope-5f452920-71da-11ec-8c4b-cb281099ee02.json
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.acked\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.acked\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "title": "[Netskope] Distribution of Alerts by Acknowledgement", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"netskope.alerts.acked : false\"},\"label\":\"False\"},{\"input\":{\"language\":\"kuery\",\"query\":\"netskope.alerts.acked : true\"},\"label\":\"True\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Acknowledgement\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-648c79d0-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-648c79d0-720a-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..35dd2ab157 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-648c79d0-720a-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.actions\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.actions\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of UBA Alerts by Policy Action", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy 
Action\",\"field\":\"netskope.alerts.policy.actions\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Policy Action\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-648c79d0-720a-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..a6e659852a --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.country_iso_code\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 Source Country", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Source Country\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-719e0f30-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-719e0f30-72af-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..b66ef1d6cd --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-719e0f30-72af-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"infrastructure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"infrastructure\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.device.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.device.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Infrastructure Events by Device Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device 
Name\",\"field\":\"netskope.events.device.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Infrastructure Events by Device Name\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-719e0f30-72af-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..a801c22acc --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.page\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.page\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top 10 Page Accessed by Page Events", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Page\",\"field\":\"netskope.events.page\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Page Accessed by Page Events\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..c50947064c --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.ip.protocol\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.ip.protocol\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Networks Events by IP Protocol", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IP 
Protocol\",\"field\":\"netskope.events.ip.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Networks Events by IP Protocol\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..8bc7685fcb --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02.json 
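Review bot: The title of this new visualization reads `[Netskope] Distribution of Networks Events by IP Protocol`, both in `attributes.title` and in the title embedded in `visState`; "Networks" should be "Network", matching the sibling objects in this commit (`Distribution of Infrastructure Events by Device Name`, `Distribution of Alerts by Cloud Confidence Level`). Both copies must change together, otherwise the saved-object title and the embedded visualization title diverge: `"title": "[Netskope] Distribution of Network Events by IP Protocol"` and the matching `\"title\":\"[Netskope] Distribution of Network Events by IP Protocol\"` inside `visState`. Since these files look like Kibana exports, the cleaner route is to fix the title in Kibana and re-export so the two stay in sync.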
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.region.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.region.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of SA Alerts by Region Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Region 
Name\",\"field\":\"netskope.alerts.region.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of SA Alerts by Region Name\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..d51452f475 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.file.lang\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.file.lang\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of Alerts by File Language ", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"File Language\",\"field\":\"netskope.alerts.file.lang\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"c
olor\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by File Language \",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..5f68195714 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02.json 
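Review bot: `attributes.title` and the `visState` title in this hunk end with a trailing space (`"[Netskope] Distribution of Alerts by File Language "`), and the same defect is in the hunk for `netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02.json` (`... by Event Type of Original Event `). The whitespace is invisible in the UI but makes exact-title matching and future diffs against a re-exported object unreliable, so trim it in both copies: `"title": "[Netskope] Distribution of Alerts by File Language"` and the corresponding `\"title\":\"[Netskope] Distribution of Alerts by File Language\"` inside `visState`. The KQL query strings in several of these hunks also carry a trailing space after the closing quote (`data_stream.dataset : \"netskope.events\" `); that one is harmless to KQL but worth normalising at the same time for consistency with the `netskope.alerts` objects that lack it.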
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.site\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.site\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 Site", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Site\",\"field\":\"netskope.alerts.site\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Site\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..9453bd293f --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "title": "[Netskope] Distribution of Alerts by Cloud Confidence Level", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cloud Confidence Level\",\"field\":\"netskope.alerts.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"c
olor\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Cloud Confidence Level\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..65c66d83c7 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.orig_ty\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.orig_ty\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of UBA Alerts by Event Type of Original Event ", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event type of Original 
Event\",\"field\":\"netskope.alerts.orig_ty\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Event Type of Original Event \",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..179a06a4ba --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.access_method\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.access_method\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.email\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user.email\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top Users By Access Method", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Access 
Method\",\"field\":\"netskope.events.access_method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top Users By Access Method\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-8705deb0-71de-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-8705deb0-71de-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..b21098fd2a --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-8705deb0-71de-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.email\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user.email\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "title": "[Netskope] Top 10 Alert Type by User ", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"netskope.alerts.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":11},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":11},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Alert Type by User 
\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-891546c0-72db-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-891546c0-72db-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..63cd952080 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-891546c0-72db-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,40 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"destination.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.country_iso_code\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"destination.geo.region_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.region_name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"destination.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.city_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top 10 Destination Location, Destination Region, Destination Country", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Location\",\"field\":\"destination.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination 
Region\",\"field\":\"destination.geo.region_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Country\",\"field\":\"destination.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Destination Location, Destination Region, Destination Country\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-891546c0-72db-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..24544002e8 --- /dev/null 
+++ b/packages/netskope/0.1.2/kibana/visualization/netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.quarantine.original.shared\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.quarantine.original.shared\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of Quarantine Events by File Shared ", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"File 
Shared\",\"field\":\"netskope.alerts.quarantine.original.shared\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Quarantine Events by File Shared \",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..26b81c25f7 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02.json 
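Review bot: The count metric here has empty `\"params\":{}`, whereas every sibling visualization in this batch labels it with `{\"customLabel\":\"Count\"}`; this pie's legend and tooltip will therefore fall back to Kibana's default label instead of the one used on the rest of the dashboard. For consistency use `\"params\":{\"customLabel\":\"Count\"}` on agg id 1.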
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.city_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 Source Location", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Location\",\"field\":\"source.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Source Location\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..aa1a3fd85e --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.audit.log.event\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.audit.log.event\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Audit Events by User, Audit Log Event", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Audit Log 
Event\",\"field\":\"netskope.events.audit.log.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Distribution of Audit Events by User, Audit Log Event\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-914898a0-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-914898a0-72af-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..0510139e15 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-914898a0-72af-11ec-8c4b-cb281099ee02.json 
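Review bot: The first bucket aggregation splits on `user.email` with `\"missingBucket\":false`, but the filter list only requires `netskope.events.audit.log.event` to exist, so audit events that carry no user email are silently dropped from this table rather than shown as a Missing row. The sibling tables netskope-83fa5a10 and netskope-8705deb0 already pair their `user.email` bucket with an `exists` filter on that field. Either add the same filter here (with a matching `filter[2].meta.index` entry under `references`) or set `\"missingBucket\":true` on agg id 2 so the gap is visible to the analyst.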
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by Severity", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-914898a0-72af-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-917c9230-72b5-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-917c9230-72b5-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..dbdd28303a --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-917c9230-72b5-11ec-8c4b-cb281099ee02.json 
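Review bot: This pie is labelled a distribution and prints slice values as percentages, yet its terms aggregation keeps only `\"size\":3` buckets with `\"otherBucket\":false`, so any fourth severity level is dropped and the percentages are computed over the shown slices only; I cannot tell from the hunk how many distinct severity values the dataset can carry. The same pattern (top-N slices, no Other bucket, percent labels) appears in netskope-7f9d2540, netskope-8c226d50 and netskope-9b93d9d0 with `size` 5. Unless the field is known to have at most that many values, set `\"otherBucket\":true` (the `otherBucketLabel` is already present) so the remainder is visible.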
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.object.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.object.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top 10 Objects which is being acted on", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object\",\"field\":\"netskope.events.object.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Objects which is being acted on\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-917c9230-72b5-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ 
+ { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..53cadf2c6b --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02.json 
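Review bot: The title `[Netskope] Top 10 Objects which is being acted on` is ungrammatical and is duplicated verbatim inside `visState`. Propose `[Netskope] Top 10 Objects Being Acted On` in both places (the `title` attribute and the `\"title\"` key of `visState`), changed in the same edit so the two copies stay identical.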
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Trend of Cloud Confidence Level Over Time for Events", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Cloud Confidence 
Level\",\"field\":\"netskope.events.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Trend of Cloud Confidence Level Over Time for Events\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": 
"index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..95533fb16a --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "title": "[Netskope] Distribution of Alerts by Browser", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Browser\",\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Browser\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..b2644fad90 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.alert.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.alert.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 Security Assessment Alert Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Name\",\"field\":\"netskope.alerts.alert.name\",\"json\":\"\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Security Assessment Alert Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, 
+ "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..6b50b42626 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"network.protocol\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Networks Events by Protocol", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Networks Events by 
Protocol\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..344a4153b5 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Application Events by Browser", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Browser\",\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Application Events by Browser\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", 
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..613ab40309 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,40 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.request.count\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.request.count\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.page\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.page\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top 10 Request Count for Page", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Request 
Count\",\"field\":\"netskope.events.request.count\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Page\",\"field\":\"netskope.events.page\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Request Count for Page\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..c7a1d45680 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.object.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.object.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Application Events by Object Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object 
Type\",\"field\":\"netskope.events.object.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Application Events by Object Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-a4745040-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-a4745040-71dd-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..3972019d7b --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-a4745040-71dd-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.traffic.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.traffic.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of Alerts by Traffic Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Traffic Type\",\"field\":\"netskope.alerts.traffic.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Traffic Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", 
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..bf2807eacf --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Netskope][Events] Select Event Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"netskope.events.event_type\",\"id\":\"1641881851553\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Event Type Selection\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"[Netskope][Events] Select Event Type\",\"type\":\"input_control_vis\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..8dc80cbff7 --- /dev/null 
+++ b/packages/netskope/0.1.2/kibana/visualization/netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of UBA Alerts by Severity", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"netskope.alerts.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] 
Distribution of UBA Alerts by Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..bc2e9cf751 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.region_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.region_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by Source Region", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Region\",\"field\":\"source.geo.region_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#
E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Source Region\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-b0b26610-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-b0b26610-71df-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..65b9d928d6 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-b0b26610-71df-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"destination.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.country_iso_code\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 Destination Country", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Country\",\"field\":\"destination.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Destination Country\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-bc70e470-7209-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-bc70e470-7209-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..e157906e4e --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-bc70e470-7209-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user_agent.os.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.version\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of UBA Alerts by OS Version", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"user_agent.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts 
by OS Version\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-bc70e470-7209-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..054db583b4 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.device.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.device.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "title": "[Netskope] Distribution of Alerts by Device", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"netskope.alerts.device.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\
"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Device\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..fdc31c9ea6 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.quarantine.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.quarantine.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "title": "[Netskope] Top 10 Quarantine Applications", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Quarantine Application\",\"field\":\"netskope.alerts.quarantine.app\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Quarantine Applications\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + 
"references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-c01026d0-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-c01026d0-72af-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..875f0b687c --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-c01026d0-72af-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Severity Over Time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":13},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palet
te\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Severity Over Time\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-c01026d0-72af-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..48b1e7a670 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.app.category\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.category\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by App Category", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"App Category\",\"field\":\"netskope.events.app.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine
\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by App Category\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..44b8effcdb --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.email\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user.email\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top 10 Users doing Activities ", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Users doing Activities \",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..b108b09856 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.app.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.app.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" + }, + "title": "[Netskope] Top 10 Apps", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Applications\",\"field\":\"netskope.alerts.app.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Apps\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..39f63b6634 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of Alerts by Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"netskope.alerts.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,
\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Type\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-d1189e60-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-d1189e60-71df-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..ff38d96f8b --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-d1189e60-71df-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"destination.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.city_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 Destination Location", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Location\",\"field\":\"destination.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Destination Location\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-d9596770-72a8-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-d9596770-72a8-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..cfa47a672b --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-d9596770-72a8-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.traffic.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.traffic.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by Traffic Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Traffic Type\",\"field\":\"netskope.events.traffic.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Traffic Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..bbac81c480 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,40 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.response.count\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.response.count\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.page\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.page\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Top 10 Response Count for Page", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response 
Count\",\"field\":\"netskope.events.response.count\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Page\",\"field\":\"netskope.events.page\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Response Count for Page\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..3de7dd6294 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.os.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user_agent.os.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.version\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by OS, OS Version", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"user_agent.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by OS, OS Version\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..eba12a9f4e --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Top 10 Policy ", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Top 10 DLP Policy\",\"field\":\"netskope.alerts.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Policy \",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-de309310-71d9-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-de309310-71d9-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..354947d7c5 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-de309310-71d9-11ec-8c4b-cb281099ee02.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Netskope][Alerts] Select Alert Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"netskope.alerts.type\",\"id\":\"1641794009450\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Alert Type Selection\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"[Netskope][Alerts] Select Alert Type\",\"type\":\"input_control_vis\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-de309310-71d9-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
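Review bot: The title of visualization netskope-dd1de560 carries a trailing space, `"[Netskope] Top 10 Policy "`, repeated inside the embedded visState `"title"`, and it also disagrees with the bucket label `"Top 10 DLP Policy"` and with the pinned filter `netskope.alerts.type: DLP` in the same object, so the panel reads as a generic policy table while it only shows DLP alerts. Use the same trimmed, specific string in both places, e.g. `"title": "[Netskope] Top 10 DLP Policy"`, since Kibana shows the saved-object title verbatim in panel headers and search results. The same trailing-whitespace titles appear in netskope-e2e46e60 (`"... by Alarm Name "`) and netskope-f4fb96d0 (`"... by Category "`), and the KQL in netskope-e15f2790, e2e46e60 and e8cecff0 has a trailing space after `\"netskope.events\"` that the alerts visualizations do not have; harmless, but worth normalizing in one pass so the exported objects diff cleanly on the next re-export.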
diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..de6dadfd9d --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.event_type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by Event Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"netskope.events.event_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Event Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { 
+ "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..1dde9bccd5 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"infrastructure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"infrastructure\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.alarm.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.alarm.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Infrastructure Events by Alarm Name ", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alarm 
Name\",\"field\":\"netskope.events.alarm.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Infrastructure Events by Alarm Name \",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..74969e6a5d --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Events by Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"netskope.events.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false
,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Type\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..414d3d6f30 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.device.classification\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.device.classification\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of UBA Alerts by Device Classification", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device 
Classification\",\"field\":\"netskope.alerts.device.classification\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Device Classification\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-f1c99420-7207-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-f1c99420-7207-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..fc285b9b3f --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-f1c99420-7207-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.alert.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.alert.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of UBA Alerts by Alert Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert 
Name\",\"field\":\"netskope.alerts.alert.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of UBA Alerts by Alert Name\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-f1c99420-7207-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..6dbf820574 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.category.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.category.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of Alerts by Category ", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"netskope.alerts.category.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\
"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Category \",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-f9097160-71f3-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-f9097160-71f3-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..e32e00549f --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-f9097160-71f3-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.sa.rule.severity\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.sa.rule.severity\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of SA Alerts by SA Rule Severity", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"SA Rule 
Severity\",\"field\":\"netskope.alerts.sa.rule.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of SA Alerts by SA Rule Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-f9097160-71f3-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..5cb3c8d1e5 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.quarantine.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.quarantine.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Total Number of Apps Quarantined", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Quarantined Applications\",\"field\":\"netskope.alerts.quarantine.app\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Netskope] Total Number of Apps Quarantined\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..d8d371bba7 --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" + }, + "title": "[Netskope] Distribution of Alerts by Alert Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"netskope.alerts.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":11},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", 
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/kibana/visualization/netskope-feb43930-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/0.1.2/kibana/visualization/netskope-feb43930-72af-11ec-8c4b-cb281099ee02.json new file mode 100755 index 0000000000..9ed3fc8eca --- /dev/null +++ b/packages/netskope/0.1.2/kibana/visualization/netskope-feb43930-72af-11ec-8c4b-cb281099ee02.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" + }, + "title": "[Netskope] Distribution of Audit Events by Severity Level", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity 
Level\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Audit Events by Severity Level\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "netskope-feb43930-72af-11ec-8c4b-cb281099ee02", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netskope/0.1.2/manifest.yml b/packages/netskope/0.1.2/manifest.yml new file mode 100755 index 0000000000..8867454ed1 --- /dev/null +++ b/packages/netskope/0.1.2/manifest.yml 
@@ -0,0 +1,74 @@
+format_version: 1.0.0
+name: netskope
+title: "Netskope"
+version: 0.1.2
+license: basic
+description: Collect logs from Netskope with Elastic Agent.
+type: integration
+categories:
+ - security
+release: beta
+conditions:
+ kibana.version: ^7.17.0 || ^8.0.0
+screenshots:
+ - src: /img/netskope-alerts-screenshot.png
+ title: Netskope Alert logs screenshot
+ size: 600x600
+ type: image/png
+ - src: /img/netskope-events-screenshot.png
+ title: Netskope Event logs screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/netskope-logo.svg
+ title: Netskope logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: netskope
+ title: Netskope logs
+ description: Collect Netskope logs
+ inputs:
+ - type: tcp
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ title: Collect Netskope logs via TCP input
+ description: Collecting Netskope logs via TCP input
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/o365/1.4.3/changelog.yml b/packages/o365/1.4.3/changelog.yml
new file mode 100755
index 0000000000..e5c960664d
--- /dev/null
+++ b/packages/o365/1.4.3/changelog.yml
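Review bot: The `ssl` variable's description (`i.e. certificate_authorities, supported_protocols, verification_mode etc.`) does not say what an empty value means, and with `show_user: false` the setting is hidden from the default form, so a user who follows the `listen_address` description and binds to `0.0.0.0` presumably ends up with a plaintext TCP listener on every interface without being told (nothing in this manifest shows TLS being enforced elsewhere). I would state the consequence in the description, e.g. `description: TLS settings for the TCP listener (e.g. certificate_authorities, supported_protocols, verification_mode). Leave empty only when listen_address is a loopback address or the network is otherwise trusted; without it the listener accepts plaintext.` The `i.e.` should be `e.g.` in any case, since these are examples of keys rather than the full set. The sample certificate in the default block is fully commented out, so it only serves as a template and is fine to keep.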
@@ -0,0 +1,142 @@
+# newer versions go on top
+- version: "1.4.3"
+ changes:
+ - description: Replace invalid field value
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/xxxx
+- version: "1.4.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.4.1"
+ changes:
+ - description: Fix grok parsing errors due to invalid IP addresses.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2669
+- version: "1.4.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2427
+- version: "1.3.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.3.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.3.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2252
+- version: "1.2.4"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2096
+- version: "1.2.3"
+ changes:
+ - description: Fix processors configuration
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2113
+- version: "1.2.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1976
+- version: "1.2.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1837
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1670
+- version: "1.1.4"
+ changes:
+ - description: additional type assertions in painless scripts
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1642
+- version: "1.1.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1493
+- version: '1.1.2'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1402
+- version: "1.1.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "1.1.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1219
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1219
+- version: "0.6.2"
+ changes:
+ - description: Use `wildcard` field type for the relevant ECS fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1180
+- version: "0.6.1"
+ changes:
+ - description: small pipeline fix for parameters when they are string instead of objects
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1136
+- version: "0.6.0"
+ changes:
+ - description: add system tests
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1119
+ - description: fixes o365audit config file
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1119
+- version: "0.5.0"
+ changes:
+ - description: update to ECS 1.10.0 and adding event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1117
+- version: "0.4.0"
+ changes:
+ - description: moving edge processing to ingest pipelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/983
+- version: "0.3.2"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/860
+- version: "0.3.1"
+ changes:
+ - description: Change kibana.version constraint to be more conservative.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/749
+- version: "0.3.0"
+ changes:
+ - description: Add changes to use ECS 1.8 fields.
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/716
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/230
diff --git a/packages/o365/1.4.3/data_stream/audit/agent/stream/o365audit.yml.hbs b/packages/o365/1.4.3/data_stream/audit/agent/stream/o365audit.yml.hbs
new file mode 100755
index 0000000000..8656c87842
--- /dev/null
+++ b/packages/o365/1.4.3/data_stream/audit/agent/stream/o365audit.yml.hbs
@@ -0,0 +1,39 @@
+{{#if application_id}}application_id: {{application_id}}{{/if}}
+tenant_id:
+{{#each tenants}}
+ - "{{this}}"
+{{/each}}
+{{#if certificate}}certificate: {{certificate}}{{/if}}
+{{#if key}}key: {{key}}{{/if}}
+{{#if key_passphrase}}key_passphrase: {{key_passphrase}}{{/if}}
+{{#if client_secret}}client_secret: {{client_secret}}{{/if}}
+content_type:
+{{#each content_type}}
+ - "{{this}}"
+{{/each}}
+{{#if api}}
+api:
+ {{api}}
+{{/if}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+api.preserve_original_event: true
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_fields:
+ target: "_conf"
+ fields:
+ tenants:
+ {{#each tenant_names}}
+ {{this}}
+ {{/each}}
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/o365/1.4.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/1.4.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..6845e47632
--- /dev/null
+++ b/packages/o365/1.4.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
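Review bot: `key_passphrase: {{key_passphrase}}` and `client_secret: {{client_secret}}` (and `application_id`, `certificate` and `key` on the lines above them) splice the value into the rendered YAML unquoted, whereas the `tenants` and `content_type` loops quote theirs. A secret or passphrase containing ` #` or `: `, or starting with `*`, `&`, `[`, `{`, `'` or `"`, would be truncated, mis-parsed or rejected by the YAML loader, and an all-digit or boolean-looking value would be retyped, so the agent would silently authenticate with something other than what the user entered. I would quote them the way the loops already do, `{{#if key_passphrase}}key_passphrase: "{{key_passphrase}}"{{/if}}` and `{{#if client_secret}}client_secret: "{{client_secret}}"{{/if}}`, and do the same for the three identifiers; a value that can itself contain `"` or `\` would additionally need escaping before substitution, which this template does not do. The same applies to the unquoted `- {{tag}}` entries under `tags:`.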
@@ -0,0 +1,1041 @@ +--- +description: Pipeline for Office 365 Audit logs + +processors: + - set: + field: ecs.version + value: '8.0.0' + - set: + field: event.kind + value: event + - append: + field: event.type + value: info + - append: + field: event.category + value: web + # General Schema + - date: + field: o365audit.CreationTime + formats: + - ISO8601 + - rename: + field: o365audit.Id + target_field: event.id + ignore_missing: true + - rename: + field: o365audit.ClientIPAddress + target_field: client._temp + ignore_missing: true + - rename: + field: o365audit.ClientIP + target_field: client._temp + ignore_missing: true + if: ctx.client?._temp == null + - rename: + field: o365audit.ActorIpAddress + target_field: client._temp + ignore_missing: true + if: ctx.client?._temp == null + - convert: + field: o365audit.UserId + target_field: user.id + type: string + ignore_missing: true + - rename: + field: o365audit.Workload + target_field: event.provider + ignore_missing: true + - rename: + field: o365audit.Operation + target_field: event.action + ignore_missing: true + - rename: + field: o365audit.OrganizationId + target_field: organization.id + ignore_missing: true + - rename: + field: o365audit.UserAgent + target_field: user_agent.original + ignore_missing: true + - script: + if: ctx.o365audit?.RecordType != null + lang: painless + params: + "1": "ExchangeAdmin" + "2": "ExchangeItem" + "3": "ExchangeItemGroup" + "4": "SharePoint" + "6": "SharePointFileOperation" + "8": "AzureActiveDirectory" + "9": "AzureActiveDirectoryAccountLogon" + "10": "DataCenterSecurityCmdlet" + "11": "ComplianceDLPSharePoint" + "12": "Sway" + "13": "ComplianceDLPExchange" + "14": "SharePointSharingOperation" + "15": "AzureActiveDirectoryStsLogon" + "18": "SecurityComplianceCenterEOPCmdlet" + "20": "PowerBIAudit" + "21": "CRM" + "22": "Yammer" + "23": "SkypeForBusinessCmdlets" + "24": "Discovery" + "25": "MicrosoftTeams" + "28": "ThreatIntelligence" + "30": "MicrosoftFlow" + "31": "AeD" + 
"32": "MicrosoftStream" + "33": "ComplianceDLPSharePointClassification" + "35": "Project" + "36": "SharePointListOperation" + "38": "DataGovernance" + "40": "SecurityComplianceAlerts" + "41": "ThreatIntelligenceUrl" + "42": "SecurityComplianceInsights" + "44": "WorkplaceAnalytics" + "45": "PowerAppsApp" + "47": "ThreatIntelligenceAtpContent" + "49": "TeamsHealthcare" + "52": "DataInsightsRestApiAudit" + "54": "SharePointListItemOperation" + "55": "SharePointContentTypeOperation" + "56": "SharePointFieldOperation" + "64": "AirInvestigation" + "66": "MicrosoftForms" + source: > + def schemaId = ctx.o365audit.RecordType.toString(); + def schema = params[schemaId]; + if (schema != null) { + if (ctx.event == null) { + ctx.event = new HashMap(); + } + ctx.event.code = schema; + } + - set: + field: event.outcome + value: success + if: 'ctx.o365audit?.ResultStatus != null && ["succeeded", "success", "partiallysucceeded", "true"].contains(ctx.o365audit?.ResultStatus.toLowerCase())' + - set: + field: event.outcome + value: failure + if: 'ctx.o365audit?.ResultStatus != null && ["failed", "false"].contains(ctx.o365audit?.ResultStatus.toLowerCase())' + - set: + field: event.outcome + value: success + if: ctx.event?.outcome == null + - script: + lang: painless + if: 'ctx.o365audit?.Parameters != null && ctx.o365audit?.Parameters instanceof List' + source: > + def newparams = new HashMap(); + def oldparams = ctx.o365audit.Parameters; + for (int i = 0; i < oldparams.length; ++i) { + if (oldparams[i]["Value"] != null) { + newparams[oldparams[i]["Name"]] = oldparams[i]["Value"]; + } + } + ctx.o365audit.Parameters = newparams; + - rename: + field: o365audit.Parameters + target_field: o365audit.Parameters._raw + if: 'ctx.o365audit?.Parameters != null && ctx.o365audit?.Parameters instanceof String' + - script: + lang: painless + if: 'ctx.o365audit?.ExtendedProperties != null && ctx.o365audit?.ExtendedProperties instanceof List' + source: > + def newparams = new HashMap(); + def 
oldparams = ctx.o365audit.ExtendedProperties; + for (int i = 0; i < oldparams.length; ++i) { + if (oldparams[i]["Value"] != null) { + newparams[oldparams[i]["Name"]] = oldparams[i]["Value"]; + } + } + ctx.o365audit.ExtendedProperties = newparams; + - rename: + field: o365audit.ExtendedProperties + target_field: o365audit.ExtendedProperties._raw + if: 'ctx.o365audit?.ExtendedProperties != null && ctx.o365audit?.ExtendedProperties instanceof String' + - script: + lang: painless + if: 'ctx.o365audit?.ModifiedProperties != null && ctx.o365audit?.ModifiedProperties instanceof List' + source: > + def newparams = new HashMap(); + def oldparams = ctx.o365audit.ModifiedProperties; + for (int i = 0; i < oldparams.length; ++i) { + if (oldparams[i]["OldValue"] != null && oldparams[i]["NewValue"] != null) { + def validname = oldparams[i]["Name"].replace(" ","_").replace(".","_"); + newparams[validname] = new HashMap(); + newparams[validname]["NewValue"] = oldparams[i]["NewValue"]; + newparams[validname]["OldValue"] = oldparams[i]["OldValue"]; + } + } + if (newparams == null) { + ctx.o365audit.remove("ModifiedProperties"); + return; + } + ctx.o365audit.ModifiedProperties = newparams; + - rename: + field: o365audit.ModifiedProperties + target_field: o365audit.ModifiedProperties._raw + if: 'ctx.o365audit?.ModifiedProperties != null && ctx.o365audit?.ModifiedProperties instanceof String' + - script: + lang: painless + if: 'ctx.o365audit?.AlertLinks != null && ctx.o365audit?.AlertLinks instanceof List' + source: > + def list = ctx.o365audit.AlertLinks; + def links = new ArrayList(); + for (int i = 0; i < list.length; ++i) { + if (list[i] instanceof Map && list[i].containsKey("AlertLinkHref") && list[i]["AlertLinkHref"] != null && list[i]["AlertLinkHref"] instanceof String) { + links.add(list[i]["AlertLinkHref"]); + } + } + if (links.length == 0) { + ctx.o365audit.remove("AlertLinks"); + return; + } + ctx.o365audit.AlertLinks = links; + - set: + field: event.severity + value: 1 + if: 
ctx.o365audit?.Severity == "informational" + - set: + field: event.severity + value: 2 + if: ctx.o365audit?.Severity == "low" + - set: + field: event.severity + value: 3 + if: ctx.o365audit?.Severity == "medium" + - set: + field: event.severity + value: 4 + if: ctx.o365audit?.Severity == "high" + # ExchangeAdmin Schema + - rename: + field: o365audit.OrganizationName + target_field: organization.name + ignore_missing: true + if: ctx.event?.code == "ExchangeAdmin" + - rename: + field: o365audit.OriginatingServer + target_field: server._temp + ignore_missing: true + if: ctx.event?.code == "ExchangeAdmin" + # ExchangeItem Schema + - rename: + field: o365audit.MailboxOwnerUPN + target_field: user.email + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + - convert: + field: o365audit.LogonUserSid + target_field: user.id + type: string + ignore_missing: true + if: 'ctx.user?.id == null && ctx.o365audit?.LogonUserSid != null && ctx.event?.code == "ExchangeItem"' + - rename: + field: o365audit.LogonUserDisplayName + target_field: user.full_name + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + - rename: + field: o365audit.OrganizationName + target_field: organization.name + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + - rename: + field: o365audit.OriginatingServer + target_field: server._temp + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + - rename: + field: o365audit.ClientIPAddress + target_field: client._temp + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + - rename: + field: o365audit.ClientProcessName + target_field: process.name + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + # AzureActiveDirectory Schema + - set: + field: user.target.id + copy_from: o365audit.ObjectId + if: ctx.event?.code == "AzureActiveDirectory" + ## AzureActiveDirectory Schema new user + - set: + field: event.action + value: added-user-account + if: 'ctx.event?.code == "AzureActiveDirectory" && 
ctx.event?.action == "Add user."' + - append: + field: event.category + value: iam + if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "added-user-account"' + - append: + field: event.type + value: user + if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "added-user-account"' + - append: + field: event.type + value: creation + if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "added-user-account"' + ## AzureActiveDirectory Schema update user + - set: + field: event.action + value: modified-user-account + if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "Update user."' + - append: + field: event.category + value: iam + if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "modified-user-account"' + - append: + field: event.type + value: user + if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "modified-user-account"' + - append: + field: event.type + value: change + if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "modified-user-account"' + ## AzureActiveDirectory Schema delete user + - set: + field: event.action + value: deleted-user-account + if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "Delete user."' + - append: + field: event.category + value: iam + if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "deleted-user-account"' + - append: + field: event.type + value: user + if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "deleted-user-account"' + - append: + field: event.type + value: deletion + if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "deleted-user-account"' + # AzureActiveDirectoryStsLogon Schema + - append: + field: event.category + value: authentication + if: ctx.event?.code == "AzureActiveDirectoryStsLogon" + - append: + field: event.type + value: start + if: ctx.event?.code == "AzureActiveDirectoryStsLogon" + - append: 
+ field: event.type + value: access + if: 'ctx.event?.code == "AzureActiveDirectoryStsLogon"' + # SharePointFileOperation Schema + - rename: + field: o365audit.ObjectId + target_field: url.original + ignore_missing: true + if: ctx.event?.code == "SharePointFileOperation" + - rename: + field: o365audit.SourceRelativeUrl + target_field: file.directory + ignore_missing: true + if: ctx.event?.code == "SharePointFileOperation" + - rename: + field: o365audit.SourceFileName + target_field: file.name + ignore_missing: true + if: ctx.event?.code == "SharePointFileOperation" + - rename: + field: o365audit.SourceFileExtension + target_field: file.extension + ignore_missing: true + if: ctx.event?.code == "SharePointFileOperation" + - append: + field: event.category + value: file + if: 'ctx.event?.action != null && ["FileAccessed", "FileDeleted", "FileDownloaded", "FileModified", "FileMoved", "FileRenamed", "FileRestored", "FileUploaded", "FolderCopied", "FolderCreated", "FolderDeleted", "FolderModified", "FolderMoved", "FolderRenamed", "FolderRestored"].contains(ctx.event?.action)' + - append: + field: event.category + value: configuration + if: ctx.event?.action == "ComplianceSettingChanged" + - append: + field: event.type + value: access + if: 'ctx.event?.action != null && ["FileAccessed", "FileDownloaded"].contains(ctx.event?.action)' + - append: + field: event.type + value: change + if: 'ctx.event?.action != null && ["ComplianceSettingChanged", "FileModified", "FileMoved", "FileRenamed", "FileRestored", "FolderModified", "FolderMoved", "FolderRenamed", "FolderRestored"].contains(ctx.event?.action)' + - append: + field: event.type + value: deletion + if: 'ctx.event?.action != null && ["FileDeleted", "FolderDeleted"].contains(ctx.event?.action)' + - append: + field: event.type + value: creation + if: 'ctx.event?.action != null && ["FileUploaded", "FolderCopied", "FolderCreated"].contains(ctx.event?.action)' + # SecurityComplianceAlerts Schema + - rename: + field: 
o365audit.Comments + target_field: message + ignore_missing: true + if: ctx.event?.code == "SecurityComplianceAlerts" + - rename: + field: o365audit.Name + target_field: rule.name + ignore_missing: true + if: ctx.event?.code == "SecurityComplianceAlerts" + - rename: + field: o365audit.PolicyId + target_field: rule.id + ignore_missing: true + if: ctx.event?.code == "SecurityComplianceAlerts" + - rename: + field: o365audit.Category + target_field: rule.category + ignore_missing: true + if: ctx.event?.code == "SecurityComplianceAlerts" + - rename: + field: o365audit.EntityType + target_field: rule.ruleset + ignore_missing: true + if: ctx.event?.code == "SecurityComplianceAlerts" + - rename: + field: o365audit.AlertEntityId + target_field: rule.description + ignore_missing: true + if: ctx.event?.code == "SecurityComplianceAlerts" + - rename: + field: o365audit.AlertLinks + target_field: rule.reference + ignore_missing: true + if: ctx.event?.code == "SecurityComplianceAlerts" + - set: + field: event.kind + value: alert + if: ctx.event?.code == "SecurityComplianceAlerts" + - append: + field: event.category + value: authentication + if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.o365audit?.Category == "AccessGovernance"' + - append: + field: event.category + value: file + if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.o365audit?.Category != null && ["DataGovernance", "DataLossPrevention"].contains(ctx.o365audit?.Category)' + - append: + field: event.category + value: malware + if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.o365audit?.Category == "ThreatManagement"' + - append: + field: event.category + value: authentication + allow_duplicates: false + if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.o365audit?.Category != null && !["DataGovernance", "DataLossPrevention", "ThreatManagement", "AccessGovernance"].contains(ctx.o365audit?.Category)' + - append: + field: event.category + value: web + allow_duplicates: false + if: 
ctx.event?.code == "SecurityComplianceAlerts" + - append: + field: event.type + value: info + allow_duplicates: false + if: ctx.event?.code == "SecurityComplianceAlerts" + - convert: + field: o365audit.AlertEntityId + target_field: user.id + type: string + ignore_missing: true + if: 'ctx.user?.id == null && ctx.event?.code == "SecurityComplianceAlerts" && ctx.rule?.ruleset == "User"' + - rename: + field: o365audit.AlertEntityId + target_field: user.email + ignore_missing: true + if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.rule?.ruleset != null && ["Recipients", "Sender"].contains(ctx.rule?.ruleset)' + - rename: + field: o365audit.AlertEntityId + target_field: threat.technique.id + ignore_missing: true + if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.rule?.ruleset == "MalwareFamily"' + # DLP Schema + - set: + field: event.kind + value: alert + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - append: + field: event.category + value: file + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - append: + field: event.type + value: access + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.SharePointMetaData.From + target_field: user.id + ignore_missing: true + if: 'ctx.user?.id == null && ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.SharePointMetaData.FileName + target_field: file.name + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.SharePointMetaData.FilePathUrl + target_field: url.original + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", 
"ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.SharePointMetaData.UniqueId + target_field: file.inode + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.SharePointMetaData.UniqueID + target_field: file.inode + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.SharePointMetaData.FileOwner + target_field: file.owner + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.ExchangeMetaData.From + target_field: source.user.email + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.ExchangeMetaData.Subject + target_field: message + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.PolicyId + target_field: rule.id + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.PolicyName + target_field: rule.name + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - date: + field: o365audit.SharePointMetaData.LastModifiedTime + target_field: file.mtime + formats: + - ISO8601 + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code) && ctx.o365audit?.SharePointMetaData?.LastModifiedTime != null' + - script: + lang: painless + if: 'ctx.event?.code != null && ctx.o365audit?.ExchangeMetaData!= null && ["ComplianceDLPSharePoint", 
"ComplianceDLPExchange"].contains(ctx.event?.code)' + source: > + def fields = new def[] {"To", "CC", "BCC"}; + if (ctx.destination == null) { + ctx.destination = new HashMap(); + } + if (ctx.destination.user == null) { + ctx.destination.user = new HashMap(); + } + ctx.destination.user.email = new ArrayList(); + for (int i = 0; i < fields.length; ++i) { + if (ctx.o365audit.ExchangeMetaData instanceof Map && ctx.o365audit.ExchangeMetaData.containsKey(fields[i])) { + def emails = ctx.o365audit.ExchangeMetaData[fields[i]]; + if (emails instanceof List){ + for (int e = 0; e < emails.length; ++e) { + ctx.destination.user.email.add(emails[e]); + } + } + if (emails instanceof String){ + ctx.destination.user.email.add(emails); + } + } + } + - rename: + field: o365audit.ExceptionInfo + target_field: o365audit.ExceptionInfo.Reason + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code) && ctx.o365audit?.ExceptionInfo != null && ctx.o365audit?.ExceptionInfo instanceof String' + - script: + lang: painless + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code) && ctx.o365audit?.PolicyDetails != null' + source: > + int severityToCode(def x) { + if (x.toLowerCase() == "informational") { + return 1; + } + if (x.toLowerCase() == "low") { + return 2; + } + if (x.toLowerCase() == "medium") { + return 3; + } + if (x.toLowerCase() == "high") { + return 4; + } + return 0; + } + def policies = ctx.o365audit.PolicyDetails; + if (policies == null) { + return; + } + if (ctx.rule == null) { + ctx.rule = new HashMap(); + } + if (ctx.rule.id == null) { + ctx.rule.id = new ArrayList(); + } + if (ctx.rule.name == null) { + ctx.rule.name = new ArrayList(); + } + def maxSeverity = 0; + def allowed = true; + for (int i = 0; i < policies.length && policies instanceof List; ++i) { + def rules = policies[i].Rules; + if (rules == null) { + continue; + } + for (int j 
= 0; j < rules.length; ++j) { + def rule = rules[j]; + def id = rule.RuleId; + def name = rule.RuleName; + def sev = severityToCode(rule.Severity); + if (id != null && name != null) { + ctx.rule.id.add(id); + ctx.rule.name.add(name); + } + if (sev > maxSeverity) { + maxSeverity = sev; + } + if (allowed) { + if (rule.Actions != null && rule.Actions.contains("BlockAccess")) { + allowed = false; + } + } + } + } + if (maxSeverity > -1) { + ctx.event.severity = maxSeverity; + } + if (allowed) { + ctx.event.outcome = "success"; + return; + } + if (ctx.event?.action == "DlpRuleUndo") { + ctx.event.outcome = "success"; + return; + } + if (ctx.event?.action == "DlpInfo") { + ctx.event.outcome = "failure"; + return; + } + if (ctx.o365audit?.ExceptionInfo != null && !ctx.o365audit?.ExceptionInfo.isEmpty()) { + ctx.event.outcome = "success"; + return; + } + ctx.event.outcome = "failure"; + # Yammer Schema + - rename: + field: o365audit.ActorUserId + target_field: user.email + ignore_missing: true + if: ctx.event?.code == "Yammer" + - convert: + field: o365audit.ActorYammerUserId + target_field: user.id + type: string + ignore_missing: true + if: 'ctx.user?.id == null && ctx.event?.code == "Yammer"' + - rename: + field: o365audit.FileId + target_field: file.inode + ignore_missing: true + if: ctx.event?.code == "Yammer" + - rename: + field: o365audit.FileName + target_field: file.name + ignore_missing: true + if: ctx.event?.code == "Yammer" + - rename: + field: o365audit.GroupName + target_field: group.name + ignore_missing: true + if: ctx.event?.code == "Yammer" + - rename: + field: o365audit.TargetUserId + target_field: destination.user.email + ignore_missing: true + if: ctx.event?.code == "Yammer" + - rename: + field: o365audit.TargetYammerUserId + target_field: destination.user.id + ignore_missing: true + if: ctx.event?.code == "Yammer" + - append: + field: event.category + value: configuration + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && 
["NetworkConfigurationUpdated", "NetworkSecurityConfigurationUpdated", "SoftDeleteSettingsUpdated", "ProcessProfileFields", "SupervisorAdminToggled"].contains(ctx.event?.action)' + - append: + field: event.category + value: iam + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["NetworkSecurityConfigurationUpdated", "GroupCreation", "GroupDeletion", "NetworkUserSuspended", "UserSuspension"].contains(ctx.event?.action)' + - append: + field: event.category + value: file + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["FileCreated", "FileDownloaded", "FileShared", "FileUpdateDescription", "FileUpdateName", "FileVisited"].contains(ctx.event?.action)' + - append: + field: event.type + value: change + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["NetworkConfigurationUpdated", "NetworkSecurityConfigurationUpdated", "SoftDeleteSettingsUpdated", "ProcessProfileFields", "SupervisorAdminToggled"].contains(ctx.event?.action)' + - append: + field: event.type + value: admin + if: 'ctx.event?.code == "Yammer" && ctx.event?.action == "NetworkSecurityConfigurationUpdated"' + - append: + field: event.type + value: creation + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["FileCreated", "GroupCreation", "FileUpdateName"].contains(ctx.event?.action)' + - append: + field: event.type + value: deletion + if: 'ctx.event?.code == "Yammer" && ctx.event?.action == "GroupDeletion"' + - append: + field: event.type + value: access + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["FileDownloaded", "FileShared", "FileUpdateDescription", "FileVisited"].contains(ctx.event?.action)' + - append: + field: event.type + value: group + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["GroupCreation", "GroupDeletion"].contains(ctx.event?.action)' + # Teams Schema + - set: + field: event.action + value: added-group-account-to + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == 
"TeamCreated"' + - append: + field: event.category + value: iam + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-group-account-to"' + - append: + field: event.type + value: group + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-group-account-to"' + - append: + field: event.type + value: creation + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-group-account-to"' + - rename: + field: o365audit.TeamName + target_field: group.name + ignore_missing: true + if: ctx.event?.code == "MicrosoftTeams" + - set: + field: event.action + value: added-users-to-group + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "MemberAdded"' + - append: + field: event.category + value: iam + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-users-to-group"' + - append: + field: event.type + value: group + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-users-to-group"' + - append: + field: event.type + value: change + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-users-to-group"' + - set: + field: event.action + value: deleted-user-account + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "Delete user."' + - append: + field: event.category + value: iam + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "deleted-user-account"' + - append: + field: event.type + value: user + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "deleted-user-account"' + - append: + field: event.type + value: deletion + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "deleted-user-account"' + - rename: + field: o365audit.ObjectId + target_field: user.target.id + ignore_missing: true + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "deleted-user-account"' + - script: + lang: painless + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.o365audit?.Members != null && 
ctx.o365audit.Members instanceof List' + source: > + def members = ctx.o365audit?.Members; + if (ctx.related == null) { + ctx.related = new HashMap(); + } + if (ctx.related.user == null) { + ctx.related.user = new ArrayList(); + } + for (int i = 0; i < members.length; ++i) { + if (members[i] instanceof Map && members[i].containsKey("UPN") && !members[i]["UPN"].isEmpty()) { + ctx.related.user.add(members[i]["UPN"]); + } + } + - gsub: + field: client._temp + pattern: '::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' + replacement: '$1' + ignore_missing: true + - grok: + field: client._temp + patterns: + - '%{IPANDPORTBRACKETS}' + - '^%{IP:client.address}$' + - '^\[%{IP:client.address}\]$' + - '%{IPANDPORT}' + - '^%{NOTSPACE:client.domain}$' + - '%{HOSTNAMEANDPORTBRACKETS}' + - '%{HOSTNAMEANDPORT}' + - '^\[%{HOSTNAMEANDIP}\]$' + - '^%{HOSTNAMEANDIP}$' + - '%{GREEDYDATA:client.address}' + pattern_definitions: + IPANDPORTBRACKETS: '^\[%{IP:client.address}\]:%{POSINT:client._port}' + IPANDPORT: '^%{IP:client.address}:%{POSINT:client._port}' + HOSTNAMEANDPORTBRACKETS: '^\[%{NOTSPACE:client.domain}\]:%{POSINT:client._port}' + HOSTNAMEANDPORT: '^%{NOTSPACE:client.domain}:%{POSINT:client._port}' + NOTCLOSINGPARENS: '[^)]*' + HOSTNAMEANDIP: '%{NOTSPACE:client.domain} \(%{NOTCLOSINGPARENS:client.address}\)' + if: 'ctx.client?._temp != null && !ctx.client?._temp.isEmpty()' + - gsub: + field: server._temp + pattern: "[\n\r]" + replacement: "" + ignore_missing: true + - grok: + field: server._temp + patterns: + - '^\[%{HOSTNAMEANDIP}\]$' + - '%{HOSTNAMEANDIP}' + - '%{GREEDYDATA:server.address}' + pattern_definitions: + NOTCLOSINGPARENS: '[^)]*' + HOSTNAMEANDIP: '%{NOTSPACE:server.domain} \(%{NOTCLOSINGPARENS:server.address}\)' + if: 'ctx.server?._temp != null && !ctx.server?._temp.isEmpty()' + ignore_failure: true + - convert: + field: client.address + target_field: client.ip + type: ip + ignore_failure: true + - convert: + field: client._port + target_field: client.port + type: long + 
ignore_missing: true + - convert: + field: server.address + target_field: server.ip + type: ip + ignore_failure: true + - remove: + field: + - client._port + - client._temp + - server._temp + ignore_missing: true + - set: + field: source.ip + copy_from: client.ip + if: ctx.client?.ip != null + - set: + field: source.port + copy_from: client.port + if: ctx.client?.port != null + - set: + field: destination.ip + copy_from: server.ip + if: ctx.server?.ip != null + - script: + lang: painless + if: 'ctx.user?.id != null && ctx.user?.id.contains("@")' + source: > + String[] splitmail = ctx.user.id.splitOnToken("@"); + if (splitmail.length != 2) { + return; + } + ctx.user.email = ctx.user.id; + ctx.user.domain = splitmail[1]; + ctx.user.name = splitmail[0]; + - script: + lang: painless + if: 'ctx.user?.target?.id != null && ctx.user?.target?.id.contains("@")' + source: > + String[] splitmail = ctx.user.target.id.splitOnToken("@"); + if (splitmail.length != 2) { + return; + } + ctx.user.target.email = ctx.user.target.id; + ctx.user.target.domain = splitmail[1]; + ctx.user.target.name = splitmail[0]; + - script: + lang: painless + if: 'ctx.source?.user?.id != null && ctx.source?.user?.id.contains("@")' + source: > + String[] splitmail = ctx.source.user.id.splitOnToken("@"); + if (splitmail.length != 2) { + return; + } + ctx.source.user.email = ctx.source.user.id; + ctx.source.user.domain = splitmail[1]; + ctx.source.user.name = splitmail[0]; + - script: + lang: painless + if: 'ctx.destination?.user?.id != null && ctx.destination?.user?.id.contains("@")' + source: > + String[] splitmail = ctx.destination.user.id.splitOnToken("@"); + if (splitmail.length != 2) { + return; + } + ctx.destination.user.email = ctx.destination.user.id; + ctx.destination.user.domain = splitmail[1]; + ctx.destination.user.name = splitmail[0]; + - set: + field: network.type + value: ipv6 + if: 'ctx.client?.ip != null && ctx.client?.ip.contains(":")' + - set: + field: network.type + value: ipv4 + if: 
'ctx.network?.type == null && ctx.client?.ip != null' + - append: + field: related.ip + value: "{{client.ip}}" + allow_duplicates: false + if: ctx.client?.ip != null + - append: + field: related.ip + value: "{{server.ip}}" + allow_duplicates: false + if: ctx.server?.ip != null + - append: + field: related.user + value: "{{user.name}}" + allow_duplicates: false + if: ctx.user?.name != null + - append: + field: related.user + value: "{{user.target.name}}" + allow_duplicates: false + if: ctx.user?.target?.name != null + - append: + field: related.user + value: "{{file.owner}}" + allow_duplicates: false + if: ctx.file?.owner != null + - rename: + field: o365audit.ExtendedProperties.UserAgent + target_field: user_agent.original + ignore_missing: true + if: ctx.o365audit?.ExtendedProperties?.UserAgent != null + # Add Host and Organization fields + - lowercase: + field: organization.id + ignore_missing: true + - set: + field: host.id + copy_from: organization.id + if: ctx.organization?.id != null + - script: + lang: painless + if: 'ctx.organization?.id != null && ctx._conf?.tenants != null' + source: > + def conftenants = ctx._conf.tenants; + def orgid = ctx.organization.id; + if (conftenants instanceof Map && conftenants.containsKey(orgid)) { + ctx.organization.name = conftenants[orgid]; + ctx.host.name = conftenants[orgid]; + } + - set: + field: host.name + copy_from: organization.name + if: ctx.organization?.name != null && ctx.host?.name == null + - set: + field: host.name + copy_from: user.domain + if: ctx.user?.domain != null && ctx.host?.name == null + # Convert field values + - convert: + field: o365audit.AzureActiveDirectoryEventType + type: string + ignore_missing: true + - convert: + field: o365audit.RecordType + type: string + ignore_missing: true + - convert: + field: o365audit.UserType + type: string + ignore_missing: true + - convert: + field: o365audit.Version + type: string + ignore_missing: true + - convert: + field: o365audit.InternalLogonType + type: 
string + ignore_missing: true + - convert: + field: o365audit.LogonType + type: string + ignore_missing: true + - convert: + field: o365audit.ActorYammerUserId + type: string + ignore_missing: true + - convert: + field: o365audit.YammerNetworkId + type: string + ignore_missing: true + - rename: + field: o365audit + target_field: o365.audit + ignore_missing: true + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - remove: + field: + - _conf + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/o365/1.4.3/data_stream/audit/fields/agent.yml b/packages/o365/1.4.3/data_stream/audit/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/o365/1.4.3/data_stream/audit/fields/agent.yml 
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
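Review bot: The `cloud.account.id` entry declares `type: keyword` but its `example: 666777888999` is an unquoted all-digit scalar, which a YAML parser reads as an integer rather than the string the field type describes; every other example in this hunk is a string. The file also mixes quoting styles for examples (`"18D109"` and `"stretch"` quoted, `us-east-1c` and `i-1234567890abcdef0` plain), so the integer case is the one that actually changes the parsed value. Quoting it, `example: "666777888999"`, makes the example's type match the field and removes any dependence on how the package tooling stringifies numbers. The package build may already coerce it, but that is not visible here.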
diff --git a/packages/o365/1.4.3/data_stream/audit/fields/base-fields.yml b/packages/o365/1.4.3/data_stream/audit/fields/base-fields.yml new file mode 100755 index 0000000000..f43cebe668 --- /dev/null +++ b/packages/o365/1.4.3/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: o365 +- name: event.dataset + type: constant_keyword + description: Event dataset + value: o365.audit +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/o365/1.4.3/data_stream/audit/fields/beats.yml b/packages/o365/1.4.3/data_stream/audit/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/o365/1.4.3/data_stream/audit/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/o365/1.4.3/data_stream/audit/fields/ecs.yml b/packages/o365/1.4.3/data_stream/audit/fields/ecs.yml new file mode 100755 index 0000000000..2bf1d87305 --- /dev/null +++ b/packages/o365/1.4.3/data_stream/audit/fields/ecs.yml 
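Review bot: In base-fields.yml the descriptions for `event.module` and `event.dataset` (`description: Event module`, `description: Event dataset`) lack the terminating period that the sibling entries in the same file use (`Data stream type.`, `Event timestamp.`). Since these descriptions are surfaced verbatim in generated field documentation, the inconsistency shows up in user-facing output; `description: Event module.` and `description: Event dataset.` would align them with the rest of the file.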
@@ -0,0 +1,338 @@ +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Unique container id. + name: container.id + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: User email address. + name: destination.user.email + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: Last time the file content was modified. + name: file.mtime + type: date +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: File owner's username. + name: file.owner + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. 
+ name: message
+ type: match_only_text
+- description: |-
+ In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
+ The field value must be normalized to lowercase for querying.
+ name: network.type
+ type: keyword
+- description: Unique identifier for the organization.
+ name: organization.id
+ type: keyword
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: organization.name
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: A categorization value keyword used by the entity using the rule for detection of this event.
+ name: rule.category
+ type: keyword
+- description: The description of the rule generating the event.
+ name: rule.description
+ type: keyword
+- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+ name: rule.id
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ Reference URL to additional information about the rule used to generate this event.
+ The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert.
+ name: rule.reference
+ type: keyword
+- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+ name: rule.ruleset
+ type: keyword
+- description: |-
+ Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: server.address
+ type: keyword
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: IP address of the server (IPv4 or IPv6).
+ name: server.ip
+ type: ip
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: User email address.
+ name: source.user.email
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
+ name: threat.technique.id
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.target.domain
+ type: keyword
+- description: User email address.
+ name: user.target.email
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.target.full_name
+ type: keyword
+- description: |-
+ Name of the directory the group is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.target.group.domain
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: user.target.group.id
+ type: keyword
+- description: Name of the group.
+ name: user.target.group.name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.target.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.target.name
+ type: keyword
+- description: Name of the device.
+ name: user_agent.device.name
+ type: keyword
+- description: Name of the user agent.
+ name: user_agent.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.full
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.name
+ type: keyword
+- description: Operating system version as a raw string.
+ name: user_agent.os.version
+ type: keyword
+- description: Version of the user agent.
+ name: user_agent.version
+ type: keyword
diff --git a/packages/o365/1.4.3/data_stream/audit/fields/fields.yml b/packages/o365/1.4.3/data_stream/audit/fields/fields.yml
new file mode 100755
index 0000000000..ca908de5ae
--- /dev/null
+++ b/packages/o365/1.4.3/data_stream/audit/fields/fields.yml
@@ -0,0 +1,199 @@
+- name: o365.audit
+ type: group
+ fields:
+ - name: Actor
+ type: array
+ fields:
+ - name: ID
+ type: keyword
+ - name: Type
+ type: keyword
+ - name: ActorContextId
+ type: keyword
+ - name: ActorIpAddress
+ type: keyword
+ - name: ActorUserId
+ type: keyword
+ - name: ActorYammerUserId
+ type: keyword
+ - name: AlertEntityId
+ type: keyword
+ - name: AlertId
+ type: keyword
+ - name: AlertLinks
+ type: array
+ - name: AlertType
+ type: keyword
+ - name: AppId
+ type: keyword
+ - name: ApplicationDisplayName
+ type: keyword
+ - name: ApplicationId
+ type: keyword
+ - name: AzureActiveDirectoryEventType
+ type: keyword
+ - name: ExchangeMetaData.*
+ type: object
+ - name: Category
+ type: keyword
+ - name: ClientAppId
+ type: keyword
+ - name: ClientInfoString
+ type: keyword
+ - name: ClientIP
+ type: keyword
+ - name: ClientIPAddress
+ type: keyword
+ - name: Comments
+ type: text
+ - name: CorrelationId
+ type: keyword
+ - name: CreationTime
+ type: keyword
+ - name: CustomUniqueId
+ type: boolean
+ - name: Data
+ type: keyword
+ - name: DataType
+ type: keyword
+ - name: EntityType
+ type: keyword
+ - name: ErrorNumber
+ type: keyword
+ - name: EventData
+ type: keyword
+ - name: EventSource
+ type: keyword
+ - name: ExceptionInfo.*
+ type: object
+ - name: ExtendedProperties.*
+ type: object
+ - name: ExternalAccess
+ type: boolean
+ - name: GroupName
+ type: keyword
+ - name: Id
+ type: keyword
+ - name: ImplicitShare
+ type: keyword
+ - name: IncidentId
+ type: keyword
+ - name: InternalLogonType
+ type: keyword
+ - name: InterSystemsId
+ type: keyword
+ - name: IntraSystemId
+ type: keyword
+ - name: Item.*
+ type: object
+ - name: Item.*.*
+ type: object
+ - name: ItemName
+ type: keyword
+ - name: ItemType
+ type: keyword
+ - name: ListId
+ type: keyword
+ - name: ListItemUniqueId
+ type: keyword
+ - name: LogonError
+ type: keyword
+ - name: LogonType
+ type: keyword
+ - name: LogonUserSid
+ type: keyword
+ - name: MailboxGuid
+ type: keyword
+ - name: MailboxOwnerMasterAccountSid
+ type: keyword
+ - name: MailboxOwnerSid
+ type: keyword
+ - name: MailboxOwnerUPN
+ type: keyword
+ - name: Members
+ type: array
+ - name: Members.*
+ type: object
+ - name: ModifiedProperties.*.*
+ type: object
+ - name: Name
+ type: keyword
+ - name: ObjectId
+ type: keyword
+ - name: Operation
+ type: keyword
+ - name: OrganizationId
+ type: keyword
+ - name: OrganizationName
+ type: keyword
+ - name: OriginatingServer
+ type: keyword
+ - name: Parameters.*
+ type: object
+ - name: PolicyDetails
+ type: array
+ - name: PolicyId
+ type: keyword
+ - name: RecordType
+ type: keyword
+ - name: ResultStatus
+ type: keyword
+ - name: SensitiveInfoDetectionIsIncluded
+ type: boolean
+ - name: SharePointMetaData.*
+ type: object
+ - name: SessionId
+ type: keyword
+ - name: Severity
+ type: keyword
+ - name: Site
+ type: keyword
+ - name: SiteUrl
+ type: keyword
+ - name: Source
+ type: keyword
+ - name: SourceFileExtension
+ type: keyword
+ - name: SourceFileName
+ type: keyword
+ - name: SourceRelativeUrl
+ type: keyword
+ - name: Status
+ type: keyword
+ - name: SupportTicketId
+ type: keyword
+ - name: Target
+ type: array
+ fields:
+ - name: ID
+ type: keyword
+ - name: Type
+ type: keyword
+ - name: TargetContextId
+ type: keyword
+ - name: TargetUserOrGroupName
+ type: keyword
+ - name: TargetUserOrGroupType
+ type: keyword
+ - name: TeamName
+ type: keyword
+ - name: TeamGuid
+ type: keyword
+ - name: UniqueSharingId
+ type: keyword
+ - name: UserAgent
+ type: keyword
+ - name: UserId
+ type: keyword
+ - name: UserKey
+ type: keyword
+ - name: UserType
+ type: keyword
+ - name: Version
+ type: keyword
+ - name: WebId
+ type: keyword
+ - name: Workload
+ type: keyword
+ - name: YammerNetworkId
+ type: keyword
diff --git a/packages/o365/1.4.3/data_stream/audit/manifest.yml b/packages/o365/1.4.3/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..2c1315f9c1
--- /dev/null
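Review bot: None of the `o365.audit.*` entries in this hunk carries a `description`, so the Exported-fields table that docs/README.md generates from it shows an empty description cell for every one of them. For the fields an analyst pivots on during triage — `LogonError`, `ResultStatus`, `ExternalAccess`, `UserKey`, `ActorIpAddress`, `ClientIP` — a one-line `description:` stating what the Management Activity API populates there would make the table usable; the ECS entries in the preceding hunk show the form. Separately, `CreationTime` is mapped as `keyword` although the sample event in this commit carries an ISO-8601 timestamp in it; that mapping rules out range queries on the source-side time, so if the value is consistently a timestamp, `type: date` would be the better mapping, though that is a mapping change that needs a migration note rather than a silent edit.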
+++ b/packages/o365/1.4.3/data_stream/audit/manifest.yml 
@@ -0,0 +1,103 @@
+type: logs
+title: Office 365 audit logs
+streams:
+ - input: o365audit
+ title: "Collect Office 365 audit logs"
+ description: "Collect audit logs from Office 365 via the Management Activity API"
+ vars:
+ - name: application_id
+ type: text
+ title: Application (client) ID
+ multi: false
+ required: true
+ show_user: true
+ - name: client_secret
+ title: Client secret (API key)
+ type: password
+ multi: false
+ required: false
+ show_user: true
+ - name: certificate
+ type: text
+ title: Path to certificate file
+ multi: false
+ required: false
+ show_user: true
+ - name: key
+ type: text
+ title: Path to private key file
+ multi: false
+ required: false
+ show_user: true
+ - name: key_passphrase
+ type: text
+ title: Private key passphrase
+ multi: false
+ required: false
+ show_user: true
+ - name: tenants
+ type: text
+ multi: true
+ title: Directory (tenant) IDs
+ required: true
+ show_user: true
+ default:
+ - tenant-id
+ - name: tenant_names
+ type: text
+ multi: true
+ title: Directory (tenant) domains mapping
+ required: true
+ show_user: true
+ default:
+ - "tenant-id: domain-name"
+ - name: content_type
+ type: text
+ title: Content types
+ multi: true
+ default:
+ - "Audit.AzureActiveDirectory"
+ - "Audit.Exchange"
+ - "Audit.SharePoint"
+ - "Audit.General"
+ - "DLP.All"
+ required: true
+ show_user: true
+ - name: api
+ type: yaml
+ title: Advanced API settings
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - o365-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ default: |-
+ #- add_fields:
+ # target: foo
+ # fields:
+ # bar: baz
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: o365audit.yml.hbs
diff --git a/packages/o365/1.4.3/data_stream/audit/sample_event.json b/packages/o365/1.4.3/data_stream/audit/sample_event.json
new file mode 100755
index 0000000000..e5cd6aba50
--- /dev/null
+++ b/packages/o365/1.4.3/data_stream/audit/sample_event.json
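Review bot: `key_passphrase` is declared with `type: text`, while `client_secret` a few entries above uses `type: password`; the passphrase unlocks the private key used for certificate authentication and is as sensitive as the client secret, so it should get the same treatment so the Fleet UI masks it and it is not displayed in clear text when the policy is viewed. Change the line under `- name: key_passphrase` from `type: text` to `type: password`. `certificate` and `key` hold file paths, not secret material, so `text` is appropriate for them.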
@@ -0,0 +1,111 @@
+{
+ "@timestamp": "2020-02-07T16:43:53.000Z",
+ "agent": {
+ "ephemeral_id": "14ad310a-30bb-45d4-9dd4-20f22267fbd5",
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "client": {
+ "address": "213.97.47.133",
+ "ip": "213.97.47.133"
+ },
+ "data_stream": {
+ "dataset": "o365.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "PageViewed",
+ "agent_id_status": "verified",
+ "category": [
+ "web"
+ ],
+ "code": "SharePoint",
+ "dataset": "o365.audit",
+ "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5",
+ "ingested": "2022-01-02T03:51:15Z",
+ "kind": "event",
+ "original": "{\"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"ItemType\": \"Page\", \"Workload\": \"OneDrive\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"CreationTime\": \"2020-02-07T16:43:53\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"ClientIP\": \"213.97.47.133\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"UserType\": 0, \"Version\": 1, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"CustomUniqueId\": true, \"Operation\": \"PageViewed\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"RecordType\": 4}",
+ "outcome": "success",
+ "provider": "OneDrive",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "name": "testsiem.onmicrosoft.com"
+ },
+ "input": {
+ "type": "o365audit"
+ },
+ "network": {
+ "type": "ipv4"
+ },
+ "o365": {
+ "audit": {
+ "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25",
+ "CreationTime": "2020-02-07T16:43:53",
+ "CustomUniqueId": true,
+ "EventSource": "SharePoint",
+ "ItemType": "Page",
+ "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875",
+ "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx",
+ "RecordType": "4",
+ "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3",
+ "UserId": "asr@testsiem.onmicrosoft.com",
+ "UserKey": "i:0h.f|membership|1003200096971f55@live.com",
+ "UserType": "0",
+ "Version": "1",
+ "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30"
+ }
+ },
+ "organization": {
+ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
+ },
+ "related": {
+ "ip": [
+ "213.97.47.133"
+ ],
+ "user": [
+ "asr"
+ ]
+ },
+ "source": {
+ "ip": "213.97.47.133"
+ },
+ "tags": [
+ "forwarded",
+ "o365-audit",
+ "preserve_original_event"
+ ],
+ "user": {
+ "domain": "testsiem.onmicrosoft.com",
+ "email": "asr@testsiem.onmicrosoft.com",
+ "id": "asr@testsiem.onmicrosoft.com",
+ "name": "asr"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Mac"
+ },
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
+ "os": {
+ "full": "Mac OS X 10.14",
+ "name": "Mac OS X",
+ "version": "10.14"
+ },
+ "version": "72.0."
+ }
+}
\ No newline at end of file
diff --git a/packages/o365/1.4.3/docs/README.md b/packages/o365/1.4.3/docs/README.md
new file mode 100755
index 0000000000..3f34736de6
--- /dev/null
+++ b/packages/o365/1.4.3/docs/README.md
@@ -0,0 +1,373 @@
+# Microsoft Office 365 Integration
+
+This integration is for Microsoft Office 365. It currently supports user, admin, system, and policy actions and events from Office 365 and Azure AD activity logs exposed by the Office 365 Management Activity API.
+
+## Configuration
+
+To use this package you need to enable _Audit Log Search_ and register an application in Azure AD.
+
+Once this application is registered note the _Application (client) ID_ and the _Directory (tenant) ID._ Then configure the authentication in the _Certificates & Secrets_ section.
+
+To use client-secret authentication, add you secret to the _Client Secret (API key)_ field.
+
+To use certificate-based authentication, set the paths to the certificate and private key files. If the key file is protected with a passphrase, set this passphrase in the _Private key passphrase_ field. Paths must be absolute and files must exist in the host where _Elastic Agent_ is running.
+
+
+Add your tenant ID(s) to the _Directory (tenant) IDs_ field, then add the hostname that this tenant identifies to the _Directory (tenant) domains_ field. For example:
+- Directory IDs: `my-id-a` `my-id-b`
+- Directory domains: `a.onmicrosoft.com` `b.onmicrosoft.com`
+
+## Compatibility
+
+The `ingest-geoip` and `ingest-user_agent` Elasticsearch plugins are required to run this module.
+
+## Logs
+
+### Audit
+
+Uses the Office 365 Management Activity API to retrieve audit messages from Office 365 and Azure AD activity logs. These are the same logs that are available under Audit Log Search in the Security and Compliance Center.
+
+An example event for `audit` looks as following:
+
+```json
+{
+ "@timestamp": "2020-02-07T16:43:53.000Z",
+ "agent": {
+ "ephemeral_id": "14ad310a-30bb-45d4-9dd4-20f22267fbd5",
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "client": {
+ "address": "213.97.47.133",
+ "ip": "213.97.47.133"
+ },
+ "data_stream": {
+ "dataset": "o365.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "PageViewed",
+ "agent_id_status": "verified",
+ "category": [
+ "web"
+ ],
+ "code": "SharePoint",
+ "dataset": "o365.audit",
+ "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5",
+ "ingested": "2022-01-02T03:51:15Z",
+ "kind": "event",
+ "original": "{\"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"ItemType\": \"Page\", \"Workload\": \"OneDrive\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"CreationTime\": \"2020-02-07T16:43:53\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"ClientIP\": \"213.97.47.133\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"UserType\": 0, \"Version\": 1, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"CustomUniqueId\": true, \"Operation\": \"PageViewed\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"RecordType\": 4}",
+ "outcome": "success",
+ "provider": "OneDrive",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
+ "name": "testsiem.onmicrosoft.com"
+ },
+ "input": {
+ "type": "o365audit"
+ },
+ "network": {
+ "type": "ipv4"
+ },
+ "o365": {
+ "audit": {
+ "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25",
+ "CreationTime": "2020-02-07T16:43:53",
+ "CustomUniqueId": true,
+ "EventSource": "SharePoint",
+ "ItemType": "Page",
+ "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875",
+ "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx",
+ "RecordType": "4",
+ "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3",
+ "UserId": "asr@testsiem.onmicrosoft.com",
+ "UserKey": "i:0h.f|membership|1003200096971f55@live.com",
+ "UserType": "0",
+ "Version": "1",
+ "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30"
+ }
+ },
+ "organization": {
+ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"
+ },
+ "related": {
+ "ip": [
+ "213.97.47.133"
+ ],
+ "user": [
+ "asr"
+ ]
+ },
+ "source": {
+ "ip": "213.97.47.133"
+ },
+ "tags": [
+ "forwarded",
+ "o365-audit",
+ "preserve_original_event"
+ ],
+ "user": {
+ "domain": "testsiem.onmicrosoft.com",
+ "email": "asr@testsiem.onmicrosoft.com",
+ "id": "asr@testsiem.onmicrosoft.com",
+ "name": "asr"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Mac"
+ },
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
+ "os": {
+ "full": "Mac OS X 10.14",
+ "name": "Mac OS X",
+ "version": "10.14"
+ },
+ "version": "72.0."
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.port | Port of the client. | long |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.user.email | User email address. | keyword |
+| destination.user.id | Unique identifier of the user. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.inode | Inode representing the file in the filesystem. | keyword |
+| file.mtime | Last time the file content was modified. | date |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.owner | File owner's username. | keyword |
+| group.name | Name of the group. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| o365.audit.Actor.ID | | keyword |
+| o365.audit.Actor.Type | | keyword |
+| o365.audit.ActorContextId | | keyword |
+| o365.audit.ActorIpAddress | | keyword |
+| o365.audit.ActorUserId | | keyword |
+| o365.audit.ActorYammerUserId | | keyword |
+| o365.audit.AlertEntityId | | keyword |
+| o365.audit.AlertId | | keyword |
+| o365.audit.AlertLinks | | array |
+| o365.audit.AlertType | | keyword |
+| o365.audit.AppId | | keyword |
+| o365.audit.ApplicationDisplayName | | keyword |
+| o365.audit.ApplicationId | | keyword |
+| o365.audit.AzureActiveDirectoryEventType | | keyword |
+| o365.audit.Category | | keyword |
+| o365.audit.ClientAppId | | keyword |
+| o365.audit.ClientIP | | keyword |
+| o365.audit.ClientIPAddress | | keyword |
+| o365.audit.ClientInfoString | | keyword |
+| o365.audit.Comments | | text |
+| o365.audit.CorrelationId | | keyword |
+| o365.audit.CreationTime | | keyword |
+| o365.audit.CustomUniqueId | | boolean |
+| o365.audit.Data | | keyword |
+| o365.audit.DataType | | keyword |
+| o365.audit.EntityType | | keyword |
+| o365.audit.ErrorNumber | | keyword |
+| o365.audit.EventData | | keyword |
+| o365.audit.EventSource | | keyword |
+| o365.audit.ExceptionInfo.\* | | object |
+| o365.audit.ExchangeMetaData.\* | | object |
+| o365.audit.ExtendedProperties.\* | | object |
+| o365.audit.ExternalAccess | | boolean |
+| o365.audit.GroupName | | keyword |
+| o365.audit.Id | | keyword |
+| o365.audit.ImplicitShare | | keyword |
+| o365.audit.IncidentId | | keyword |
+| o365.audit.InterSystemsId | | keyword |
+| o365.audit.InternalLogonType | | keyword |
+| o365.audit.IntraSystemId | | keyword |
+| o365.audit.Item.\* | | object |
+| o365.audit.Item.\*.\* | | object |
+| o365.audit.ItemName | | keyword |
+| o365.audit.ItemType | | keyword |
+| o365.audit.ListId | | keyword |
+| o365.audit.ListItemUniqueId | | keyword |
+| o365.audit.LogonError | | keyword |
+| o365.audit.LogonType | | keyword |
+| o365.audit.LogonUserSid | | keyword |
+| o365.audit.MailboxGuid | | keyword |
+| o365.audit.MailboxOwnerMasterAccountSid | | keyword |
+| o365.audit.MailboxOwnerSid | | keyword |
+| o365.audit.MailboxOwnerUPN | | keyword |
+| o365.audit.Members | | array |
+| o365.audit.Members.\* | | object |
+| o365.audit.ModifiedProperties.\*.\* | | object |
+| o365.audit.Name | | keyword |
+| o365.audit.ObjectId | | keyword |
+| o365.audit.Operation | | keyword |
+| o365.audit.OrganizationId | | keyword |
+| o365.audit.OrganizationName | | keyword |
+| o365.audit.OriginatingServer | | keyword |
+| o365.audit.Parameters.\* | | object |
+| o365.audit.PolicyDetails | | array |
+| o365.audit.PolicyId | | keyword |
+| o365.audit.RecordType | | keyword |
+| o365.audit.ResultStatus | | keyword |
+| o365.audit.SensitiveInfoDetectionIsIncluded | | boolean |
+| o365.audit.SessionId | | keyword |
+| o365.audit.Severity | | keyword |
+| o365.audit.SharePointMetaData.\* | | object |
+| o365.audit.Site | | keyword |
+| o365.audit.SiteUrl | | keyword |
+| o365.audit.Source | | keyword |
+| o365.audit.SourceFileExtension | | keyword |
+| o365.audit.SourceFileName | | keyword |
+| o365.audit.SourceRelativeUrl | | keyword |
+| o365.audit.Status | | keyword |
+| o365.audit.SupportTicketId | | keyword |
+| o365.audit.Target.ID | | keyword |
+| o365.audit.Target.Type | | keyword |
+| o365.audit.TargetContextId | | keyword |
+| o365.audit.TargetUserOrGroupName | | keyword |
+| o365.audit.TargetUserOrGroupType | | keyword |
+| o365.audit.TeamGuid | | keyword |
+| o365.audit.TeamName | | keyword |
+| o365.audit.UniqueSharingId | | keyword |
+| o365.audit.UserAgent | | keyword |
+| o365.audit.UserId | | keyword |
+| o365.audit.UserKey | | keyword |
+| o365.audit.UserType | | keyword |
+| o365.audit.Version | | keyword |
+| o365.audit.WebId | | keyword |
+| o365.audit.Workload | | keyword |
+| o365.audit.YammerNetworkId | | keyword |
+| organization.id | Unique identifier for the organization. | keyword |
+| organization.name | Organization name. | keyword |
+| organization.name.text | Multi-field of `organization.name`. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
+| rule.description | The description of the rule generating the event. | keyword |
+| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| rule.reference | Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. | keyword |
+| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
+| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| source.as.number | Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| source.user.email | User email address. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. 
| keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + 
diff --git a/packages/o365/1.4.3/img/filebeat-o365-audit.png b/packages/o365/1.4.3/img/filebeat-o365-audit.png new file mode 100755 index 0000000000..a2413e7b90 Binary files /dev/null and b/packages/o365/1.4.3/img/filebeat-o365-audit.png differ diff --git a/packages/o365/1.4.3/img/filebeat-o365-azure-permissions.png b/packages/o365/1.4.3/img/filebeat-o365-azure-permissions.png new file mode 100755 index 0000000000..19a98e687a Binary files /dev/null and b/packages/o365/1.4.3/img/filebeat-o365-azure-permissions.png differ diff --git a/packages/o365/1.4.3/img/logo-integrations-microsoft-365.svg b/packages/o365/1.4.3/img/logo-integrations-microsoft-365.svg new file mode 100755 index 0000000000..3763f267ff --- /dev/null +++ b/packages/o365/1.4.3/img/logo-integrations-microsoft-365.svg @@ -0,0 +1,16 @@ + + + logo-integrations-Desktop HD Copy 2 + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/o365/1.4.3/kibana/dashboard/o365-712e2c00-685d-11ea-8d6a-292ef5d68366.json b/packages/o365/1.4.3/kibana/dashboard/o365-712e2c00-685d-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..a261099e07 --- /dev/null +++ b/packages/o365/1.4.3/kibana/dashboard/o365-712e2c00-685d-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,54 @@ +{ + "attributes": { + "description": "Sample dashboard for Office 365 Management Activity events", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Total audit events\"},\"gridData\":{\"h\":6,\"i\":\"b6942e2a-81dc-40e4-a932-8b7a864b28bc\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"b6942e2a-81dc-40e4-a932-8b7a864b28bc\",\"panelRefName\":\"panel_0\",\"title\":\"Total audit events\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"title\":\"Event histogram by service\"},\"gridData\":{\"h\":14,\"i\":\"9673e6df-4b1e-4771-b1c6-c41c9bfc7272\",\"w\":38,\"x\":10,\"y\":0},\"panelIndex\":\"9673e6df-4b1e-4771-b1c6-c41c9bfc7272\",\"panelRefName\":\"panel_1\",\"title\":\"Event histogram by service\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"colors\":{\"alert\":\"#EF843C\",\"event\":\"#7EB26D\"},\"legendOpen\":true,\"title\":\"Events by type\",\"vis\":{\"colors\":{\"alert\":\"#E24D42\",\"event\":\"#7EB26D\"},\"legendOpen\":true}},\"gridData\":{\"h\":8,\"i\":\"70ab7239-c65c-41da-8242-da61750745d7\",\"w\":10,\"x\":0,\"y\":6},\"panelIndex\":\"70ab7239-c65c-41da-8242-da61750745d7\",\"panelRefName\":\"panel_2\",\"title\":\"Events by type\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"colors\":{\"failure\":\"#E24D42\",\"success\":\"#629E51\"},\"legendOpen\":false,\"title\":\"Top users by authentication failures\",\"vis\":{\"colors\":{\"failure\":\"#E24D42\",\"success\":\"#629E51\"},\"legendOpen\":true}},\"gridData\":{\"h\":17,\"i\":\"775ced7d-7c58-44bc-8d4e-2a757d2c218c\",\"w\":10,\"x\":0,\"y\":14},\"panelIndex\":\"775ced7d-7c58-44bc-8d4e-2a757d2c218c\",\"panelRefName\":\"panel_3\",\"title\":\"Top users by authentication 
failures\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":42.68781,\"lon\":-48.94209,\"zoom\":1.88},\"openTOCDetails\":[],\"title\":\"Client geolocation map\"},\"gridData\":{\"h\":17,\"i\":\"15fe975b-6b8b-4445-872d-e06c041e2c31\",\"w\":38,\"x\":10,\"y\":14},\"panelIndex\":\"15fe975b-6b8b-4445-872d-e06c041e2c31\",\"panelRefName\":\"panel_4\",\"title\":\"Client geolocation map\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"title\":\"Data Loss Prevention alerts\"},\"gridData\":{\"h\":13,\"i\":\"481f1778-caad-4971-b598-bb61c94bf998\",\"w\":48,\"x\":0,\"y\":31},\"panelIndex\":\"481f1778-caad-4971-b598-bb61c94bf998\",\"panelRefName\":\"panel_5\",\"title\":\"Data Loss Prevention alerts\",\"version\":\"7.6.0\"}]", + "timeRestore": false, + "title": "[Logs o365] Audit Dashboard", + "version": 1 + }, + "id": "o365-712e2c00-685d-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "o365-0be1adb0-6860-11ea-8d6a-292ef5d68366", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "o365-8b033510-685a-11ea-8d6a-292ef5d68366", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "o365-d43c95a0-6864-11ea-8d6a-292ef5d68366", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "o365-897d0c70-6869-11ea-8d6a-292ef5d68366", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "o365-dbae13c0-685c-11ea-8d6a-292ef5d68366", + "name": "panel_4", + "type": "map" + }, + { + "id": "o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366", + "name": "panel_5", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/o365/1.4.3/kibana/map/o365-dbae13c0-685c-11ea-8d6a-292ef5d68366.json b/packages/o365/1.4.3/kibana/map/o365-dbae13c0-685c-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..d7c061e5c4 --- /dev/null 
+++ b/packages/o365/1.4.3/kibana/map/o365-dbae13c0-685c-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,24 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"0b910b6c-77c8-4223-892a-1ebf69b0ccb4\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"acc53b7b-3411-406b-9371-6fa62b6b9365\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"geoField\":\"source.geo.location\",\"id\":\"3ba31ffc-7051-44bf-96a0-a684020cd2a3\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"requestType\":\"point\",\"resolution\":\"FINE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Yellow to Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\",\"useCustomColorRamp\":false},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"airfield\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"maxSize\":32,\"minSize\":8},\"type\":\"DYNAMIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"}},\"type\":\"DYNAMIC\"},\"lineColor\":{\"options\":{\"color\":\"#FFF\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":0},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", + "mapStateJSON": 
"{\"center\":{\"lat\":30.87292,\"lon\":16.67387},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"o365.audit\\\" \"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"2020-02-05T03:25:59.045Z\",\"to\":\"2020-02-29T10:59:01.067Z\"},\"zoom\":2.88}", + "title": "Client Geo Map [Logs o365 audit]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "id": "o365-dbae13c0-685c-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "map": "7.9.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/o365/1.4.3/kibana/search/o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366.json b/packages/o365/1.4.3/kibana/search/o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..7c0cb148aa --- /dev/null +++ b/packages/o365/1.4.3/kibana/search/o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,56 @@ +{ + "attributes": { + "columns": [ + "event.category", + "event.type", + "event.action", + "event.outcome", + "user.name", + "file.name", + "rule.name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"o365.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"o365.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"ComplianceDLPSharePoint\",\"ComplianceDLPExchange\"],\"type\":\"phrases\",\"value\":\"ComplianceDLPSharePoint, ComplianceDLPExchange\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"ComplianceDLPSharePoint\"}},{\"match_phrase\":{\"event.code\":\"ComplianceDLPExchange\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Data Loss Prevention [Logs o365]", + "version": 1 + }, + "id": "o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/o365/1.4.3/kibana/search/o365-fdc14020-6859-11ea-8d6a-292ef5d68366.json b/packages/o365/1.4.3/kibana/search/o365-fdc14020-6859-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..aab59e7d3b --- /dev/null +++ b/packages/o365/1.4.3/kibana/search/o365-fdc14020-6859-11ea-8d6a-292ef5d68366.json @@ -0,0 +1,35 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"o365.audit\\\" \"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Audit Events [Logs O365]", + "version": 1 + }, + "id": "o365-fdc14020-6859-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/o365/1.4.3/kibana/visualization/o365-0be1adb0-6860-11ea-8d6a-292ef5d68366.json b/packages/o365/1.4.3/kibana/visualization/o365-0be1adb0-6860-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..2fdb82d937 --- /dev/null +++ b/packages/o365/1.4.3/kibana/visualization/o365-0be1adb0-6860-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0", + "title": "Audit Event Count [Logs o365]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":40,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Audit Event Count [Logs o365]\",\"type\":\"metric\"}" + }, + "id": "o365-0be1adb0-6860-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "o365-fdc14020-6859-11ea-8d6a-292ef5d68366", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/o365/1.4.3/kibana/visualization/o365-897d0c70-6869-11ea-8d6a-292ef5d68366.json b/packages/o365/1.4.3/kibana/visualization/o365-897d0c70-6869-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..ba90a63e18 --- /dev/null +++ b/packages/o365/1.4.3/kibana/visualization/o365-897d0c70-6869-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,33 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"authentication\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"authentication\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Authentication Failures [Logs o365]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"failure\":\"#E24D42\",\"success\":\"#629E51\"},\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"asc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"split\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":false,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://localhost:5601\",\"pathn
ame\":\"/app/kibana\"}}},\"label\":\"event.outcome: Ascending\",\"params\":{}}],\"splitRow\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://localhost:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"x\":null,\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":true},\"legendPosition\":\"bottom\",\"orderBucketsBySum\":true,\"row\":true,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":false,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":false,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top Authentication Failures [Logs o365]\",\"type\":\"horizontal_bar\"}" + }, + "id": "o365-897d0c70-6869-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "o365-fdc14020-6859-11ea-8d6a-292ef5d68366", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/o365/1.4.3/kibana/visualization/o365-8b033510-685a-11ea-8d6a-292ef5d68366.json b/packages/o365/1.4.3/kibana/visualization/o365-8b033510-685a-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..6724878043 --- /dev/null +++ b/packages/o365/1.4.3/kibana/visualization/o365-8b033510-685a-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0", + "title": "Events Histogram [Logs o365]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-02-05T03:25:59.045Z\",\"to\":\"2020-02-29T10:59:01.067Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://localhost:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"event.code: Descending\",\"params\":{}}],\"x\":{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per 12 hours\",\"params\":{\"bounds\":{\"max\":\"2020-02-29T10:59:01.067Z\",\"min\":\"2020-02-05T03:25:59.045Z\"},\"date\":true,\"format\":\"YYYY-MM-DD 
HH:mm\",\"interval\":\"PT12H\",\"intervalESUnit\":\"h\",\"intervalESValue\":12}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Events Histogram [Logs o365]\",\"type\":\"histogram\"}" + }, + "id": "o365-8b033510-685a-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "o365-fdc14020-6859-11ea-8d6a-292ef5d68366", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/o365/1.4.3/kibana/visualization/o365-d43c95a0-6864-11ea-8d6a-292ef5d68366.json b/packages/o365/1.4.3/kibana/visualization/o365-d43c95a0-6864-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..ec9ec39027 --- /dev/null +++ b/packages/o365/1.4.3/kibana/visualization/o365-d43c95a0-6864-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0", + "title": "Audit Event Type [Logs o365]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.kind\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Audit Event Type [Logs o365]\",\"type\":\"pie\"}" + }, + "id": "o365-d43c95a0-6864-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "o365-fdc14020-6859-11ea-8d6a-292ef5d68366", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/o365/1.4.3/manifest.yml b/packages/o365/1.4.3/manifest.yml new file mode 100755 index 0000000000..8b35831ab0 --- /dev/null +++ b/packages/o365/1.4.3/manifest.yml 
@@ -0,0 +1,35 @@
+name: o365
+title: Office 365 Logs
+version: 1.4.3
+release: ga
+description: Collect and parse event logs from Office 365 with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+  kibana.version: ^7.14.0 || ^8.0.0
+icons:
+  - src: /img/logo-integrations-microsoft-365.svg
+    title: Microsoft Office 365
+    size: 216x216
+    type: image/svg+xml
+screenshots:
+  - src: /img/filebeat-o365-audit.png
+    title: Office 365 Dashboard
+    size: 1924x1409
+    type: image/png
+  - src: /img/filebeat-o365-azure-permissions.png
+    title: Azure Permissions
+    size: 2660x1030
+    type: image/png
+policy_templates:
+  - name: o365
+    title: Office 365 logs
+    description: Collect logs from Office 365
+    inputs:
+      - type: o365audit
+        title: "Collect Office 365 audit logs"
+        description: "Collect audit logs from Office 365 via the Management Activity API"
+owner:
+  github: elastic/security-external-integrations
diff --git a/packages/okta/1.5.2/changelog.yml b/packages/okta/1.5.2/changelog.yml
new file mode 100755
index 0000000000..a0940465f1
--- /dev/null
+++ b/packages/okta/1.5.2/changelog.yml
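Review bot: `version: 1.4.3` and `format_version: 1.0.0` are left as plain scalars while the changelogs in this same diff quote every version (`"1.5.2"`, `"1.2.2"`); these two only parse as strings because they carry two dots, and a future `1.5` would be read as a float, so write `version: "1.4.3"` and `format_version: "1.0.0"`. The input `title` and `description` under `policy_templates` are double-quoted while every other title and description in the file is plain; either works, but pick one style for the file. `kibana.version: ^7.14.0 || ^8.0.0` is a valid plain scalar since `|` is only an indicator at the start of a value, though quoting it would spare the next reader that check.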
@@ -0,0 +1,139 @@
+# newer versions go on top
+- version: "1.5.2"
+ changes:
+ - description: Handle invalid values in client.ipAddress
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3010
+- version: "1.5.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.5.0"
+ changes:
+ - description: Increase the limit for the number of results in an API response.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2791
+- version: "1.4.1"
+ changes:
+ - description: Add missing field mapping for event.created.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2774
+- version: "1.4.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2428
+- version: "1.3.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.3.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.3.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2264
+- version: "1.2.3"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2095
+- version: "1.2.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1977
+- version: "1.2.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1838
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1638
+- version: "1.1.3"
+ changes:
+ - description: Add proxy config
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1648
+- version: "1.1.2"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1494
+- version: "1.1.1"
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1403
+- version: "1.1.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "1.0.1"
+ changes:
+ - description: add missing `initial_interval` option to the manifest
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1299
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1222
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1222
+- version: "0.6.0"
+ changes:
+ - description: Update to ECS 1.10.0 and add event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1067
+- version: "0.5.2"
+ changes:
+ - description: Add httpjson system tests and remove log input.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1034
+- version: "0.5.1"
+ changes:
+ - description: Make event.original optional
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1009
+- version: "0.5.0"
+ changes:
+ - description: change okta.target to flattened type
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/899
+- version: "0.4.2"
+ changes:
+ - description: add fail_on_template_error on pagination
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/901
+- version: "0.4.1"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/861
+- version: "0.4.0"
+ changes:
+ - description: Moves edge processing to ingest pipeline
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/759/
+- version: "0.3.1"
+ changes:
+ - description: Change kibana.version constraint to be more conservative.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/749
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/232
diff --git a/packages/okta/1.5.2/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/okta/1.5.2/data_stream/system/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..24a3d77d72
--- /dev/null
+++ b/packages/okta/1.5.2/data_stream/system/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,56 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.rate_limit:
+ limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]'
+ remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]'
+ reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]'
+request.transforms:
+ - set:
+ target: header.Authorization
+ value: "SSWS {{api_key}}"
+ - set:
+ target: url.params.limit
+ value: '1000'
+ - set:
+ target: url.params.since
+ value: "[[.cursor.published]]"
+ default: '[[formatDate (now (parseDuration "-{{initial_interval}}")) "RFC3339"]]'
+response.pagination:
+ - set:
+ target: url.value
+ value: '[[ getRFC5988Link "next" .last_response.header.Link ]]'
+ fail_on_template_error: true
+
+cursor:
+ published:
+ value: "[[.last_event.published]]"
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/okta/1.5.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/okta/1.5.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..8e9eb8a186
--- /dev/null
+++ b/packages/okta/1.5.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml
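Review bot: `request.url: {{url}}` and `request.proxy_url: {{proxy_url}}` are rendered as unquoted plain scalars, so the type of the rendered value depends on what the operator typed: an empty expansion becomes `null` rather than a string, and a value beginning with a YAML indicator or containing ` #` changes the parse of that line. Quoting them, `request.url: "{{url}}"` and `request.proxy_url: "{{proxy_url}}"`, keeps the rendered document a string in every case, unless these variables are already validated before rendering (not visible here). The stray space in `{{#if proxy_url }}` is harmless but inconsistent with the other `{{#if ...}}` guards in the same template.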
@@ -0,0 +1,557 @@ +--- +description: Pipeline for Okta system logs. +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + - json: + field: event.original + target_field: json + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - convert: + field: json.uuid + target_field: _id + type: string + ignore_failure: true + if: ctx?.json?.uuid != null && ctx?.json?.uuid != "" + - date: + field: json.published + formats: + - ISO8601 + ignore_failure: true + - set: + field: event.kind + value: event + - rename: + field: json.displayMessage + target_field: okta.display_message + ignore_missing: true + ignore_failure: true + - rename: + field: json.eventType + target_field: okta.event_type + ignore_missing: true + ignore_failure: true + - append: + field: event.category + value: iam + if: | + ["group.user_membership.add","group.user_membership.remove", + "user.lifecycle.activate","user.lifecycle.create", + "user.lifecycle.deactivate","user.lifecycle.suspend", + "user.lifecycle.unsuspend"].contains(ctx?.okta?.event_type) + - append: + field: event.category + value: configuration + if: | + ["policy.lifecycle.activate","policy.lifecycle.create", + "policy.lifecycle.deactivate","policy.lifecycle.delete", + "policy.lifecycle.update","policy.rule.activate","policy.rule.add", + "policy.rule.deactivate","policy.rule.delete", + "application.lifecycle.create","application.lifecycle.delete", + "policy.rule.update","application.lifecycle.activate", + "application.lifecycle.deactivate","application.lifecycle.update"].contains(ctx?.okta?.event_type) + - append: + 
field: event.category + value: authentication + if: '["user.session.start","user.session.end","user.authentication.sso","policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' + - append: + field: event.category + value: session + if: '["user.session.start","user.session.end"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: info + if: | + ["system.org.rate_limit.warning","system.org.rate_limit.violation", + "core.concurrency.org.limit.violation"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: network + if: '["security.request.blocked"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: network + if: | + ["system.org.rate_limit.warning","system.org.rate_limit.violation", + "core.concurrency.org.limit.violation","security.request.blocked"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: start + if: '["user.session.start"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: end + if: '["user.session.end"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: group + if: '["group.user_membership.add","group.user_membership.remove"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: user + if: | + ["user.lifecycle.activate","user.lifecycle.create", + "user.lifecycle.deactivate","user.lifecycle.suspend", + "user.lifecycle.unsuspend","user.authentication.sso", + "user.session.start","user.session.end","application.user_membership.add", + "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: change + if: | + ["user.lifecycle.activate","user.lifecycle.deactivate", + "user.lifecycle.suspend","user.lifecycle.unsuspend", + "group.user_membership.add","group.user_membership.remove", + "policy.lifecycle.activate","policy.lifecycle.deactivate", + "policy.lifecycle.update","policy.rule.activate","policy.rule.add", 
+ "policy.rule.deactivate","policy.rule.update","application.user_membership.add", + "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: creation + if: '["user.lifecycle.create","policy.lifecycle.create","application.lifecycle.create"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: deletion + if: '["policy.lifecycle.delete","application.lifecycle.delete"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: info + if: '["policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' + - rename: + field: json.uuid + target_field: okta.uuid + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.alternateId + target_field: okta.actor.alternate_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.displayName + target_field: okta.actor.display_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.id + target_field: okta.actor.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.type + target_field: okta.actor.type + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.device + target_field: okta.client.device + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.geolocation + target_field: client.geo.location + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.city + target_field: client.geo.city_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.state + target_field: client.geo.region_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.country + target_field: client.geo.country_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.id + target_field: okta.client.id + 
ignore_missing: true + ignore_failure: true + - convert: + field: json.client.ipAddress + target_field: okta.client.ip + type: ip + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.browser + target_field: okta.client.user_agent.browser + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.os + target_field: okta.client.user_agent.os + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.rawUserAgent + target_field: okta.client.user_agent.raw_user_agent + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.zone + target_field: okta.client.zone + ignore_missing: true + ignore_failure: true + - rename: + field: json.outcome.reason + target_field: okta.outcome.reason + ignore_missing: true + ignore_failure: true + - rename: + field: json.outcome.result + target_field: okta.outcome.result + ignore_missing: true + ignore_failure: true + - rename: + field: json.target + target_field: okta.target + ignore_missing: true + ignore_failure: true + - rename: + field: json.transaction.id + target_field: okta.transaction.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.transaction.type + target_field: okta.transaction.type + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.deviceFingerprint + target_field: okta.debug_context.debug_data.device_fingerprint + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestId + target_field: okta.debug_context.debug_data.request_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestUri + target_field: okta.debug_context.debug_data.request_uri + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.threatSuspected + target_field: okta.debug_context.debug_data.threat_suspected + ignore_missing: true + 
ignore_failure: true + - rename: + field: json.debugContext.debugData.url + target_field: okta.debug_context.debug_data.url + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.authenticationProvider + target_field: okta.authentication_context.authentication_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.authenticationStep + target_field: okta.authentication_context.authentication_step + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.credentialProvider + target_field: okta.authentication_context.credential_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.credentialType + target_field: okta.authentication_context.credential_type + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.externalSessionId + target_field: okta.authentication_context.external_session_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.interface + target_field: okta.authentication_context.authentication_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.issuer + target_field: okta.authentication_context.issuer + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.asNumber + target_field: okta.security_context.as.number + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.asOrg + target_field: okta.security_context.as.organization.name + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.domain + target_field: okta.security_context.domain + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.isProxy + target_field: okta.security_context.is_proxy + ignore_missing: true + ignore_failure: true + - rename: + field: 
json.securityContext.isp + target_field: okta.security_context.isp + ignore_missing: true + ignore_failure: true + - convert: + field: okta.client.user_agent.raw_user_agent + target_field: user_agent.original + type: string + ignore_failure: true + - set: + field: client.ip + copy_from: okta.client.ip + if: ctx?.okta?.client?.ip != null + - set: + field: source.ip + copy_from: okta.client.ip + if: ctx?.okta?.client?.ip != null + - convert: + field: okta.event_type + target_field: event.action + type: string + ignore_failure: true + - convert: + field: okta.security_context.as.number + target_field: client.as.number + type: string + ignore_failure: true + - convert: + field: okta.security_context.as.organization.name + target_field: client.as.organization.name + type: string + ignore_failure: true + - convert: + field: okta.security_context.domain + target_field: client.domain + type: string + ignore_failure: true + - convert: + field: okta.security_context.domain + target_field: source.domain + type: string + ignore_failure: true + - convert: + field: okta.uuid + target_field: event.id + type: string + ignore_failure: true + - lowercase: + field: okta.outcome.result + target_field: okta.outcome.result_lower + ignore_missing: true + - set: + field: event.outcome + value: success + if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "success" || ctx?.okta?.outcome?.result_lower == "allow") + - set: + field: event.outcome + value: failure + if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "failure" || ctx?.okta?.outcome?.result_lower == "deny") + - set: + field: event.outcome + value: unknown + if: ctx?.event?.outcome == null + - remove: + field: okta.outcome.result_lower + ignore_missing: true + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + arr[i]["alternate_id"] = arr[i]["alternateId"]; + 
arr[i].remove("alternateId"); + arr[i]["display_name"] = arr[i]["displayName"]; + arr[i].remove("displayName"); + arr[i].remove("detailEntry"); + } + } + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + if (arr[i]["type"].toLowerCase().contains("user")) { + ctx["okta_target_user"] = arr[i]; + break; + } + } + } + if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("user.") + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + if (arr[i]["type"].toLowerCase().contains("group")) { + ctx["okta_target_group"] = arr[i]; + break; + } + } + } + if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("group.") + - rename: + field: okta_target_user.display_name + target_field: user.target.full_name + ignore_missing: true + - rename: + field: okta_target_user.id + target_field: user.target.id + ignore_missing: true + - rename: + field: okta_target_user.login + target_field: user.target.email + ignore_missing: true + - rename: + field: okta_target_group.display_name + target_field: user.target.group.name + ignore_missing: true + - rename: + field: okta_target_group.id + target_field: user.target.group.id + ignore_missing: true + - remove: + field: + - okta_target_user + - okta_target_group + ignore_missing: true + - set: + field: client.user.id + value: "{{okta.actor.id}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.id != null + - set: + field: source.user.id + value: "{{okta.actor.id}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.id != null + - set: + field: client.user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - set: + field: source.user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - set: + field: user.full_name 
+ value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - append: + field: related.user + value: "{{okta.actor.display_name}}" + allow_duplicates: false + if: ctx?.okta?.actor?.display_name != null + - append: + field: related.user + value: "{{user.target.full_name}}" + allow_duplicates: false + if: ctx?.user?.target?.full_name != null + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx?.source?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx?.destination?.ip != null + - remove: + field: json + ignore_missing: true + - user_agent: + field: user_agent.original + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" 
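Review bot: The rename of `json.authenticationContext.interface` targets `okta.authentication_context.authentication_provider`, which is the same target the earlier `json.authenticationContext.authenticationProvider` rename already fills; when both source fields are present the second rename fails on the existing target and `ignore_failure: true` hides that, and when only `interface` is present its value is stored under the wrong name. The intended target is presumably `target_field: okta.authentication_context.interface`, assuming the package's field definitions declare that field (they are not in this hunk). Separately, the two target-selection scripts call `arr[i]["type"].toLowerCase()` with no null check, so a target entry without a `type` throws and routes the whole event to `on_failure`; `if (arr[i]["type"] != null && arr[i]["type"].toLowerCase().contains("user"))` (and the same guard with `"group"` in the second script) would skip such entries instead.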
diff --git a/packages/okta/1.5.2/data_stream/system/fields/agent.yml b/packages/okta/1.5.2/data_stream/system/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/okta/1.5.2/data_stream/system/fields/agent.yml
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/okta/1.5.2/data_stream/system/fields/base-fields.yml b/packages/okta/1.5.2/data_stream/system/fields/base-fields.yml
new file mode 100755
index 0000000000..915728ae0c
--- /dev/null
+++ b/packages/okta/1.5.2/data_stream/system/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: okta
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: okta.system
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/okta/1.5.2/data_stream/system/fields/beats.yml b/packages/okta/1.5.2/data_stream/system/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/okta/1.5.2/data_stream/system/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/okta/1.5.2/data_stream/system/fields/ecs.yml b/packages/okta/1.5.2/data_stream/system/fields/ecs.yml
new file mode 100755
index 0000000000..70ee18f075
--- /dev/null
+++ b/packages/okta/1.5.2/data_stream/system/fields/ecs.yml
@@ -0,0 +1,300 @@ +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: client.geo.location + type: geo_point +- description: Region name. + name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: Unique container id. + name: container.id + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. 
+ name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
+ name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
+ name: event.type + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. 
+ name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: source.user.full_name + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.domain + type: keyword +- description: User email address. + name: user.target.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.target.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. 
+ name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword diff --git a/packages/okta/1.5.2/data_stream/system/fields/fields.yml b/packages/okta/1.5.2/data_stream/system/fields/fields.yml new file mode 100755 index 0000000000..7cafbcba89 --- /dev/null +++ b/packages/okta/1.5.2/data_stream/system/fields/fields.yml 
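Review bot: The hunk declares `user.name`, `user.email`, `user.id` and the `user.target.*` mappings, but the sample event added by this commit populates only `user.full_name`, and `related.user` holds just the display name (`xxxxxx`) while the login/email stays in `okta.actor.alternate_id` and the Okta user ID in `client.user.id`/`source.user.id`. Pivots on `related.user` by login or user ID therefore miss these events; unless the ingest pipeline (outside this view) fills them, it should copy `alternate_id` into `user.name`/`user.email`, `id` into `user.id`, and append both to `related.user`. Separately, `event.original` is correctly declared with `index: false` and `doc_values: false`, but it is still stored in `_source`; consider appending to its description `Note: although unindexed, the raw Okta record remains retrievable from _source.` so operators do not read "not indexed" as "not retained".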
@@ -0,0 +1,262 @@
+- name: okta.uuid
+ title: UUID
+ type: keyword
+ description: |
+ The unique identifier of the Okta LogEvent.
+- name: okta.event_type
+ title: Event Type
+ type: keyword
+ description: |
+ The type of the LogEvent.
+- name: okta.version
+ title: Version
+ type: keyword
+ description: |
+ The version of the LogEvent.
+- name: okta.severity
+ title: Severity
+ type: keyword
+ description: |
+ The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR.
+- name: okta.display_message
+ title: Display Message
+ type: keyword
+ description: |
+ The display message of the LogEvent.
+- name: okta.actor
+ title: Actor
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Identifier of the actor.
+ - name: type
+ type: keyword
+ description: |
+ Type of the actor.
+ - name: alternate_id
+ type: keyword
+ description: |
+ Alternate identifier of the actor.
+ - name: display_name
+ type: keyword
+ description: |
+ Display name of the actor.
+- name: okta.client
+ title: Client
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: |
+ The IP address of the client.
+ - name: user_agent
+ type: group
+ fields:
+ - name: raw_user_agent
+ type: keyword
+ description: |
+ The raw informaton of the user agent.
+ - name: os
+ type: keyword
+ description: |
+ The OS informaton.
+ - name: browser
+ type: keyword
+ description: |
+ The browser informaton of the client.
+ - name: zone
+ type: keyword
+ description: |
+ The zone information of the client.
+ - name: device
+ type: keyword
+ description: |
+ The information of the client device.
+ - name: id
+ type: keyword
+ description: |
+ The identifier of the client.
+- name: okta.outcome
+ title: Outcome of the LogEvent.
+ type: group
+ fields:
+ - name: reason
+ type: keyword
+ description: |
+ The reason of the outcome.
+ - name: result
+ type: keyword
+ description: |
+ The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
+- name: okta.target
+ title: Target
+ type: flattened
+ description: |
+ The list of targets.
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Identifier of the actor.
+ - name: type
+ type: keyword
+ description: |
+ Type of the actor.
+ - name: alternate_id
+ type: keyword
+ description: |
+ Alternate identifier of the actor.
+ - name: display_name
+ type: keyword
+ description: |
+ Display name of the actor.
+- name: okta.transaction
+ title: Transaction
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Identifier of the transaction.
+ - name: type
+ type: keyword
+ description: |
+ The type of transaction. Must be one of "WEB", "JOB".
+- name: okta.debug_context
+ title: Debug Context
+ type: group
+ fields:
+ - name: debug_data
+ type: group
+ fields:
+ - name: device_fingerprint
+ type: keyword
+ description: |
+ The fingerprint of the device.
+ - name: request_id
+ type: keyword
+ description: |
+ The identifier of the request.
+ - name: request_uri
+ type: keyword
+ description: |
+ The request URI.
+ - name: threat_suspected
+ type: keyword
+ description: |
+ Threat suspected.
+ - name: url
+ type: keyword
+ description: |
+ The URL.
+- name: okta.authentication_context
+ title: Authentication Context
+ type: group
+ fields:
+ - name: authentication_provider
+ type: keyword
+ description: |
+ The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER.
+ - name: authentication_step
+ type: integer
+ description: |
+ The authentication step.
+ - name: credential_provider
+ type: keyword
+ description: |
+ The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY.
+ - name: credential_type
+ type: keyword
+ description: |
+ The information about credential type. 
Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. + - name: issuer + type: array + description: | + The information about the issuer. + fields: + - name: id + type: keyword + description: | + The identifier of the issuer. + - name: type + type: keyword + description: | + The type of the issuer. + - name: external_session_id + type: keyword + description: | + The session identifer of the external session if any. + - name: interface + type: keyword + description: | + The interface used. e.g., Outlook, Office365, wsTrust +- name: okta.security_context + title: Security Context + type: group + fields: + - name: as + type: group + fields: + - name: number + type: integer + description: | + The AS number. + - name: organization + type: group + fields: + - name: name + type: keyword + description: | + The organization name. + - name: isp + type: keyword + description: | + The Internet Service Provider. + - name: domain + type: keyword + description: | + The domain name. + - name: is_proxy + type: boolean + description: | + Whether it is a proxy or not. +- name: okta.request + title: Request + type: group + fields: + - name: ip_chain + type: group + fields: + - name: ip + type: ip + description: | + IP address. + - name: version + type: keyword + description: | + IP version. Must be one of V4, V6. + - name: source + type: keyword + description: | + Source information. + - name: geographical_context + type: group + fields: + - name: city + type: keyword + description: The city. + - name: state + type: keyword + description: The state. + - name: postal_code + type: keyword + description: The postal code. + - name: country + type: keyword + description: The country. + - name: geolocation + type: geo_point + description: | + Geolocation information. 
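Review bot: `okta.security_context.as.number` is mapped as `integer` (a signed 32-bit field in Elasticsearch), whereas the ECS counterparts added in this same commit (`client.as.number`, `source.as.number`, `destination.as.number`) are `long`; 4-byte ASNs above 2147483647 are valid in the 32-bit ASN space, and a document carrying one would be rejected by this mapping while the ECS copy indexes fine — change it to `type: long`. Whether a given tenant ever sees such an ASN depends on its traffic, but the vendor field should not be narrower than the ECS field it is copied to. The `okta.target` subfield descriptions were copied from `okta.actor` and still read `Identifier of the actor.`, `Type of the actor.`, `Alternate identifier of the actor.`, `Display name of the actor.`; they should say "target". Minor: `informaton` (three occurrences) and `identifer` are misspelled in descriptions.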
diff --git a/packages/okta/1.5.2/data_stream/system/manifest.yml b/packages/okta/1.5.2/data_stream/system/manifest.yml
new file mode 100755
index 0000000000..442cc16cd2
--- /dev/null
+++ b/packages/okta/1.5.2/data_stream/system/manifest.yml
@@ -0,0 +1,34 @@
+type: logs
+title: Okta system logs
+streams:
+ - input: httpjson
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - okta-system
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Okta system logs
+ description: Collect Okta system logs
diff --git a/packages/okta/1.5.2/data_stream/system/sample_event.json b/packages/okta/1.5.2/data_stream/system/sample_event.json
new file mode 100755
index 0000000000..939354c90a
--- /dev/null
+++ b/packages/okta/1.5.2/data_stream/system/sample_event.json
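Review bot: The `preserve_original_event` description does not say what the raw copy contains, and the sample event added by this commit shows `event.original` carrying the actor's login/email (`alternateId`), `externalSessionId`, `deviceFingerprint` and the full user-agent string — identity and session data that stays in `_source` even though the `event.original` mapping is unindexed. Operators toggling this in the UI (`show_user: true`) should see that trade-off, so suggest `description: Preserves a raw copy of the original Okta log event in the field \`event.original\`. The copy is stored unindexed in _source and includes every field of the Okta record (actor identifiers, external session ID, device fingerprint, user agent); enable only where retention and access controls permit.` The Okta API token and base URL are not declared in this stream's vars, presumably they live at package level outside this view.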
@@ -0,0 +1,139 @@ +{ + "@timestamp": "2020-02-14T20:18:57.718Z", + "agent": { + "ephemeral_id": "ef00e489-67a9-4e8f-999c-81305f2350f5", + "hostname": "docker-fleet-agent", + "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "108.255.197.247", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "data_stream": { + "dataset": "okta.system", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "user.session.start", + "agent_id_status": "verified", + "category": [ + "authentication", + "session" + ], + "created": "2022-04-07T02:23:26.399Z", + "dataset": "okta.system", + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "ingested": "2022-04-07T02:23:27Z", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "user" + ] + }, + "input": { + "type": "httpjson" + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "108.255.197.247", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "108.255.197.247" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "ip": "108.255.197.247", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "okta-system" + ], + "user": { + "full_name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } +} \ No newline at end of file diff --git a/packages/okta/1.5.2/docs/README.md b/packages/okta/1.5.2/docs/README.md new file mode 100755 index 0000000000..a12a02d307 --- /dev/null +++ b/packages/okta/1.5.2/docs/README.md 
@@ -0,0 +1,330 @@ +# Okta Integration + +The Okta integration collects events from the Okta API, specifically reading from the Okta System Log API. + +## Logs + +### System + +The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the httpjson input and is configured to paginate through the logs while honoring any rate-limiting headers sent by Okta. + +An example event for `system` looks as following: + +```json +{ + "@timestamp": "2020-02-14T20:18:57.718Z", + "agent": { + "ephemeral_id": "ef00e489-67a9-4e8f-999c-81305f2350f5", + "hostname": "docker-fleet-agent", + "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "108.255.197.247", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "data_stream": { + "dataset": "okta.system", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "dd014e06-ac12-40b1-a20a-4453a5f99c84", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "user.session.start", + "agent_id_status": "verified", + "category": [ + "authentication", + "session" + ], + "created": "2022-04-07T02:23:26.399Z", + "dataset": "okta.system", + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "ingested": "2022-04-07T02:23:27Z", + "kind": "event", + "original": 
"{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "user" + ] + }, + "input": { + "type": "httpjson" + }, + "okta": { + "actor": { + "alternate_id": 
"xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "108.255.197.247", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "108.255.197.247" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "ip": "108.255.197.247", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "okta-system" + ], + "user": { + "full_name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. 
| keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.user.full_name | User's full name, if available. | keyword | +| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. 
| constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| okta.actor.alternate_id | Alternate identifier of the actor. | keyword | +| okta.actor.display_name | Display name of the actor. | keyword | +| okta.actor.id | Identifier of the actor. | keyword | +| okta.actor.type | Type of the actor. | keyword | +| okta.authentication_context.authentication_provider | The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. | keyword | +| okta.authentication_context.authentication_step | The authentication step. | integer | +| okta.authentication_context.credential_provider | The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. | keyword | +| okta.authentication_context.credential_type | The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. | keyword | +| okta.authentication_context.external_session_id | The session identifer of the external session if any. | keyword | +| okta.authentication_context.interface | The interface used. e.g., Outlook, Office365, wsTrust | keyword | +| okta.authentication_context.issuer.id | The identifier of the issuer. 
| keyword | +| okta.authentication_context.issuer.type | The type of the issuer. | keyword | +| okta.client.device | The information of the client device. | keyword | +| okta.client.id | The identifier of the client. | keyword | +| okta.client.ip | The IP address of the client. | ip | +| okta.client.user_agent.browser | The browser informaton of the client. | keyword | +| okta.client.user_agent.os | The OS informaton. | keyword | +| okta.client.user_agent.raw_user_agent | The raw informaton of the user agent. | keyword | +| okta.client.zone | The zone information of the client. | keyword | +| okta.debug_context.debug_data.device_fingerprint | The fingerprint of the device. | keyword | +| okta.debug_context.debug_data.request_id | The identifier of the request. | keyword | +| okta.debug_context.debug_data.request_uri | The request URI. | keyword | +| okta.debug_context.debug_data.threat_suspected | Threat suspected. | keyword | +| okta.debug_context.debug_data.url | The URL. | keyword | +| okta.display_message | The display message of the LogEvent. | keyword | +| okta.event_type | The type of the LogEvent. | keyword | +| okta.outcome.reason | The reason of the outcome. | keyword | +| okta.outcome.result | The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. | keyword | +| okta.request.ip_chain.geographical_context.city | The city. | keyword | +| okta.request.ip_chain.geographical_context.country | The country. | keyword | +| okta.request.ip_chain.geographical_context.geolocation | Geolocation information. | geo_point | +| okta.request.ip_chain.geographical_context.postal_code | The postal code. | keyword | +| okta.request.ip_chain.geographical_context.state | The state. | keyword | +| okta.request.ip_chain.ip | IP address. | ip | +| okta.request.ip_chain.source | Source information. | keyword | +| okta.request.ip_chain.version | IP version. Must be one of V4, V6. 
| keyword | +| okta.security_context.as.number | The AS number. | integer | +| okta.security_context.as.organization.name | The organization name. | keyword | +| okta.security_context.domain | The domain name. | keyword | +| okta.security_context.is_proxy | Whether it is a proxy or not. | boolean | +| okta.security_context.isp | The Internet Service Provider. | keyword | +| okta.severity | The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. | keyword | +| okta.target.alternate_id | Alternate identifier of the actor. | keyword | +| okta.target.display_name | Display name of the actor. | keyword | +| okta.target.id | Identifier of the actor. | keyword | +| okta.target.type | Type of the actor. | keyword | +| okta.transaction.id | Identifier of the transaction. | keyword | +| okta.transaction.type | The type of transaction. Must be one of "WEB", "JOB". | keyword | +| okta.uuid | The unique identifier of the Okta LogEvent. | keyword | +| okta.version | The version of the LogEvent. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. 
| keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.user.full_name | User's full name, if available. | keyword | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | +| source.user.id | Unique identifier of the user. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. 
| keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | diff --git a/packages/okta/1.5.2/img/filebeat-okta-dashboard.png b/packages/okta/1.5.2/img/filebeat-okta-dashboard.png new file mode 100755 index 0000000000..6a28b4363b Binary files /dev/null and b/packages/okta/1.5.2/img/filebeat-okta-dashboard.png differ diff --git a/packages/okta/1.5.2/img/okta-logo.svg b/packages/okta/1.5.2/img/okta-logo.svg new file mode 100755 index 0000000000..d806cb7dc6 --- /dev/null +++ b/packages/okta/1.5.2/img/okta-logo.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/okta/1.5.2/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json b/packages/okta/1.5.2/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..d8725c4d60 --- /dev/null +++ b/packages/okta/1.5.2/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json 
@@ -0,0 +1,54 @@ +{ + "attributes": { + "description": "Logs Okta integration Kibana dashboard", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":26.54701,\"lon\":-44.69098,\"zoom\":2.75},\"openTOCDetails\":[]},\"gridData\":{\"h\":22,\"i\":\"8013824b-5a66-494c-acc5-3df8b7678879\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8013824b-5a66-494c-acc5-3df8b7678879\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"c6a66fe5-21a2-4308-8563-d4a7f5135d25\",\"w\":10,\"x\":0,\"y\":22},\"panelIndex\":\"c6a66fe5-21a2-4308-8563-d4a7f5135d25\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"195db901-dc2b-4b7d-80c3-742e2712ac2a\",\"w\":9,\"x\":10,\"y\":22},\"panelIndex\":\"195db901-dc2b-4b7d-80c3-742e2712ac2a\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"dc5128e2-0b4d-4dd5-bbc2-624f64467a77\",\"w\":19,\"x\":29,\"y\":22},\"panelIndex\":\"dc5128e2-0b4d-4dd5-bbc2-624f64467a77\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"a25a43ed-3262-486c-a482-1fac52f26128\",\"w\":10,\"x\":19,\"y\":22},\"panelIndex\":\"a25a43ed-3262-486c-a482-1fac52f26128\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"c0d5bac3-7e50-4ef9-a401-5a596ec84ee9\",\"w\":48,\"x\":0,\"y\":33},\"panelIndex\":\"c0d5bac3-7e50-4ef9-a401-5a596ec84ee9\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs Okta] Overview", + "version": 1 + }, + "id": 
"okta-749203a0-67b1-11ea-a76f-bf44814e437d", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "okta-281ca660-67b1-11ea-a76f-bf44814e437d", + "name": "panel_0", + "type": "map" + }, + { + "id": "okta-545d6a00-67ae-11ea-a76f-bf44814e437d", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "okta-7c6ec080-67c6-11ea-a76f-bf44814e437d", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "okta-cda883a0-67c6-11ea-a76f-bf44814e437d", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "okta-0a784b30-67c7-11ea-a76f-bf44814e437d", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "okta-21028750-67ca-11ea-a76f-bf44814e437d", + "name": "panel_5", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/okta/1.5.2/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json b/packages/okta/1.5.2/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..916a10ca30 --- /dev/null +++ b/packages/okta/1.5.2/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json 
@@ -0,0 +1,24 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"6908e81b-1695-4445-aee4-8bc8c9f65600\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"dc52e707-92d7-4de7-becf-a3a8bfaa2c2d\",\"label\":\"Okta \",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"okta.system\\\" \"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":false,\"geoField\":\"client.geo.location\",\"id\":\"4b8bd321-4b90-4d97-83e0-2b12bf091f66\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", + "mapStateJSON": 
"{\"center\":{\"lat\":26.54701,\"lon\":-44.69098},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"zoom\":2.75}", + "title": "Geolocation [Logs Okta]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "id": "okta-281ca660-67b1-11ea-a76f-bf44814e437d", + "migrationVersion": { + "map": "7.9.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/okta/1.5.2/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json b/packages/okta/1.5.2/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..35112753e0 --- /dev/null +++ b/packages/okta/1.5.2/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json 
@@ -0,0 +1,49 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"FAILURE\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"FAILURE\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ], + [ + "event.created", + "desc" + ] + ], + "title": "Okta Failure Events", + "version": 1 + }, + "id": "okta-21028750-67ca-11ea-a76f-bf44814e437d", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/okta/1.5.2/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json b/packages/okta/1.5.2/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..e31342b53d --- /dev/null 
+++ b/packages/okta/1.5.2/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json @@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Actor Types [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"okta.actor.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Actor Types [Logs Okta]\",\"type\":\"pie\"}" + }, + "id": "okta-0a784b30-67c7-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/okta/1.5.2/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json b/packages/okta/1.5.2/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..c1c400b37c --- /dev/null +++ b/packages/okta/1.5.2/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json 
@@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Event Outcome [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event Outcome [Logs Okta]\",\"type\":\"pie\"}" + }, + "id": "okta-545d6a00-67ae-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/okta/1.5.2/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json b/packages/okta/1.5.2/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..beb76986ed --- /dev/null +++ b/packages/okta/1.5.2/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json 
@@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Transaction Types [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"okta.transaction.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Transaction Types [Logs Okta]\",\"type\":\"pie\"}" + }, + "id": "okta-7c6ec080-67c6-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/okta/1.5.2/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json b/packages/okta/1.5.2/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..4e314cfd4c --- /dev/null +++ b/packages/okta/1.5.2/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json @@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Time Series [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"abd68650-67c6-11ea-8c7d-ed286611413e\"}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"okta.system\\\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Time Series [Logs Okta]\",\"type\":\"metrics\"}" + }, + "id": "okta-cda883a0-67c6-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/okta/1.5.2/manifest.yml b/packages/okta/1.5.2/manifest.yml new file mode 100755 index 0000000000..12b375d145 --- /dev/null +++ b/packages/okta/1.5.2/manifest.yml 
@@ -0,0 +1,77 @@
+name: okta
+title: Okta Logs
+version: 1.5.2
+release: ga
+description: Collect and parse event logs from Okta API with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: ^7.14.0 || ^8.0.0
+icons:
+ - src: /img/okta-logo.svg
+ title: Okta
+ size: 216x216
+ type: image/svg+xml
+screenshots:
+ - src: /img/filebeat-okta-dashboard.png
+ title: Okta Dashboard
+ size: 1024x662
+ type: image/png
+policy_templates:
+ - name: okta
+ title: Okta logs
+ description: Collect logs from Okta
+ inputs:
+ - type: httpjson
+ vars:
+ - name: api_key
+ type: text
+ title: API Key
+ multi: false
+ required: false
+ show_user: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 60s
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: true
+ - name: url
+ type: text
+ title: Okta System Log API Url
+ multi: false
+ required: false
+ show_user: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ title: "Collect Okta logs via API"
+ description: "Collecting logs from Okta via API"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/panw/1.5.3/changelog.yml b/packages/panw/1.5.3/changelog.yml
new file mode 100755
index 0000000000..14e041f6a1
--- /dev/null
+++ b/packages/panw/1.5.3/changelog.yml
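Review bot: `api_key` under the `okta` policy template is declared `type: text`, so the Okta API token is rendered and stored like any other plain setting; the package spec's `password` variable type exists for secrets and masks the value in the policy editor, so change that entry to `type: password` if the spec version in use supports it. The `proxy_url` description, `URL to proxy connections in the form of http[s]://:@:`, appears to have lost its placeholders (presumably `<user>:<password>@<host>:<port>`, stripped as markup); restore them so the expected format is readable, e.g. `description: 'URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>'`.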
@@ -0,0 +1,130 @@
+# newer versions go on top
+- version: "1.5.3"
+ changes:
+ - description: Remove invalid field values
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3094
+- version: "1.5.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.5.1"
+ changes:
+ - description: Extend and explicitly link to event streams that are handled.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2810
+- version: "1.5.0"
+ changes:
+ - description: Add HIP Match event handling.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2758
+ - description: Add User ID event handling.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2758
+ - description: Add Global Protect event handling.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2758
+- version: "1.4.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2430
+- version: "1.3.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.3.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.3.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2221
+- version: "1.2.3"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2093
+- version: "1.2.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1979
+- version: "1.2.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1840
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1672
+- version: "1.1.3"
+ changes:
+ - description: Add time zone offset input
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1580
+- version: "1.1.2"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1496
+- version: '1.1.1'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1408
+- version: "1.1.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1221
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1221
+- version: "0.8.1"
+ changes:
+ - description: use `wildcard` field type for the relevant ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1182
+- version: "0.8.0"
+ changes:
+ - description: update to ECS 1.10.0 and add fixes to event.original
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1093
+- version: "0.7.2"
+ changes:
+ - description: Make event.original optional
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1007
+- version: "0.7.1"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/863
+- version: "0.7.0"
+ changes:
+ - description: Moving edge processing to ES Ingest pipelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/772
+- version: "0.6.1"
+ changes:
+ - description: Change kibana.version constraint to be more conservative.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/749
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/233
diff --git a/packages/panw/1.5.3/data_stream/panos/agent/stream/logfile.yml.hbs b/packages/panw/1.5.3/data_stream/panos/agent/stream/logfile.yml.hbs
new file mode 100755
index 0000000000..8fb7441b05
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/agent/stream/logfile.yml.hbs
@@ -0,0 +1,36 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+ {{#if internal_zones.length}}
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+ {{/if}}
+ {{#if external_zones.length}}
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+ {{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/panw/1.5.3/data_stream/panos/agent/stream/syslog.yml.hbs b/packages/panw/1.5.3/data_stream/panos/agent/stream/syslog.yml.hbs
new file mode 100755
index 0000000000..7493cd4efd
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/agent/stream/syslog.yml.hbs
@@ -0,0 +1,33 @@
+protocol.udp:
+ host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+ {{#if internal_zones.length}}
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+ {{/if}}
+ {{#if external_zones.length}}
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+ {{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/default.yml b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..33c3edf738
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,579 @@
+---
+description: "Pipeline for Palo Alto Networks PAN-OS Logs"
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - set:
+ field: observer.vendor
+ value: Palo Alto Networks
+ - set:
+ field: observer.product
+ value: PAN-OS
+ - set:
+ field: observer.type
+ value: firewall
+
+ - set:
+ field: event.timezone
+ value: "{{{_conf.tz_offset}}}"
+ if: ctx?._conf?.tz_offset != null && ctx?._conf?.tz_offset != 'local'
+
+# Collects the first few parts of the message to be used for conditional parsing later
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - grok:
+ field: event.original
+ patterns:
+ - "^%{DATA},%{TIMESTAMP:event.created},%{FIELD:observer.serial_number},%{FIELD:panw.panos.type},(?:%{FIELD:panw.panos.sub_type})?,%{FIELD},%{TIMESTAMP:_temp_.generated_time},%{GREEDYDATA:message}$"
+ pattern_definitions:
+ TIMESTAMP: "%{PANW_DATE}|%{TIMESTAMP_ISO8601}"
+ PANW_DATE: "%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}"
+ FIELD: "[^,]*"
+
+## TRAFFIC
+ - pipeline:
+ if: ctx?.panw?.panos?.type == "TRAFFIC"
+ name: '{{ IngestPipeline "traffic" }}'
+## THREAT
+ - pipeline:
+ if: ctx?.panw?.panos?.type == "THREAT"
+ name: '{{ IngestPipeline "threat" }}'
+## HIPMATCH
+ - pipeline:
+ if: 'ctx?.panw?.panos?.type == "HIPMATCH" || ctx?.panw?.panos?.type == "HIP-MATCH"'
+ name: '{{ IngestPipeline "hipmatch" }}'
+## USER ID
+ - pipeline:
+ if: ctx?.panw?.panos?.type == "USERID"
+ name: '{{ IngestPipeline "userid" }}'
+## GLOBAL PROTECT
+ - pipeline:
+ if: ctx?.panw?.panos?.type == "GLOBALPROTECT"
+ name: '{{ IngestPipeline "globalprotect" }}'
+
+# Set @timestamp to the time when the entry was generated at the data plane.
+ - date:
+ if: "ctx?.event?.timezone == null"
+ field: "_temp_.generated_time"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ - "strict_date_optional_time_nanos"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+ - date:
+ if: "ctx?.event?.timezone != null"
+ field: "_temp_.generated_time"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ - "strict_date_optional_time_nanos"
+ timezone: "{{{ event.timezone }}}"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+
+# event.created is the time the event was received at the management plane.
+ - date:
+ if: "ctx?.event?.timezone == null && ctx?.event?.created != null"
+ field: "event.created"
+ target_field: "event.created"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ - "strict_date_optional_time_nanos"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+ - date:
+ if: "ctx?.event?.timezone != null && ctx?.event?.created != null"
+ field: "event.created"
+ target_field: "event.created"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ - "strict_date_optional_time_nanos"
+ timezone: "{{{ event.timezone }}}"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+
+# convert integer fields as the output of the CSV processor is always a string.
+ - convert:
+ type: long
+ ignore_missing: true
+ field: source.bytes
+ - convert:
+ type: long
+ ignore_missing: true
+ field: source.packets
+ - convert:
+ type: long
+ ignore_missing: true
+ field: source.port
+ - convert:
+ type: long
+ ignore_missing: true
+ field: destination.bytes
+ - convert:
+ type: long
+ ignore_missing: true
+ field: destination.packets
+ - convert:
+ type: long
+ ignore_missing: true
+ field: destination.port
+ - convert:
+ type: long
+ ignore_missing: true
+ field: network.bytes
+ - convert:
+ type: long
+ ignore_missing: true
+ field: network.packets
+ - convert:
+ type: long
+ ignore_missing: true
+ field: event.duration
+ - convert:
+ type: long
+ ignore_missing: true
+ field: _temp_.labels
+ - convert:
+ type: long
+ ignore_missing: true
+ field: panw.panos.sequence_number
+ - convert:
+ type: long
+ ignore_missing: true
+ field: source.nat.port
+ - convert:
+ type: long
+ ignore_missing: true
+ field: destination.nat.port
+ - convert:
+ type: long
+ ignore_missing: true
+ field: panw.panos.repeat_count
+ - convert:
+ type: long
+ ignore_missing: true
+ field: panw.panos.scp.chunks
+ - convert:
+ type: long
+ ignore_missing: true
+ field: panw.panos.scp.chunks_sent
+ - convert:
+ type: long
+ ignore_missing: true
+ field: panw.panos.scp.chunks_received
+
+# Remove PCAP ID when zero (no packet capture).
+ - remove:
+ if: 'ctx?.panw?.panos?.network?.pcap_id == "0"'
+ field:
+ - panw.panos.network.pcap_id
+
+# Extract 'flags' bitfield into labels.
+ - script:
+ lang: painless
+ if: 'ctx?._temp_?.labels != null && ctx._temp_.labels != 0'
+ params:
+ pcap_included: 0x80000000
+ ipv6_session: 0x02000000
+ ssl_decrypted: 0x01000000
+ url_filter_denied: 0x00800000
+ nat_translated: 0x00400000
+ captive_portal: 0x00200000
+ x_forwarded_for: 0x00080000
+ http_proxy: 0x00040000
+ container_page: 0x00008000
+ temporary_match: 0x00002000
+ symmetric_return: 0x00000800
+ # TODO: Remove the workaround for https://github.com/elastic/kibana/issues/85486
+ # that converts the param values from string to Long.
+ source: >
+ def labels = ctx?.labels;
+ if (labels == null) {
+ labels = new HashMap();
+ ctx['labels'] = labels;
+ }
+ long value = ctx._temp_.labels;
+ for (entry in params.entrySet()) {
+ def flag = entry.getValue();
+ if (flag instanceof String) {
+ flag = Long.decode(flag);
+ }
+ if ((value & flag) != 0) {
+ labels[entry.getKey()] = true;
+ }
+ }
+
+# normalize event.duration and determine event.end.
+ - script:
+ lang: painless
+ if: 'ctx?.event?.duration != null'
+ params:
+ NANOS_IN_A_SECOND: 1000000000
+ source: >
+ long nanos = ctx['event']['duration'] * params.NANOS_IN_A_SECOND;
+ ctx['event']['duration'] = nanos;
+ def start = ctx.event?.start;
+ if (start != null) {
+ ctx.event['end'] = ZonedDateTime.parse(start).plusNanos(nanos);
+ }
+
+# Set event.category.
+ - append:
+ field: event.type
+ value: allowed
+ if: "ctx?.panw?.panos?.action != null && ['alert', 'allow', 'continue'].contains(ctx.panw.panos.action)"
+ - append:
+ field: event.type
+ value: denied
+ if: "ctx?.panw?.panos?.action != null && ['deny', 'drop', 'reset-client', 'reset-server', 'reset-both', 'block-url', 'block-ip', 'random-drop', 'sinkhole', 'block'].contains(ctx.panw.panos.action)"
+ - set:
+ field: event.outcome
+ value: success
+
+# event.action for traffic logs.
+ - set:
+ field: event.action
+ value: flow_started
+ if: 'ctx?.panw?.panos?.sub_type == "start"'
+ - append:
+ field: event.type
+ value:
+ - start
+ - connection
+ if: 'ctx?.panw?.panos?.sub_type == "start"'
+ - set:
+ field: event.action
+ value: flow_terminated
+ if: 'ctx?.panw?.panos?.sub_type == "end"'
+ - append:
+ field: event.type
+ value:
+ - end
+ - connection
+ if: 'ctx?.panw?.panos?.sub_type == "end"'
+ - set:
+ field: event.action
+ value: flow_dropped
+ if: 'ctx?.panw?.panos?.sub_type == "drop"'
+ - append:
+ field: event.type
+ value:
+ - denied
+ - connection
+ if: 'ctx?.panw?.panos?.sub_type == "drop"'
+ - set:
+ field: event.action
+ value: flow_denied
+ if: 'ctx?.panw?.panos?.sub_type == "deny"'
+ - append:
+ field: event.type
+ value:
+ - denied
+ - connection
+ if: 'ctx?.panw?.panos?.sub_type == "deny"'
+
+# event.action for threat logs.
+ - set:
+ field: event.action
+ value: data_match
+ if: 'ctx?.panw?.panos?.sub_type == "data"'
+ - set:
+ field: event.action
+ value: file_match
+ if: 'ctx?.panw?.panos?.sub_type == "file"'
+ - set:
+ field: event.action
+ value: flood_detected
+ if: 'ctx?.panw?.panos?.sub_type == "flood"'
+ - set:
+ field: event.action
+ value: packet_attack
+ if: 'ctx?.panw?.panos?.sub_type == "packet"'
+ - set:
+ field: event.action
+ value: scan_detected
+ if: 'ctx?.panw?.panos?.sub_type == "scan"'
+ - set:
+ field: event.action
+ value: spyware_detected
+ if: 'ctx?.panw?.panos?.sub_type == "spyware"'
+ - set:
+ field: event.action
+ value: url_filtering
+ if: 'ctx?.panw?.panos?.sub_type == "url"'
+ - set:
+ field: event.action
+ value: virus_detected
+ if: 'ctx?.panw?.panos?.sub_type == "virus"'
+ - set:
+ field: event.action
+ value: exploit_detected
+ if: 'ctx?.panw?.panos?.sub_type == "vulnerability"'
+ - set:
+ field: event.action
+ value: wildfire_verdict
+ if: 'ctx?.panw?.panos?.sub_type == "wildfire"'
+ - set:
+ field: event.action
+ value: wildfire_virus_detected
+ if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"'
+
+# Set numeric log.level from event.severity.
+ - set:
+ field: "event.severity"
+ if: 'ctx?.log?.level == "critical"'
+ value: 1
+ - set:
+ field: "event.severity"
+ if: 'ctx?.log?.level == "high"'
+ value: 2
+ - set:
+ field: "event.severity"
+ if: 'ctx?.log?.level == "medium"'
+ value: 3
+ - set:
+ field: "event.severity"
+ if: 'ctx?.log?.level == "low"'
+ value: 4
+ - set:
+ field: "event.severity"
+ if: 'ctx?.log?.level == "informational"'
+ value: 5
+
+# Normalize event.outcome.
+# These values appear in the TRAFFIC docs but look like a mistake.
+ - set:
+ field: panw.panos.action
+ value: 'drop-icmp'
+ if: 'ctx?.panw?.panos?.action == "drop icmp" || ctx?.panw?.panos?.action == "drop ICMP"'
+ - set:
+ field: panw.panos.action
+ value: 'reset-both'
+ if: 'ctx?.panw?.panos?.action == "reset both"'
+ - set:
+ field: panw.panos.action
+ value: 'reset-client'
+ if: 'ctx?.panw?.panos?.action == "reset client"'
+ - set:
+ field: panw.panos.action
+ value: 'reset-server'
+ if: 'ctx?.panw?.panos?.action == "reset server"'
+
+# Set original PANW NAT fields for backwards compatibility, should be removed in 8.0
+ - set:
+ field: panw.panos.destination.nat.ip
+ copy_from: destination.nat.ip
+ if: ctx?.destination?.nat?.ip != null
+ - set:
+ field: panw.panos.source.nat.ip
+ copy_from: source.nat.ip
+ if: ctx?.source?.nat?.ip != null
+ - convert:
+ type: long
+ ignore_missing: true
+ field: destination.nat.port
+ target_field: panw.panos.destination.nat.port
+ - convert:
+ type: long
+ ignore_missing: true
+ field: source.nat.port
+ target_field: panw.panos.source.nat.port
+
+# Build related.ip array from src/dest/NAT IPs.
+ - append:
+ if: 'ctx?.source?.ip != null'
+ field: related.ip
+ allow_duplicates: false
+ value:
+ - '{{source.ip}}'
+ - append:
+ if: 'ctx?.destination?.ip != null'
+ field: related.ip
+ allow_duplicates: false
+ value:
+ - '{{destination.ip}}'
+ - append:
+ if: 'ctx?.source?.nat?.ip != null'
+ field: related.ip
+ allow_duplicates: false
+ value:
+ - '{{source.nat.ip}}'
+ - append:
+ if: 'ctx?.destination?.nat?.ip != null'
+ field: related.ip
+ allow_duplicates: false
+ value:
+ - '{{destination.nat.ip}}'
+
+# Geolocation for source.
+ - geoip:
+ if: 'ctx?.source?.ip != null'
+ field: source.ip
+ target_field: source.geo
+
+# Geolocation for destination.
+ - geoip:
+ if: 'ctx?.destination?.ip != null'
+ field: destination.ip
+ target_field: destination.geo
+
+# IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+# Set source|destination.geo.name from panw's srcloc|dstloc
+ - rename:
+ if: 'ctx.source?.geo?.name == null'
+ field: _temp_.srcloc
+ target_field: source.geo.name
+ ignore_missing: true
+ - rename:
+ if: 'ctx.destination?.geo?.name == null'
+ field: _temp_.dstloc
+ target_field: destination.geo.name
+ ignore_missing: true
+ - convert:
+ field: source.port
+ type: integer
+ if: ctx?.source?.port != null
+ - convert:
+ field: destination.port
+ type: integer
+ if: ctx?.destination?.port != null
+ - convert:
+ field: source.nat.port
+ type: integer
+ if: ctx?.source?.nat?.port != null
+ - convert:
+ field: destination.nat.port
+ type: integer
+ if: ctx?.destination?.nat?.port != null
+
+# Set community network ID's
+ - community_id:
+ target_field: network.community_id
+ if: ctx?.source?.port != null && ctx?.source?.port != 0 && ctx?.destination?.port != null && ctx?.destination?.port != 0
+ - community_id:
+ target_field: panw.panos.network.nat.community_id
+ source_ip: source.nat.ip
+ source_port: source.nat.port
+ destination_ip: destination.nat.ip
+ destination_port: destination.nat.port
+ if: ctx?.source?.nat?.port != null && ctx?.source?.nat?.port != 0 && ctx?.destination?.nat?.port != null && ctx?.destination?.nat?.port != 0
+
+# Append NAT community_id to network.community_id
+ - append:
+ if: 'ctx?.panw?.panos?.network?.nat?.community_id != null && ctx.panw.panos.network.nat.community_id != ctx?.network?.community_id'
+ field: network.community_id
+ value:
+ - '{{panw.panos.network.nat.community_id}}'
+ - grok:
+ if: 'ctx?.panw?.panos?.threat?.name != null'
+ field: panw.panos.threat.name
+ ignore_failure: true
+ patterns:
+ - '%{GREEDYDATA:panw.panos.threat.name}\(\s*%{GREEDYDATA:panw.panos.threat.id}\s*\)'
+ - set:
+ field: panw.panos.threat.name
+ value: 'URL-filtering'
+ if: 'ctx?.panw?.panos?.threat?.id == "9999"'
+ - set:
+ field: rule.name
+ value: "{{panw.panos.ruleset}}"
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ allow_duplicates: false
+ value: "{{client.user.name}}"
+ if: "ctx?.client?.user?.name != null"
+ - append:
+ field: related.user
+ allow_duplicates: false
+ value: "{{source.user.name}}"
+ if: "ctx?.source?.user?.name != null"
+ - append:
+ field: related.user
+ allow_duplicates: false
+ value: "{{server.user.name}}"
+ if: "ctx?.server?.user?.name != null"
+ - append:
+ field: related.user
+ allow_duplicates: false
+ value: "{{destination.user.name}}"
+ if: "ctx?.destination?.user?.name != null"
+ - append:
+ field: related.hash
+ allow_duplicates: false
+ value: "{{panw.panos.file.hash}}"
+ if: "ctx?.panw?.panos?.file?.hash != null"
+ - append:
+ field: related.hosts
+ value: "{{observer.hostname}}"
+ if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{host.name}}"
+ if: "ctx?.host?.name != null && ctx.host?.name != ''"
+ allow_duplicates: false
+# Remove temporary fields.
+ - remove:
+ field:
+ - _temp_
+ - _conf
+ ignore_missing: true
+# Remove NAT fields when translation was not done.
+ - remove:
+ field:
+ - source.nat.ip
+ - source.nat.port
+ if: 'ctx?.source?.nat?.ip == "0.0.0.0" && ctx?.source?.nat?.port == 0'
+ - remove:
+ field:
+ - destination.nat.ip
+ - destination.nat.port
+ if: 'ctx?.destination?.nat?.ip == "0.0.0.0" && ctx?.destination?.nat?.port == 0'
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+
+on_failure:
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }} {{ _ingest.on_failure_processor_type }}"
+ - remove:
+ field:
+ - _temp_
+ - _conf
+ - message
+ ignore_missing: true
diff --git a/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/globalprotect.yml b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/globalprotect.yml
new file mode 100755
index 0000000000..53d0472d94
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/globalprotect.yml
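Review bot: The unconditional `set` of `event.outcome: success` under the first `# Set event.category.` comment runs after the sub-pipelines, so it overwrites the `event.outcome` that globalprotect.yml's csv processor has just filled from the log's status column, and a failed GlobalProtect authentication is indexed as `success`; guard it with `if: ctx?.event?.outcome == null` (whether the GlobalProtect value also needs lower-casing cannot be confirmed from this view). The four `related.ip` appends also run before the `# Remove NAT fields when translation was not done.` step, so an untranslated session gets `0.0.0.0` appended to `related.ip` and the `panw.panos.*.nat.ip` copies keep it as well (threat.yml in this commit does not clear the placeholder earlier; traffic.yml's tail is outside this view). Either move that removal ahead of the related.ip section or tighten the two NAT appends, e.g. `if: 'ctx?.source?.nat?.ip != null && ctx.source.nat.ip != "0.0.0.0"'` and its destination counterpart. Two section comments are mislabelled: `# Set numeric log.level from event.severity.` heads processors that set `event.severity` from `log.level`, and the first `# Set event.category.` heads appends to `event.type` plus the `event.outcome` set; suggest `# Set numeric event.severity from log.level.` and `# Set event.type and event.outcome from the PAN-OS action.`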
@@ -0,0 +1,87 @@
+---
+description: Pipeline for PanOS Global Protect Logs
+processors:
+ - csv:
+ field: message
+ target_fields:
+ - panw.panos.virtual_sys
+ - event.code
+ - panw.panos.stage
+ - panw.panos.auth_method
+ - panw.panos.tunnel_type
+ - _temp_.srcuser
+ - _temp_.srcloc
+ - host.name
+ - source.nat.ip
+ - _temp_.public_ipv6
+ - source.ip
+ - _temp_.private_ipv6
+ - host.id
+ - panw.panos.serial_number
+ - panw.panos.client_ver
+ - host.os.family
+ - host.os.full
+ - panw.panos.repeat_count
+ - event.reason
+ - panw.panos.error_message
+ - panw.panos.description
+ - event.outcome
+ - observer.geo.name
+ - event.duration
+ - panw.panos.connect_method
+ - panw.panos.error_code
+ - observer.hostname
+ - panw.panos.sequence_number
+ - panw.panos.action_flags
+ - panw.panos.selection_type
+ - panw.panos.response_time
+ - panw.panos.priority
+ - panw.panos.attempted_gateways
+ - panw.panos.gateway
+
+ - set:
+ field: source.ip
+ value: "{{_temp_.private_ipv6}}"
+ if: (ctx.source?.ip == null || ctx.source?.ip == "0.0.0.0") && ctx._temp_?.private_ipv6 != null && ctx._temp_?.private_ipv6 != "0.0.0.0"
+ - set:
+ field: host.ip
+ value: "{{source.ip}}"
+ if: ctx.source?.ip != null
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.public_ipv6}}"
+ if: (ctx.source?.nat?.ip == null || ctx.source?.nat?.ip == "0.0.0.0") && ctx._temp_?.public_ipv6 != null && ctx._temp_?.public_ipv6 != "0.0.0.0"
+ - grok:
+ field: _temp_.srcuser
+ ignore_missing: true
+ patterns:
+ - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
+ - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
+ - '%{USERNAME:source.user.name}'
+ if: ctx?._temp_?.srcuser != null
+ - set:
+ field: network.type
+ value: 'ipv4'
+ if: 'ctx.network?.type == null && ctx.source?.ip != null && ctx.source.ip.contains(".")'
+ - set:
+ field: network.type
+ value: 'ipv6'
+ if: 'ctx.network?.type == null && ctx.source?.ip != null && ctx.source.ip.contains(":")'
+
+# Set event.category.
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value:
+ - network
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in Global Protect pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/hipmatch.yml b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/hipmatch.yml
new file mode 100755
index 0000000000..3833612f18
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/hipmatch.yml
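Review bot: The `grok` on `_temp_.srcuser` has `ignore_missing: true` but no `ignore_failure`, whereas the identical three patterns in hipmatch.yml carry `ignore_failure: true`; a user name with characters outside grok's `USERNAME` class (a space or apostrophe, for instance) fails every pattern and aborts the whole GlobalProtect pipeline, so the document reaches the caller's on_failure handler with `network.type`, `event.kind` and `event.category` never set. Add `ignore_failure: true` after `ignore_missing: true` on that processor so an unparsable user is simply left unmapped, matching the HIP Match pipeline.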
@@ -0,0 +1,69 @@
+---
+description: Pipeline for PanOS HIP Match Logs
+processors:
+ - csv:
+ field: message
+ target_fields:
+ - _temp_.srcuser
+ - panw.panos.virtual_sys
+ - host.name
+ - host.os.full
+ - source.ip
+ - panw.panos.matchname
+ - panw.panos.repeat_count
+ - panw.panos.matchtype
+ - _temp_.future_use3
+ - _temp_.future_use4
+ - panw.panos.sequence_number
+ - panw.panos.action_flags
+ - panw.panos.device_group_hierarchy1
+ - panw.panos.device_group_hierarchy2
+ - panw.panos.device_group_hierarchy3
+ - panw.panos.device_group_hierarchy4
+ - panw.panos.vsys_name
+ - observer.hostname
+ - panw.panos.vsys_id
+ - _temp_.source_ipv6
+ - host.id
+ - panw.panos.serial_number
+ - host.mac
+
+ - grok:
+ field: _temp_.srcuser
+ ignore_missing: true
+ ignore_failure: true
+ patterns:
+ - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
+ - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
+ - '%{USERNAME:source.user.name}'
+ if: ctx?._temp_?.srcuser != null
+ - set:
+ field: source.ip
+ value: "{{_temp_.source_ipv6}}"
+ if: ctx?._temp_?.source_ipv6 != null && ctx?._temp_?.source_ipv6 != "" && ctx?._temp_?.source_ipv6 != "0.0.0.0"
+ - set:
+ field: network.type
+ value: 'ipv4'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")'
+ - set:
+ field: network.type
+ value: 'ipv6'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")'
+
+# Set event.category.
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value:
+ - network
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in HIP Match pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
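Review bot: The two `network.type` conditions, `ctx?.network?.type == null && ctx?.source?.ip.contains(".")` and the `":"` twin, are only null-safe up to `ip`; the final `.contains` is a plain call, so a HIP Match record whose source address column is empty (the csv processor then leaves `source.ip` unset) makes the condition itself throw a null pointer error and fails the whole pipeline rather than skipping the set. Use the guarded form that globalprotect.yml already uses, `if: 'ctx?.network?.type == null && ctx?.source?.ip != null && ctx.source.ip.contains(".")'` and the same for `":"`. The `_temp_.source_ipv6` guard compares against `"0.0.0.0"`; whether an absent IPv6 address is reported that way or as `::` cannot be confirmed from this view, so it is worth checking against a sample log.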
diff --git a/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml
new file mode 100755
index 0000000000..791b422930
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml
@@ -0,0 +1,107 @@
+---
+description: Pipeline for PanOS Threat Logs
+processors:
+ - csv:
+ field: message
+ target_fields:
+ - source.ip
+ - destination.ip
+ - source.nat.ip
+ - destination.nat.ip
+ - panw.panos.ruleset
+ - source.user.name
+ - destination.user.name
+ - network.application
+ - panw.panos.related_vsys
+ - observer.ingress.zone
+ - observer.egress.zone
+ - observer.ingress.interface.name
+ - observer.egress.interface.name
+ - panw.panos.log_profile
+ - _temp_.future_use1
+ - panw.panos.flow_id
+ - panw.panos.repeat_count
+ - source.port
+ - destination.port
+ - source.nat.port
+ - destination.nat.port
+ - _temp_.labels
+ - network.transport
+ - panw.panos.action
+ - url.original
+ - panw.panos.threat.name
+ - panw.panos.url.category
+ - log.level
+ - _temp_.direction
+ - panw.panos.sequence_number
+ - panw.panos.action_flags
+ - _temp_.srcloc
+ - _temp_.dstloc
+ - _temp_.future_use2
+ - panw.panos.http_content_type
+ - panw.panos.network.pcap_id
+ - panw.panos.file.hash
+ - panw.panos.wildfire.name
+ - panw.panos.url_idx
+ - user_agent.original
+ - file.type
+ - network.forwarded_ip
+ - http.request.referer
+ - source.user.email
+ - panw.panos.subject
+ - destination.user.email
+ - panw.panos.wildfire.report_id
+ - panw.panos.device_group_hierarchy1
+ - panw.panos.device_group_hierarchy2
+ - panw.panos.device_group_hierarchy3
+ - panw.panos.device_group_hierarchy4
+ - panw.panos.vsys_name
+ - observer.hostname
+ - _temp_.future_use3
+ - panw.panos.source_vm_uuid
+ - panw.panos.destination_vm_uuid
+ - http.request.method
+ - panw.panos.imsi
+ - panw.panos.imei
+ - panw.panos.parent_session.id
+ - panw.panos.parent_session.start_time
+ - panw.panos.tunnel_type
+ - panw.panos.threat_category
+ - panw.panos.content_version
+ - panw.panos.scp.assoc_id
+ - panw.panos.payload_protocol_id
+ - panw.panos.http_headers
+
+
+# Set network.direction from threat direction (Threat logs).
+ - set:
+ field: network.direction
+ value: inbound
+ if: ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server"
+ - set:
+ field: network.direction
+ value: outbound
+ if: ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client"
+ - set:
+ field: network.direction
+ value: unknown
+ if: ctx?.network?.direction == null
+
+# Set event.category.
+ - set:
+ field: event.kind
+ value: alert
+ - append:
+ field: event.category
+ value:
+ - intrusion_detection
+ - network
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in Threat pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml
new file mode 100755
index 0000000000..63ebd2f507
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/traffic.yml
@@ -0,0 +1,186 @@
+---
+description: Pipeline for PanOS Traffic Logs
+processors:
+ - csv:
+ field: message
+ target_fields:
+ - source.ip
+ - destination.ip
+ - source.nat.ip
+ - destination.nat.ip
+ - panw.panos.ruleset
+ - source.user.name
+ - destination.user.name
+ - network.application
+ - panw.panos.related_vsys
+ - observer.ingress.zone
+ - observer.egress.zone
+ - observer.ingress.interface.name
+ - observer.egress.interface.name
+ - panw.panos.log_profile
+ - _temp_.future_use1
+ - panw.panos.flow_id
+ - panw.panos.repeat_count
+ - source.port
+ - destination.port
+ - source.nat.port
+ - destination.nat.port
+ - _temp_.labels
+ - network.transport
+ - panw.panos.action
+ - network.bytes
+ - source.bytes
+ - destination.bytes
+ - network.packets
+ - event.start
+ - event.duration
+ - panw.panos.url.category
+ - _temp_.future_use2
+ - panw.panos.sequence_number
+ - panw.panos.action_flags
+ - _temp_.srcloc
+ - _temp_.dstloc
+ - _temp_.future_use3
+ - source.packets
+ - destination.packets
+ - panw.panos.endreason
+ - panw.panos.device_group_hierarchy1
+ - panw.panos.device_group_hierarchy2
+ - panw.panos.device_group_hierarchy3
+ - panw.panos.device_group_hierarchy4
+ - panw.panos.vsys_name
+ - observer.hostname
+ - panw.panos.action_source
+ - panw.panos.source_vm_uuid
+ - panw.panos.destination_vm_uuid
+ - panw.panos.imsi
+ - panw.panos.imei
+ - panw.panos.parent_session.id
+ - panw.panos.parent_session.start_time
+ - panw.panos.tunnel_type
+ - panw.panos.scp.assoc_id
+ - panw.panos.scp.chunks
+ - panw.panos.scp.chunks_sent
+ - panw.panos.scp.chunks_received
+
+# Set network.direction using src/dst zone (traffic logs).
+ - set:
+ field: network.direction
+ value: inbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ - set:
+ field: network.direction
+ value: outbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: internal
+ if: >
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: external
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: unknown
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone)
+ )
+ )
+
+# Set network.type.
+ - set:
+ field: network.type
+ value: 'ipv4'
+ if: ctx?.labels?.ipv6_session == null
+ - set:
+ field: network.type
+ value: 'ipv6'
+ if: ctx?.labels?.ipv6_session != null
+
+# Set event.category.
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value:
+ - network
+
+# event.start is the time the session started.
+ - date:
+ if: "ctx?.event?.timezone == null && ctx?.event?.start != null"
+ field: "event.start"
+ target_field: "event.start"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ - "strict_date_optional_time_nanos"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+ - date:
+ if: "ctx?.event?.timezone != null && ctx?.event?.start != null"
+ field: "event.start"
+ target_field: "event.start"
+ timezone: "{{{ event.timezone }}}"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ - "strict_date_optional_time_nanos"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+
+# Time the parent_session of the tunnel started.
+ - date:
+ if: "ctx?.event?.timezone == null && ctx?.panw?.panos?.parent_session?.start_time != null"
+ field: "panw.panos.parent_session.start_time"
+ target_field: "panw.panos.parent_session.start_time"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ - "strict_date_optional_time_nanos"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+ - date:
+ if: "ctx?.event?.timezone != null && ctx?.panw?.panos?.parent_session?.start_time != null"
+ field: "panw.panos.parent_session.start_time"
+ target_field: "panw.panos.parent_session.start_time"
+ timezone: "{{{ event.timezone }}}"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ - "strict_date_optional_time_nanos"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in Traffic pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/userid.yml b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/userid.yml
new file mode 100755
index 0000000000..078c7002df
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/elasticsearch/ingest_pipeline/userid.yml
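Review bot: The last `set` of `network.direction` to `unknown` is guarded by both `_temp_.external_zones != null` and `_temp_.internal_zones != null`, so a traffic event processed with one or both zone lists absent gets no `network.direction` at all, while threat.yml in the same package falls back to `unknown` whenever the field is still null. Detections that filter on `network.direction` then see the two data streams behave differently for the same deployment. Unless an absent field is intended, a trailing `- set: {field: network.direction, value: unknown, if: ctx?.network?.direction == null}` written in block style after the zone-based processors keeps the streams consistent. Where the two zone lists are populated is outside this hunk, so the note assumes they can be missing.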
@@ -0,0 +1,83 @@
+---
+description: Pipeline for PanOS User ID Logs
+processors:
+ - csv:
+ field: message
+ target_fields:
+ - panw.panos.virtual_sys
+ - source.ip
+ - _temp_.srcuser
+ - panw.panos.datasourcename
+ - event.code
+ - panw.panos.repeat_count
+ - panw.panos.timeout
+ - source.port
+ - destination.port
+ - panw.panos.datasource
+ - panw.panos.datasourcetype
+ - panw.panos.sequence_number
+ - panw.panos.action_flags
+ - panw.panos.device_group_hierarchy1
+ - panw.panos.device_group_hierarchy2
+ - panw.panos.device_group_hierarchy3
+ - panw.panos.device_group_hierarchy4
+ - panw.panos.vsys_name
+ - observer.hostname
+ - panw.panos.vsys_id
+ - panw.panos.factortype
+ - panw.panos.factorcompletiontime
+ - panw.panos.factorno
+ - panw.panos.ugflags
+ - source.user.name
+
+ - grok:
+ field: _temp_.srcuser
+ ignore_missing: true
+ ignore_failure: true
+ patterns:
+ - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
+ - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
+ - '%{USERNAME:source.user.name}'
+ if: ctx?._temp_?.srcuser != null
+ - set:
+ field: network.type
+ value: 'ipv4'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")'
+ - set:
+ field: network.type
+ value: 'ipv6'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")'
+ - date:
+ if: "ctx?.panw?.panos?.factorcompletiontime != null && ctx.event.timezone == null"
+ field: "panw.panos.factorcompletiontime"
+ target_field: "panw.panos.factorcompletiontime"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+ - date:
+ if: "ctx?.panw?.panos?.factorcompletiontime != null && ctx.event.timezone != null"
+ field: "panw.panos.factorcompletiontime"
+ target_field: "panw.panos.factorcompletiontime"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ timezone: "{{{ event.timezone }}}"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+
+# Set event.category.
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value:
+ - network
+ - iam
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in User ID pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/packages/panw/1.5.3/data_stream/panos/fields/agent.yml b/packages/panw/1.5.3/data_stream/panos/fields/agent.yml
new file mode 100755
index 0000000000..79a7a39864
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/fields/agent.yml
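Review bot: The two `network.type` conditions `ctx?.source?.ip.contains(".")` and `ctx?.source?.ip.contains(":")` null-guard `source` but not `ip`; the `csv` processor above has no `empty_value`, so an empty source-IP column leaves `source.ip` unset and `.contains` is then evaluated on null, which would most likely abort the event into the top-level `on_failure` rather than skip the processor. The two `date` conditions likewise read `ctx.event.timezone` without the null-safe form that traffic.yml uses (`ctx?.event?.timezone`). Writing the guards as `ctx?.network?.type == null && ctx?.source?.ip != null && ctx.source.ip.contains(".")` (and the `:` counterpart) and `ctx?.event?.timezone == null` / `!= null` brings this pipeline in line with the other two.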
@@ -0,0 +1,180 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." + - name: id + level: core + type: keyword + ignore_above: 1024 + description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/panw/1.5.3/data_stream/panos/fields/base-fields.yml b/packages/panw/1.5.3/data_stream/panos/fields/base-fields.yml
new file mode 100755
index 0000000000..fd2e344778
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: panw
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: panw.panos
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/panw/1.5.3/data_stream/panos/fields/beats.yml b/packages/panw/1.5.3/data_stream/panos/fields/beats.yml
new file mode 100755
index 0000000000..f69a96ea42
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/fields/beats.yml
@@ -0,0 +1,33 @@
+- description: Type of Filebeat input.
+ name: input.type
+ type: keyword
+- description: Flags for the log file.
+ name: log.flags
+ type: keyword
+- description: Offset of the entry in the log file.
+ name: log.offset
+ type: long
+- description: Path to the log file.
+ name: log.file.path
+ type: keyword
+- description: Source address from which the log event was read / sent from.
+ name: log.source.address
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referer
+ type: keyword
+- description: Syslog numeric facility of the event.
+ name: syslog.facility
+ type: long
+- description: Syslog text-based facility of the event.
+ name: syslog.facility_label
+ type: keyword
+- description: Syslog priority of the event.
+ name: syslog.priority
+ type: long
+- description: Syslog text-based severity of the event.
+ name: syslog.severity_label
+ type: keyword
+- description: Name of host parsed from syslog message.
+ name: hostname
+ type: keyword
diff --git a/packages/panw/1.5.3/data_stream/panos/fields/ecs.yml b/packages/panw/1.5.3/data_stream/panos/fields/ecs.yml
new file mode 100755
index 0000000000..9706c50c85
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/fields/ecs.yml
@@ -0,0 +1,417 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + Translated IP of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.port + type: long +- description: Packets sent from the client to the server. + name: client.packets + type: long +- description: Port of the client. + name: client.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: Unique container id. + name: container.id + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. 
+ name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: User email address. + name: destination.user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
+ Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: Observer serial number. 
+ name: observer.serial_number + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: server.nat.ip + type: ip +- description: |- + Translated port of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: server.nat.port + type: long +- description: Packets sent from the server to the client. + name: server.packets + type: long +- description: Port of the server. + name: server.port + type: long +- description: Short name or login of the user. 
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: server.user.name
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ Translated ip of source based NAT sessions (e.g. 
internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Packets sent from the source to the destination.
+ name: source.packets
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: User email address.
+ name: source.user.email
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: source.user.domain
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.name
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
diff --git a/packages/panw/1.5.3/data_stream/panos/fields/fields.yml b/packages/panw/1.5.3/data_stream/panos/fields/fields.yml
new file mode 100755
index 0000000000..3625a11874
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/fields/fields.yml
@@ -0,0 +1,356 @@
+- name: panw.panos
+ type: group
+ fields:
+ - name: ruleset
+ type: keyword
+ description: |
+ Name of the rule that matched this session.
+ - name: source
+ type: group
+ fields:
+ - name: zone
+ type: keyword
+ description: |
+ Source zone for this session.
+ - name: interface
+ type: keyword
+ description: |
+ Source interface for this session.
+ - name: nat
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: |
+ Post-NAT source IP.
+ - name: port
+ type: long
+ description: |
+ Post-NAT source port.
+ - name: destination
+ type: group
+ fields:
+ - name: zone
+ type: keyword
+ description: |
+ Destination zone for this session.
+ - name: interface
+ type: keyword
+ description: |
+ Destination interface for this session.
+ - name: nat
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: |
+ Post-NAT destination IP.
+ - name: port
+ type: long
+ description: |
+ Post-NAT destination port.
+ - name: endreason
+ type: keyword
+ description: |
+ The reason a session terminated.
+ - name: network
+ type: group
+ fields:
+ - name: pcap_id
+ type: keyword
+ description: |
+ Packet capture ID for a threat.
+ - name: nat
+ type: group
+ fields:
+ - name: community_id
+ type: keyword
+ description: |
+ Community ID flow-hash for the NAT 5-tuple.
+ - name: file
+ type: group
+ fields:
+ - name: hash
+ type: keyword
+ description: |
+ Binary hash for a threat file sent to be analyzed by the WildFire service.
+ - name: url
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: |
+ For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'.
+ - name: flow_id
+ type: keyword
+ description: |
+ Internal numeric identifier for each session.
+ - name: sequence_number
+ type: long
+ description: |
+ Log entry identifier that is incremented sequentially. Unique for each log type.
+ - name: threat.resource
+ type: keyword
+ description: |
+ URL or file name for a threat.
+ - name: threat.id
+ type: keyword
+ description: |
+ Palo Alto Networks identifier for the threat.
+ - name: threat.name
+ type: keyword
+ description: |
+ Palo Alto Networks name for the threat.
+ - name: action
+ type: keyword
+ description: |
+ Action taken for the session.
+ - name: type
+ type: keyword
+ description: |
+ Specifies the type of the log.
+ - name: sub_type
+ type: keyword
+ description: |
+ Specifies the sub type of the log.
+ - name: related_vsys
+ type: keyword
+ description: |
+ Virtual System associated with the session.
+ - name: vsys_name
+ type: keyword
+ description: |
+ The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
+ - name: log_profile
+ type: keyword
+ description: |
+ Log Forwarding Profile that was applied to the session.
+ - name: repeat_count
+ type: long
+ description: |
+ Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
+ - name: action_flags
+ type: keyword
+ description: |
+ 32-bit field that provides details on session, details about specific values is found in the Palo Alto Traffic Field documentation.
+ - name: action_source
+ type: keyword
+ description: |
+ Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset- server, reset-client or reset-both for the session.
+ - name: source_vm_uuid
+ type: keyword
+ description: |
+ Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
+ - name: destination_vm_uuid
+ type: keyword
+ description: |
+ Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
+ - name: imsi
+ type: keyword
+ description: |
+ International Mobile Subscriber Identity (IMSI) is a unique number allocated to each mobile subscriber in the GSM/UMTS/EPS system
+ - name: imei
+ type: keyword
+ description: |
+ International Mobile Equipment Identity (IMEI) is a unique 15 or 16 digit number allocated to each mobile station equipment.
+ - name: http_content_type
+ type: keyword
+ description: |
+ Content type of the HTTP response data
+ - name: content_version
+ type: keyword
+ description: |
+ Applications and Threats version on your firewall when the log was generated.
+ - name: threat_category
+ type: keyword
+ description: |
+ Describes threat categories used to classify different types of threat signatures.
+ - name: payload_protocol_id
+ type: keyword
+ description: |
+ ID of the protocol for the payload in the data portion of the data chunk.
+ - name: http_headers
+ type: keyword
+ description: |
+ Indicates the inserted HTTP header in the URL log entries on the firewall.
+ - name: wildfire_name
+ type: keyword
+ description: |
+ Displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis.
+ - name: url_idx
+ type: keyword
+ description: |
+ When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session.
+ - name: wildfire
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ Displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis.
+ - name: report_id
+ type: keyword
+ description: |
+ Identifies the analysis request on the WildFire cloud or the WildFire appliance.
+ - name: parent_session
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only.
+ - name: start_time
+ type: date
+ description: |
+ Date that the parent tunnel session began.
+ - name: tunnel_type
+ type: keyword
+ description: |
+ Type of tunnel, such as GRE or IPSec.
+ - name: device_group_hierarchy1
+ type: keyword
+ description: |
+ A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
+ - name: device_group_hierarchy2
+ type: keyword
+ description: |
+ A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
+ - name: device_group_hierarchy3
+ type: keyword
+ description: |
+ A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
+ - name: device_group_hierarchy4
+ type: keyword
+ description: |
+ A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
+ - name: scp
+ type: group
+ fields:
+ - name: assoc_id
+ type: keyword
+ description: |
+ Number that identifies all connections for an association between two SCTP endpoints.
+ - name: chunks
+ type: long
+ description: |
+ Sum of SCTP chunks sent and received for an association.
+ - name: chunks_sent
+ type: long
+ description: |
+ Number of SCTP chunks sent for an association.
+ - name: chunks_received
+ type: long
+ description: |
+ Number of SCTP chunks received for an association.
+ - name: matchname
+ type: keyword
+ description: |
+ Name of the HIP object or profile.
+ - name: matchtype
+ type: keyword
+ description: |
+ Whether the document represents a HIP object or a HIP profile.
+ - name: serial_number
+ type: keyword
+ description: |
+ The serial number of the user’s machine or device.
+ - name: vsys_id
+ type: keyword
+ description: |
+ A unique identifier for a virtual system on a Palo Alto Networks firewall.
+ - name: virtual_sys
+ type: keyword
+ description: |
+ Virtual System associated with the HIP match log.
+ - name: timeout
+ type: integer
+ description: |
+ Timeout after which the IP/User Mappings are cleared.
+ - name: datasource
+ type: keyword
+ description: |
+ Source from which mapping information is collected.
+ - name: datasourcetype
+ type: keyword
+ description: |
+ Mechanism used to identify the IP/User mappings within a data source.
+ - name: datasourcename
+ type: keyword
+ description: |
+ User-ID source that sends the IP (Port)-User Mapping.
+ - name: factorno
+ type: integer
+ description: |
+ Indicates the use of primary authentication (1) or additional factors (2, 3).
+ - name: factortype
+ type: keyword
+ description: |
+ Vendor used to authenticate a user when Multi Factor authentication is present.
+ - name: factorcompletiontime
+ type: date
+ description: |
+ Time the authentication was completed.
+ - name: ugflags
+ type: keyword
+ description: |
+ Displays whether the user group that was found during user group mapping. Supported values are:
+ User Group Found—Indicates whether the user could be mapped to a group.
+ Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found.
+ - name: priority
+ type: keyword
+ description: |
+ The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect.
+ - name: attempted_gateways
+ type: keyword
+ description: |
+ The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority
+ - name: selection_type
+ type: keyword
+ description: |
+ The connection method that is selected to connect to the gateway.
+ - name: auth_method
+ type: keyword
+ description: |
+ A string showing the authentication type.
+ - name: error_code
+ type: integer
+ description: |
+ An integer associated with any errors that occurred.
+ - name: description
+ type: keyword
+ description: |
+ Additional information for any event that has occurred.
+ - name: client_ver
+ type: keyword
+ description: |
+ The client’s GlobalProtect app version.
+ - name: stage
+ type: keyword
+ description: |
+ A string showing the stage of the connection.
+ - name: connect_method
+ type: keyword
+ description: |
+ A string showing the how the GlobalProtect app connects to Gateway.
+- name: labels.pcap_included
+ type: boolean
+- name: labels.ipv6_session
+ type: boolean
+- name: labels.ssl_decrypted
+ type: boolean
+- name: labels.url_filter_denied
+ type: boolean
+- name: labels.nat_translated
+ type: boolean
+- name: labels.captive_portal
+ type: boolean
+- name: labels.x_forwarded_for
+ type: boolean
+- name: labels.http_proxy
+ type: boolean
+- name: labels.container_page
+ type: boolean
+- name: labels.temporary_match
+ type: boolean
+- name: labels.symmetric_return
+ type: boolean
diff --git a/packages/panw/1.5.3/data_stream/panos/manifest.yml b/packages/panw/1.5.3/data_stream/panos/manifest.yml
new file mode 100755
index 0000000000..b34587a9af
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/manifest.yml
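Review bot: The eleven `labels.*` boolean fields at the end of this hunk carry no `description`, so the generated README rows for them (visible later in this diff) have an empty description column and a reader cannot tell what `labels.nat_translated` or `labels.x_forwarded_for` signal without reading the pipeline. Every other field in the file is documented, so a one-line description per label keeps the file consistent, e.g. `description: Set when the session was NAT-translated.` under `labels.nat_translated`, with the exact wording confirmed against the pipeline that sets these flags (not part of this hunk). Two smaller documentation points in the same hunk: the `scp` group's descriptions all refer to SCTP, so the group name reads like a typo for `sctp` (renaming is a breaking change for existing indices, so at minimum the group should state that it holds SCTP association fields), and the `action_source` description contains `reset- server`, which presumably should be `reset-server`.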
@@ -0,0 +1,115 @@
+type: logs
+title: Palo Alto Networks PAN-OS firewall logs
+streams:
+ - input: syslog
+ vars:
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UTC.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - panw-panos
+ - forwarded
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - trust
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - untrust
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: syslog.yml.hbs
+ title: Syslog logs
+ description: Collect logs via syslog
+ - input: logfile
+ vars:
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UTC.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - panw-panos
+ - forwarded
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - trust
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - untrust
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: logfile.yml.hbs
+ title: Log files
+ description: Collect logs via log file
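Review bot: The `tags`, `internal_zones` and `external_zones` vars in the `syslog` stream, and their copies in the `logfile` stream, have no `description`, unlike `tz_offset`, `preserve_original_event` and `processors`, so an operator tuning the zone lists sees only a title and the defaults `trust`/`untrust`. The names suggest these lists drive how traffic direction is classified; if that is what the ingest pipeline (not part of this diff) does, a wrong list silently mislabels inbound and outbound flows, which is worth stating in the var itself, e.g. `description: Names of firewall zones considered internal to your network; used to classify traffic direction.` with the matching text on `external_zones`. The two stream blocks also repeat the same six var definitions line for line, so a `# keep in sync with the logfile stream vars` comment above the first `vars:` would reduce the chance of the copies drifting apart.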
diff --git a/packages/panw/1.5.3/data_stream/panos/sample_event.json b/packages/panw/1.5.3/data_stream/panos/sample_event.json
new file mode 100755
index 0000000000..c23b6d9dc4
--- /dev/null
+++ b/packages/panw/1.5.3/data_stream/panos/sample_event.json
@@ -0,0 +1,193 @@
+{
+ "@timestamp": "2018-11-30T16:09:07.000Z",
+ "agent": {
+ "ephemeral_id": "e4811856-bfcd-4b56-a3b8-e72433fa3caf",
+ "id": "654bb145-fd80-41c9-8a5d-307abd101e5a",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "panw.panos",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "bytes": 5976,
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "name": "United States",
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1",
+ "nat": {
+ "ip": "175.16.199.1",
+ "port": 443
+ },
+ "packets": 20,
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "654bb145-fd80-41c9-8a5d-307abd101e5a",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "flow_terminated",
+ "agent_id_status": "verified",
+ "category": [
+ "network_traffic",
+ "network"
+ ],
+ "created": "2018-11-30T16:09:07.000Z",
+ "dataset": "panw.panos",
+ "duration": 586000000000,
+ "end": "2018-11-30T16:08:50.000Z",
+ "ingested": "2022-03-01T06:53:34Z",
+ "kind": "event",
+ "outcome": "success",
+ "start": "2018-11-30T15:59:04.000Z",
+ "timezone": "+00:00",
+ "type": [
+ "allowed",
+ "end",
+ "connection"
+ ]
+ },
+ "hostname": "PA-220",
+ "input": {
+ "type": "syslog"
+ },
+ "labels": {
+ "nat_translated": true
+ },
+ "log": {
+ "source": {
+ "address": "172.29.0.4:50949"
+ }
+ },
+ "message": "192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "network": {
+
"application": "apple-maps", + "bytes": 7734, + "community_id": [ + "1:La5Jgm/PJBlaHF8BtgJSyZEmW9E=", + "1:sKYRL+yp3SWr5aT5SC1cvyWNnnM=" + ], + "packets": 36, + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/1" + }, + "zone": "untrust" + }, + "hostname": "PA-220", + "ingress": { + "interface": { + "name": "ethernet1/2" + }, + "zone": "trust" + }, + "product": "PAN-OS", + "serial_number": "012801096514", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "allow", + "action_flags": "0x0", + "action_source": "from-policy", + "destination": { + "nat": { + "ip": "175.16.199.1", + "port": 443 + } + }, + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "endreason": "tcp-fin", + "flow_id": "22751", + "imsi": "0", + "log_profile": "send_to_mac", + "network": { + "nat": { + "community_id": "1:sKYRL+yp3SWr5aT5SC1cvyWNnnM=" + } + }, + "parent_session": { + "id": "0" + }, + "related_vsys": "vsys1", + "repeat_count": 1, + "ruleset": "new_outbound_from_trust", + "scp": { + "assoc_id": "0", + "chunks": 0, + "chunks_received": 0, + "chunks_sent": 0 + }, + "sequence_number": 32091112, + "source": { + "nat": { + "ip": "192.168.1.63", + "port": 16418 + } + }, + "sub_type": "end", + "tunnel_type": "N/A", + "type": "TRAFFIC", + "url": { + "category": "computer-and-internet-info" + } + } + }, + "related": { + "hosts": [ + "PA-220" + ], + "ip": [ + "192.168.15.207", + "175.16.199.1", + "192.168.1.63" + ] + }, + "rule": { + "name": "new_outbound_from_trust" + }, + "source": { + "bytes": 1758, + "geo": { + "name": "192.168.0.0-192.168.255.255" + }, + "ip": "192.168.15.207", + "nat": { + "ip": "192.168.1.63", + "port": 16418 + }, + "packets": 16, + "port": 55113 + }, + "syslog": {}, + "tags": [ + "panw-panos", + "forwarded" + ] +} \ No newline at end of file 
diff --git a/packages/panw/1.5.3/docs/README.md b/packages/panw/1.5.3/docs/README.md
new file mode 100755
index 0000000000..873410c3a7
--- /dev/null
+++ b/packages/panw/1.5.3/docs/README.md
@@ -0,0 +1,254 @@
+# Palo Alto Network Integration
+
+This integration is for Palo Alto Networks PAN-OS firewall monitoring logs received over Syslog or read from a file. It currently supports messages of [GlobalProtect](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.html), [HIP Match](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields.html), [Threat](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields.html), [Traffic](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields.html) and [User-ID](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields.html) types.
+
+## Compatibility
+
+This module has been tested with logs generated by devices running PAN-OS versions 7.1 to 9.0 but limited compatibility is expected for earlier versions.
+
+The ingest-geoip Elasticsearch plugin is required to run this module.
+
+## Logs
+
+### PAN-OS
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| client.bytes | Bytes sent from the client to the server. | long |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip |
+| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long |
+| client.packets | Packets sent from the client to the server. 
| long |
+| client.port | Port of the client. | long |
+| client.user.name | Short name or login of the user. | keyword |
+| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. 
| keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.packets | Packets sent from the destination to the source. | long |
+| destination.port | Port of the destination. | long |
+| destination.user.email | User email address. | keyword |
+| destination.user.name | Short name or login of the user. | keyword |
+| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.type | File type (file, dir, or symlink). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| hostname | Name of host parsed from syslog message. | keyword | +| http.request.referer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| labels.captive_portal | | boolean | +| labels.container_page | | boolean | +| labels.http_proxy | | boolean | +| labels.ipv6_session | | boolean | +| labels.nat_translated | | boolean | +| labels.pcap_included | | boolean | +| labels.ssl_decrypted | | boolean | +| labels.symmetric_return | | boolean | +| labels.temporary_match | | boolean | +| labels.url_filter_denied | | boolean | +| labels.x_forwarded_for | | boolean | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. 
If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.serial_number | Observer serial number. 
| keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| panw.panos.action | Action taken for the session. | keyword | +| panw.panos.action_flags | 32-bit field that provides details on session, details about specific values is found in the Palo Alto Traffic Field documentation. | keyword | +| panw.panos.action_source | Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset- server, reset-client or reset-both for the session. | keyword | +| panw.panos.attempted_gateways | The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority | keyword | +| panw.panos.auth_method | A string showing the authentication type. | keyword | +| panw.panos.client_ver | The client’s GlobalProtect app version. | keyword | +| panw.panos.connect_method | A string showing the how the GlobalProtect app connects to Gateway. | keyword | +| panw.panos.content_version | Applications and Threats version on your firewall when the log was generated. | keyword | +| panw.panos.datasource | Source from which mapping information is collected. | keyword | +| panw.panos.datasourcename | User-ID source that sends the IP (Port)-User Mapping. | keyword | +| panw.panos.datasourcetype | Mechanism used to identify the IP/User mappings within a data source. | keyword | +| panw.panos.description | Additional information for any event that has occurred. | keyword | +| panw.panos.destination.interface | Destination interface for this session. | keyword | +| panw.panos.destination.nat.ip | Post-NAT destination IP. | ip | +| panw.panos.destination.nat.port | Post-NAT destination port. 
| long | +| panw.panos.destination.zone | Destination zone for this session. | keyword | +| panw.panos.destination_vm_uuid | Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment. | keyword | +| panw.panos.device_group_hierarchy1 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. | keyword | +| panw.panos.device_group_hierarchy2 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. | keyword | +| panw.panos.device_group_hierarchy3 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. | keyword | +| panw.panos.device_group_hierarchy4 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. | keyword | +| panw.panos.endreason | The reason a session terminated. | keyword | +| panw.panos.error_code | An integer associated with any errors that occurred. | integer | +| panw.panos.factorcompletiontime | Time the authentication was completed. 
| date | +| panw.panos.factorno | Indicates the use of primary authentication (1) or additional factors (2, 3). | integer | +| panw.panos.factortype | Vendor used to authenticate a user when Multi Factor authentication is present. | keyword | +| panw.panos.file.hash | Binary hash for a threat file sent to be analyzed by the WildFire service. | keyword | +| panw.panos.flow_id | Internal numeric identifier for each session. | keyword | +| panw.panos.http_content_type | Content type of the HTTP response data | keyword | +| panw.panos.http_headers | Indicates the inserted HTTP header in the URL log entries on the firewall. | keyword | +| panw.panos.imei | International Mobile Equipment Identity (IMEI) is a unique 15 or 16 digit number allocated to each mobile station equipment. | keyword | +| panw.panos.imsi | International Mobile Subscriber Identity (IMSI) is a unique number allocated to each mobile subscriber in the GSM/UMTS/EPS system | keyword | +| panw.panos.log_profile | Log Forwarding Profile that was applied to the session. | keyword | +| panw.panos.matchname | Name of the HIP object or profile. | keyword | +| panw.panos.matchtype | Whether the document represents a HIP object or a HIP profile. | keyword | +| panw.panos.network.nat.community_id | Community ID flow-hash for the NAT 5-tuple. | keyword | +| panw.panos.network.pcap_id | Packet capture ID for a threat. | keyword | +| panw.panos.parent_session.id | ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only. | keyword | +| panw.panos.parent_session.start_time | Date that the parent tunnel session began. | date | +| panw.panos.payload_protocol_id | ID of the protocol for the payload in the data portion of the data chunk. 
| keyword | +| panw.panos.priority | The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect. | keyword | +| panw.panos.related_vsys | Virtual System associated with the session. | keyword | +| panw.panos.repeat_count | Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds. | long | +| panw.panos.ruleset | Name of the rule that matched this session. | keyword | +| panw.panos.scp.assoc_id | Number that identifies all connections for an association between two SCTP endpoints. | keyword | +| panw.panos.scp.chunks | Sum of SCTP chunks sent and received for an association. | long | +| panw.panos.scp.chunks_received | Number of SCTP chunks received for an association. | long | +| panw.panos.scp.chunks_sent | Number of SCTP chunks sent for an association. | long | +| panw.panos.selection_type | The connection method that is selected to connect to the gateway. | keyword | +| panw.panos.sequence_number | Log entry identifier that is incremented sequentially. Unique for each log type. | long | +| panw.panos.serial_number | The serial number of the user’s machine or device. | keyword | +| panw.panos.source.interface | Source interface for this session. | keyword | +| panw.panos.source.nat.ip | Post-NAT source IP. | ip | +| panw.panos.source.nat.port | Post-NAT source port. | long | +| panw.panos.source.zone | Source zone for this session. | keyword | +| panw.panos.source_vm_uuid | Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment. | keyword | +| panw.panos.stage | A string showing the stage of the connection. | keyword | +| panw.panos.sub_type | Specifies the sub type of the log. | keyword | +| panw.panos.threat.id | Palo Alto Networks identifier for the threat. | keyword | +| panw.panos.threat.name | Palo Alto Networks name for the threat. 
| keyword | +| panw.panos.threat.resource | URL or file name for a threat. | keyword | +| panw.panos.threat_category | Describes threat categories used to classify different types of threat signatures. | keyword | +| panw.panos.timeout | Timeout after which the IP/User Mappings are cleared. | integer | +| panw.panos.tunnel_type | Type of tunnel, such as GRE or IPSec. | keyword | +| panw.panos.type | Specifies the type of the log. | keyword | +| panw.panos.ugflags | Displays whether the user group that was found during user group mapping. Supported values are: User Group Found—Indicates whether the user could be mapped to a group. Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found. | keyword | +| panw.panos.url.category | For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. | keyword | +| panw.panos.url_idx | When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session. | keyword | +| panw.panos.virtual_sys | Virtual System associated with the HIP match log. | keyword | +| panw.panos.vsys_id | A unique identifier for a virtual system on a Palo Alto Networks firewall. | keyword | +| panw.panos.vsys_name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. | keyword | +| panw.panos.wildfire.name | Displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis. | keyword | +| panw.panos.wildfire.report_id | Identifies the analysis request on the WildFire cloud or the WildFire appliance. 
| keyword | +| panw.panos.wildfire_name | Displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | +| server.packets | Packets sent from the server to the client. | long | +| server.port | Port of the server. | long | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| syslog.facility | Syslog numeric facility of the event. 
| long | +| syslog.facility_label | Syslog text-based facility of the event. | keyword | +| syslog.priority | Syslog priority of the event. | long | +| syslog.severity_label | Syslog text-based severity of the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + diff --git a/packages/panw/1.5.3/img/filebeat-panw-threat.png b/packages/panw/1.5.3/img/filebeat-panw-threat.png new file mode 100755 index 0000000000..46959b21a7 Binary files /dev/null and b/packages/panw/1.5.3/img/filebeat-panw-threat.png differ diff --git a/packages/panw/1.5.3/img/filebeat-panw-traffic.png b/packages/panw/1.5.3/img/filebeat-panw-traffic.png new file mode 100755 index 0000000000..ef9d5f706e Binary files /dev/null and b/packages/panw/1.5.3/img/filebeat-panw-traffic.png differ diff --git a/packages/panw/1.5.3/img/logo-integrations-paloalto-networks.svg b/packages/panw/1.5.3/img/logo-integrations-paloalto-networks.svg new file mode 100755 index 0000000000..8c8e71ae0d --- /dev/null +++ b/packages/panw/1.5.3/img/logo-integrations-paloalto-networks.svg @@ -0,0 +1,29 @@ + + + logo-integrations-Desktop HD + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/dashboard/panw-772964e0-7591-11e9-aacf-79a3704914a0.json b/packages/panw/1.5.3/kibana/dashboard/panw-772964e0-7591-11e9-aacf-79a3704914a0.json new file mode 100755 index 0000000000..c81edc25e1 --- /dev/null 
+++ b/packages/panw/1.5.3/kibana/dashboard/panw-772964e0-7591-11e9-aacf-79a3704914a0.json 
@@ -0,0 +1,54 @@ +{ + "attributes": { + "description": "Palo Alto Networks PAN-OS Threats Overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":31,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Threat outcome histogram\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Top threats by name\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Top threats by resource\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Top attackers (clients)\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"title\":\"Top attackers (servers)\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Outcome by threat type\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs PANW] Threats Overview", + "version": 1 + }, + "id": "panw-772964e0-7591-11e9-aacf-79a3704914a0", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "panw-0bd2a0c0-7574-11e9-976e-65a8f47cc4c1", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "panw-3eca1070-7589-11e9-aacf-79a3704914a0", + "name": 
"panel_1", + "type": "visualization" + }, + { + "id": "panw-5bd32b20-7575-11e9-976e-65a8f47cc4c1", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "panw-90ce3300-758a-11e9-aacf-79a3704914a0", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "panw-a95aaf20-758a-11e9-aacf-79a3704914a0", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "panw-6dce7930-758c-11e9-aacf-79a3704914a0", + "name": "panel_5", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/dashboard/panw-e40ba240-7572-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/dashboard/panw-e40ba240-7572-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..a32d7389da --- /dev/null +++ b/packages/panw/1.5.3/kibana/dashboard/panw-e40ba240-7572-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,59 @@ +{ + "attributes": { + "description": "Palo Alto Networks PAN-OS Networks Overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs PANW] Network Flows", + "version": 1 + }, + "id": "panw-e40ba240-7572-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "panw-091fe860-756a-11e9-976e-65a8f47cc4c1", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "panw-87f30f60-7569-11e9-976e-65a8f47cc4c1", + "name": "panel_1", + "type": "visualization" + }, + { + "id": 
"panw-78e7e820-756d-11e9-976e-65a8f47cc4c1", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "panw-d9cab170-756f-11e9-976e-65a8f47cc4c1", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "panw-135930b0-7570-11e9-976e-65a8f47cc4c1", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "panw-e46331c0-756a-11e9-976e-65a8f47cc4c1", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "panw-0407a3e0-756f-11e9-976e-65a8f47cc4c1", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/search/panw-290685e0-7569-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/search/panw-290685e0-7569-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..d7fb6ab477 --- /dev/null +++ b/packages/panw/1.5.3/kibana/search/panw-290685e0-7569-11e9-976e-65a8f47cc4c1.json @@ -0,0 +1,35 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"panw.panos\\\" and event.category: \\\"network_traffic\\\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "PAN-OS Flows [Logs PANW]", + "version": 1 + }, + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/search/panw-3cea1360-7569-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/search/panw-3cea1360-7569-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..a31af33629 
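Review bot: The saved search's KQL pins the Flows result set to `event.category: "network_traffic"`, and the panw-3cea1360 search in the next hunk does the same with `event.category: "security_threat"`, while the README table in this same diff documents `event.category` as an ECS categorization field — and neither string is among the ECS-published allowed values (`network`, `intrusion_detection`, …). The visualizations further down bind to these searches through `savedSearchRefName`, so if the ingest pipeline is ever aligned to the ECS vocabulary, the Threats and Network Flows dashboards would silently go empty rather than fail loudly. I can't see the pipeline from this diff, so the values may well be what it emits today; if so, it is worth stating that next to the `event.category` field description so analysts writing detections don't assume the ECS list, e.g. `This integration emits the dataset-specific values network_traffic (PAN-OS Flows) and security_threat (PAN-OS Threats).`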
--- /dev/null +++ b/packages/panw/1.5.3/kibana/search/panw-3cea1360-7569-11e9-976e-65a8f47cc4c1.json @@ -0,0 +1,35 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"panw.panos\\\" and event.category: \\\"security_threat\\\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "PAN-OS Threats [Logs PANW]", + "version": 1 + }, + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/visualization/panw-0407a3e0-756f-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/visualization/panw-0407a3e0-756f-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..c2b9065cc7 --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-0407a3e0-756f-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Network Application breakout [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"network.application\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Network Application breakout [Logs PANW]\",\"type\":\"pie\"}" + }, + "id": "panw-0407a3e0-756f-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/visualization/panw-091fe860-756a-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/visualization/panw-091fe860-756a-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..a7f340853b --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-091fe860-756a-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Flows Map [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"destination.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"title\":\"Destination Flows Map [Logs PANW]\",\"type\":\"tile_map\"}" + }, + "id": "panw-091fe860-756a-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/visualization/panw-0bd2a0c0-7574-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/visualization/panw-0bd2a0c0-7574-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..5dc2b7b64b --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-0bd2a0c0-7574-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Threat outcome histogram [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"2018-04-10T04:36:19.586Z\",\"to\":\"2018-04-10T04:39:56.264Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Threat outcome histogram [Logs PANW]\",\"type\":\"histogram\"}" + }, + 
"id": "panw-0bd2a0c0-7574-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/visualization/panw-135930b0-7570-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/visualization/panw-135930b0-7570-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..6c2bd5de22 --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-135930b0-7570-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,33 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":true,\"params\":{\"query\":\"flow_started\"},\"type\":\"phrase\",\"value\":\"flow_started\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"flow_started\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Zone breakout [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"panw.panos.destination.zone\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{
\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Destination Zone breakout [Logs PANW]\",\"type\":\"horizontal_bar\"}" + }, + "id": "panw-135930b0-7570-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/visualization/panw-3eca1070-7589-11e9-aacf-79a3704914a0.json b/packages/panw/1.5.3/kibana/visualization/panw-3eca1070-7589-11e9-aacf-79a3704914a0.json new file mode 100755 index 0000000000..1a927eb50f --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-3eca1070-7589-11e9-aacf-79a3704914a0.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Threat ID Cloud [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"panw.panos.threat.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Threat ID Cloud [Logs PANW]\",\"type\":\"tagcloud\"}" + }, + "id": "panw-3eca1070-7589-11e9-aacf-79a3704914a0", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/visualization/panw-5bd32b20-7575-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/visualization/panw-5bd32b20-7575-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..25c62db7b9 --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-5bd32b20-7575-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Threat Resource Cloud [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Threat Resource Cloud [Logs PANW]\",\"type\":\"tagcloud\"}" + }, + "id": "panw-5bd32b20-7575-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/visualization/panw-6dce7930-758c-11e9-aacf-79a3704914a0.json b/packages/panw/1.5.3/kibana/visualization/panw-6dce7930-758c-11e9-aacf-79a3704914a0.json new file mode 100755 index 0000000000..ae6119a545 --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-6dce7930-758c-11e9-aacf-79a3704914a0.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Outcome by Threat Type [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Outcome by Threat Type [Logs PANW]\",\"type\":\"pie\"}" + }, + "id": "panw-6dce7930-758c-11e9-aacf-79a3704914a0", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/visualization/panw-78e7e820-756d-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/visualization/panw-78e7e820-756d-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..7345df9581 --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-78e7e820-756d-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,33 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":true,\"params\":{\"query\":\"flow_terminated\"},\"type\":\"phrase\",\"value\":\"flow_terminated\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"flow_terminated\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Flow Creation Histogram [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"2018-04-10T04:36:19.586Z\",\"to\":\"2018-04-10T04:39:56.264Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"
histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Flow Creation Histogram [Logs PANW]\",\"type\":\"histogram\"}" + }, + "id": "panw-78e7e820-756d-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/visualization/panw-87f30f60-7569-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/visualization/panw-87f30f60-7569-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..5949ed514b --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-87f30f60-7569-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Source Flows Map [Logs PANW]", + "uiStateJSON": "{\"mapCenter\":[-0.17578097424708533,0.17578125],\"mapZoom\":1}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"title\":\"Source Flows Map [Logs PANW]\",\"type\":\"tile_map\"}" + }, + "id": "panw-87f30f60-7569-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/visualization/panw-90ce3300-758a-11e9-aacf-79a3704914a0.json b/packages/panw/1.5.3/kibana/visualization/panw-90ce3300-758a-11e9-aacf-79a3704914a0.json new file mode 100755 index 0000000000..de6cb29412 --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-90ce3300-758a-11e9-aacf-79a3704914a0.json 
@@ -0,0 +1,33 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.direction\",\"negate\":false,\"params\":{\"query\":\"inbound\"},\"type\":\"phrase\",\"value\":\"inbound\"},\"query\":{\"match\":{\"network.direction\":{\"query\":\"inbound\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top attackers (clients) [Logs PANW]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top attackers (clients) [Logs PANW]\",\"type\":\"table\"}" + }, + "id": "panw-90ce3300-758a-11e9-aacf-79a3704914a0", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/panw/1.5.3/kibana/visualization/panw-a95aaf20-758a-11e9-aacf-79a3704914a0.json b/packages/panw/1.5.3/kibana/visualization/panw-a95aaf20-758a-11e9-aacf-79a3704914a0.json new file mode 100755 index 0000000000..4435add506 --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-a95aaf20-758a-11e9-aacf-79a3704914a0.json 
@@ -0,0 +1,33 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.direction\",\"negate\":false,\"params\":{\"query\":\"outbound\"},\"type\":\"phrase\",\"value\":\"outbound\"},\"query\":{\"match\":{\"network.direction\":{\"query\":\"outbound\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top attackers (servers) [Logs PANW]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"server.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top attackers (servers) [Logs PANW]\",\"type\":\"table\"}" + }, + "id": "panw-a95aaf20-758a-11e9-aacf-79a3704914a0", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "panw-3cea1360-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/panw/1.5.3/kibana/visualization/panw-d9cab170-756f-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/visualization/panw-d9cab170-756f-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..accf3b0b02 --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-d9cab170-756f-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,33 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":true,\"params\":{\"query\":\"flow_started\"},\"type\":\"phrase\",\"value\":\"flow_started\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"flow_started\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Source Zone breakout [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"panw.panos.source.zone\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"V
alueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Source Zone breakout [Logs PANW]\",\"type\":\"horizontal_bar\"}" + }, + "id": "panw-d9cab170-756f-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/panw/1.5.3/kibana/visualization/panw-e46331c0-756a-11e9-976e-65a8f47cc4c1.json b/packages/panw/1.5.3/kibana/visualization/panw-e46331c0-756a-11e9-976e-65a8f47cc4c1.json new file mode 100755 index 0000000000..581437c4e0 --- /dev/null +++ b/packages/panw/1.5.3/kibana/visualization/panw-e46331c0-756a-11e9-976e-65a8f47cc4c1.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Event Outcome by Transport and Destination Port [Logs PANW]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event Outcome by Transport and Destination Port [Logs PANW]\",\"type\":\"pie\"}" + }, + "id": "panw-e46331c0-756a-11e9-976e-65a8f47cc4c1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "panw-290685e0-7569-11e9-976e-65a8f47cc4c1", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/panw/1.5.3/manifest.yml b/packages/panw/1.5.3/manifest.yml
new file mode 100755
index 0000000000..6c6ee9d7b9
--- /dev/null
+++ b/packages/panw/1.5.3/manifest.yml
@@ -0,0 +1,62 @@
+name: panw
+title: Palo Alto Networks Logs
+version: 1.5.3
+release: ga
+description: Collect PAN-OS firewall monitoring logs from Palo Alto Networks devices with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: ^7.16.0 || ^8.0.0
+icons:
+ - src: /img/logo-integrations-paloalto-networks.svg
+ title: Palo Alto Networks
+ size: 216x216
+ type: image/svg+xml
+screenshots:
+ - src: /img/filebeat-panw-traffic.png
+ title: Traffic Dashboard
+ size: 2546x2888
+ type: image/png
+ - src: /img/filebeat-panw-threat.png
+ title: Threat Dashboard
+ size: 2546x2496
+ type: image/png
+policy_templates:
+ - name: panw
+ title: Palo Alto Networks PAN-OS firewall logs
+ description: Collect logs from Palo Alto Networks PAN-OS firewall
+ inputs:
+ - type: syslog
+ title: "Collect logs via syslog"
+ description: "Collecting logs via syslog"
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - type: logfile
+ title: "Collect logs via log file"
+ description: "Collecting logs via log file"
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/pan-os.log
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/snyk/1.1.2/changelog.yml b/packages/snyk/1.1.2/changelog.yml
new file mode 100755
index 0000000000..dc35476d60
--- /dev/null
+++ b/packages/snyk/1.1.2/changelog.yml
@@ -0,0 +1,21 @@
+# newer versions go on top
+- version: "1.1.2"
+ changes:
+ - description: Fix typo in config template for ignoring host enrichment
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3092
+- version: "1.1.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2439
+- version: "1.0.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2162
diff --git a/packages/snyk/1.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/snyk/1.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..c54c15ed13
--- /dev/null
+++ b/packages/snyk/1.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,63 @@
+config_version: 2
+interval: {{interval}}
+request.url: {{url}}/{{audit_type}}/{{audit_id}}/audit?page=1&sortOrder=ASC
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Authorization
+ value: token {{ api_token }}
+- set:
+ target: url.params.to
+ value: '[[ formatDate (now) "2006-01-02" ]]'
+- set:
+ target: url.params.from
+ value: '[[ formatDate (now (parseDuration .cursor.interval)) "2006-01-02" ]]'
+ default: '[[ formatDate (now (parseDuration "-{{ first_interval }}")) "2006-01-02" ]]'
+cursor:
+ interval:
+ value: "-24h"
+
+request.body:
+ filters:
+{{#if userId }}
+ userId: {{ userId }}
+{{/if}}
+{{#if email_address }}
+ email: {{ email_address }}
+{{/if}}
+{{#if event }}
+ event: {{ event }}
+{{/if}}
+{{#if project_id }}
+ project_id: {{ project_id }}
+{{/if}}
+
+response.request_body_on_pagination: true
+response.pagination:
+- set:
+ target: url.params.page
+ value: '[[add .last_response.page 1]]'
+ fail_on_template_error: true
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/snyk/1.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/snyk/1.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..6d270f919b
--- /dev/null
+++ b/packages/snyk/1.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
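Review bot: `value: token {{ api_token }}` on the Authorization transform and the four `request.body.filters` entries (`userId`, `email`, `event`, `project_id`) are unquoted templated scalars, so the rendered YAML retypes a value that looks like a number or boolean, truncates one containing ` #`, and an empty `api_token` silently renders as the bare string `token`. Quote them, e.g. `value: 'token {{ api_token }}'` and `userId: '{{ userId }}'`, so the header and filter values reach the API byte-for-byte and a malformed token fails visibly at the API rather than at YAML parse time. The token is also written into the agent policy as plain text; the snyk manifest is not in this hunk, so confirm `api_token` is declared there with `type: password` so Fleet masks it in the UI.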
@@ -0,0 +1,90 @@ +--- +description: Pipeline for Snyk Audit logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: ecs.version + value: 8.0.0 +- rename: + field: message + target_field: event.original +- json: + field: event.original + target_field: json +- fingerprint: + fields: + - json.orgId + - json.created + - json.event + target_field: _id +- rename: + field: json + target_field: snyk.audit + ignore_missing: true +- rename: + field: snyk.audit.groupId + target_field: user.group.id + ignore_missing: true +- rename: + field: snyk.audit.orgId + target_field: snyk.audit.org_id + ignore_missing: true +- rename: + field: snyk.audit.projectId + target_field: snyk.audit.project_id + ignore_missing: true +- rename: + field: snyk.audit.userId + target_field: user.id + ignore_missing: true +- rename: + field: snyk.audit.event + target_field: event.action + ignore_missing: true +- date: + field: snyk.audit.created + target_field: "@timestamp" + formats: + - "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- remove: + field: + - snyk.audit.created + - message + - json + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/snyk/1.1.2/data_stream/audit/fields/agent.yml b/packages/snyk/1.1.2/data_stream/audit/fields/agent.yml new file mode 100755 index 0000000000..4d9a6f7b36 --- /dev/null +++ b/packages/snyk/1.1.2/data_stream/audit/fields/agent.yml 
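Review bot: The `on_failure` handler at the end of this pipeline records `error.message` but leaves the document otherwise unmarked, so an event that failed in the `json` or `date` processor is indexed with a missing or wrong `@timestamp` and is hard to find afterwards; adding `- set: field: event.kind value: pipeline_error` next to the existing `set` makes such documents queryable, and the same applies to the vulnerabilities pipeline in this commit. The `date` processor accepts only `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'`, so a timestamp with a different fraction precision or offset aborts the whole pipeline; adding `ISO8601` as a second entry in `formats` is a cheap fallback (whether the Snyk API varies here is not visible from the hunk). The `fingerprint` that builds `_id` uses only `json.orgId`, `json.created` and `json.event`, so two events of the same kind in the same organization with an identical millisecond `created` stamp (a bulk action, for instance) would collide and the second would overwrite the first; including `json.userId` and, if present, `json.projectId` or `json.content` narrows that window, assuming those fields are stable per event.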
@@ -0,0 +1,114 @@ +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). 
+ example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/snyk/1.1.2/data_stream/audit/fields/base-fields.yml b/packages/snyk/1.1.2/data_stream/audit/fields/base-fields.yml new file mode 100755 index 0000000000..66c5548b5d --- /dev/null +++ b/packages/snyk/1.1.2/data_stream/audit/fields/base-fields.yml 
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: snyk
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: snyk.audit
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/snyk/1.1.2/data_stream/audit/fields/beats.yml b/packages/snyk/1.1.2/data_stream/audit/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/snyk/1.1.2/data_stream/audit/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/snyk/1.1.2/data_stream/audit/fields/ecs.yml b/packages/snyk/1.1.2/data_stream/audit/fields/ecs.yml
new file mode 100755
index 0000000000..8ce59eaff0
--- /dev/null
+++ b/packages/snyk/1.1.2/data_stream/audit/fields/ecs.yml
@@ -0,0 +1,27 @@ +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword diff --git a/packages/snyk/1.1.2/data_stream/audit/fields/fields.yml b/packages/snyk/1.1.2/data_stream/audit/fields/fields.yml new file mode 100755 index 0000000000..8af2e4fe1e --- /dev/null +++ b/packages/snyk/1.1.2/data_stream/audit/fields/fields.yml 
@@ -0,0 +1,21 @@ +- name: snyk.audit + type: group + description: > + Snyk audit logs. + + fields: + - name: org_id + type: keyword + description: > + ID of the related Organization related to the event. + + - name: project_id + type: keyword + description: > + ID of the project related to the event. + + - name: content + type: flattened + description: > + Overview of the content that was changed, both old and new values. + diff --git a/packages/snyk/1.1.2/data_stream/audit/fields/package-fields.yml b/packages/snyk/1.1.2/data_stream/audit/fields/package-fields.yml new file mode 100755 index 0000000000..a6f1fda959 --- /dev/null +++ b/packages/snyk/1.1.2/data_stream/audit/fields/package-fields.yml @@ -0,0 +1,17 @@ +- name: snyk + type: group + release: beta + description: > + Module for parsing Snyk project vulnerabilities. + + fields: + - name: projects + type: flattened + description: > + Array with all related projects objects. + + - name: related.projects + type: keyword + description: > + Array of all the related project ID's. + diff --git a/packages/snyk/1.1.2/data_stream/audit/manifest.yml b/packages/snyk/1.1.2/data_stream/audit/manifest.yml new file mode 100755 index 0000000000..c6a1c5241a --- /dev/null +++ b/packages/snyk/1.1.2/data_stream/audit/manifest.yml 
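Review bot: The `org_id` description in fields.yml reads `ID of the related Organization related to the event.`, a doubled "related"; `ID of the organization related to the event.` says the same thing. In package-fields.yml under the audit data stream the `snyk` group is described as `Module for parsing Snyk project vulnerabilities.` and declares `projects`/`related.projects`, which the audit ingest pipeline in this commit never populates — this looks copied from the vulnerabilities stream, and a description such as `Fields shared by the Snyk data streams.` would fit both. These descriptions are shown to users in the Kibana field list, so they are worth fixing before release.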
@@ -0,0 +1,97 @@ +title: "Collect Snyk Audit Logs" +type: logs +streams: + - input: httpjson + title: "Collect Snyk Audit Logs" + description: "Collect Snyk Audit Logs via the Snyk API" + enabled: true + template_path: httpjson.yml.hbs + vars: + - name: audit_type + type: text + title: Audit Log Type + description: Type of Audit logs; "org" or "group" + multi: false + show_user: true + required: true + default: org + - name: audit_id + type: text + title: Group/Org ID + description: The ID of the Snyk group or organization + multi: false + show_user: true + required: true + default: "" + - name: userId + type: text + title: User ID Filter + description: User ID on which to filter events + multi: false + show_user: true + required: false + default: "" + - name: email_address + type: text + title: Email Address Filter + description: Email Address on which to filter events + multi: false + show_user: true + required: false + default: "" + - name: event + type: text + title: Event ID Filter + description: Event ID on which to filter events + multi: false + show_user: true + required: false + default: "" + - name: project_id + type: text + title: Project ID Filter + description: Project ID on which to filter events + multi: false + show_user: true + required: false + default: "" + - name: interval + type: text + title: Interval to query Snyk Events API + description: Go Duration syntax (eg. 10s) + multi: false + show_user: false + required: true + default: 10s + - name: first_interval + type: text + title: Initial interval to query Snyk Events API + description: Go Duration syntax (eg. 
10s) + multi: false + show_user: false + required: true + default: 720h + - name: tags + type: text + title: Tags + multi: true + show_user: false + default: + - forwarded + - snyk-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/snyk/1.1.2/data_stream/audit/sample_event.json b/packages/snyk/1.1.2/data_stream/audit/sample_event.json new file mode 100755 index 0000000000..619144daf7 --- /dev/null +++ b/packages/snyk/1.1.2/data_stream/audit/sample_event.json 
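Review bot: `audit_type` is a free `text` variable although the template only forms a valid endpoint for `org` or `group`; any other value is sent to Snyk unchanged and surfaces only as HTTP errors in the agent log. If the package-spec version this package targets supports it, a `type: select` with `options` for the two values validates this in the policy editor; otherwise the description should at least state that only those two values are accepted. `audit_id` is `required: true` with `default: ""`, which is acceptable, but its description could say which ID is expected for each `audit_type`. The `first_interval` description `Go Duration syntax (eg. 10s)` was copied from `interval` and disagrees with its own `720h` default; `Go Duration syntax (eg. 720h)` avoids the confusion.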
@@ -0,0 +1,57 @@ +{ + "@timestamp": "2020-11-11T21:00:00.000Z", + "agent": { + "ephemeral_id": "d625d71f-f6c0-4b21-a59c-8e6c6ca1cfa1", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "snyk.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "org.user.invite", + "agent_id_status": "verified", + "created": "2022-01-02T10:21:09.808Z", + "dataset": "snyk.audit", + "ingested": "2022-01-02T10:21:10Z", + "original": "{\"content\":{\"email\":\"someone@snyk.io\",\"isAdmin\":false},\"created\":\"2020-11-11T21:00:00.000Z\",\"event\":\"org.user.invite\",\"groupId\":\"groupid123test-543123-54312sadf-123ad\",\"orgId\":\"orgid123test-5643asd234-asdfasdf\",\"projectId\":null,\"userId\":\"userid123test-234sdfa2-423sdfa-2134\"}" + }, + "host": { + "name": "docker-fleet-agent" + }, + "input": { + "type": "httpjson" + }, + "snyk": { + "audit": { + "content": { + "email": "someone@snyk.io", + "isAdmin": false + }, + "org_id": "orgid123test-5643asd234-asdfasdf" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "snyk-audit" + ], + "user": { + "group": { + "id": "groupid123test-543123-54312sadf-123ad" + }, + "id": "userid123test-234sdfa2-423sdfa-2134" + } +} \ No newline at end of file diff --git a/packages/snyk/1.1.2/data_stream/vulnerabilities/agent/stream/httpjson.yml.hbs b/packages/snyk/1.1.2/data_stream/vulnerabilities/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..3a97ccd1d0 --- /dev/null +++ b/packages/snyk/1.1.2/data_stream/vulnerabilities/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,92 @@ +config_version: 2 +interval: {{ interval }} +request.url: {{ url }}/reporting/issues/?page=1&perPage=10&sortBy=issueTitle&order=asc&groupBy=issue +request.method: POST +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: +- set: + target: header.Authorization + value: token {{ api_token }} +- set: + target: url.params.to + value: '[[ formatDate (now) "2006-01-02" ]]' +- set: + target: url.params.from + value: '[[ formatDate (now (parseDuration .cursor.interval)) "2006-01-02" ]]' + default: '[[ formatDate (now (parseDuration "-{{ first_interval }}")) "2006-01-02" ]]' +cursor: + interval: + value: "-24h" +request.timeout: 120s + +request.body: + filters: + orgs: +{{#each orgs as |org i|}} + - {{org}} +{{/each}} + severity: +{{#each severity as |sev i|}} + - {{sev}} +{{/each}} + exploitMaturity: +{{#each exploit_maturity as |mat i|}} + - {{mat}} +{{/each}} + types: +{{#each types as |type i|}} + - {{type}} +{{/each}} + languages: +{{#each languages as |lang i|}} + - {{lang}} +{{/each}} + projects: +{{#each projects as |proj i|}} + - {{proj}} +{{/each}} + identifier: {{ identifier }} + ignored: {{ ignored }} + patched: {{ patched }} + fixable: {{ fixable }} + isFixed: {{ is_fixed }} + isUpgradable: {{ is_upgradeable }} + isPatchable: {{ is_patchable }} + isPinnable: {{ is_pinnable }} + priorityScore: + min: {{ min_priority_score }} + max: {{ max_priority_score }} + +response.request_body_on_pagination: true +response.pagination: +- set: + target: url.params.page + value: '[[add .last_response.page 1]]' + fail_on_template_error: true + +response.split: + target: body.results + + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if 
processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/snyk/1.1.2/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml b/packages/snyk/1.1.2/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..6e74a8330d --- /dev/null +++ b/packages/snyk/1.1.2/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml 
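Review bot: `request.timeout` is emitted twice in this template: once inside `{{#if http_client_timeout}}` near the top and again unconditionally as `request.timeout: 120s` after the `cursor` block, so when an operator sets `http_client_timeout` the rendered YAML contains a duplicate key and most loaders silently keep the last one (`120s`), discarding the configured value. Adding `{{else}}` and `request.timeout: 120s` before the existing `{{/if}}` and deleting the later unconditional line keeps the 120s default without the override. As in the audit stream, the substituted filter values (`identifier`, `priorityScore.min`/`max`) are unquoted, so an empty `min_priority_score` renders as `min:`, which is YAML null rather than an absent key — whether the Snyk API tolerates that is not visible from the hunk.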
@@ -0,0 +1,203 @@ +--- +description: Pipeline for Snyk vulnerability logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: ecs.version + value: 8.0.0 +- rename: + field: message + target_field: event.original +- json: + field: event.original + target_field: json +- fingerprint: + fields: + - json.issue.id + target_field: _id +- set: + field: vulnerability.classification + value: CVSS +- set: + field: vulnerability.category + value: Github +- set: + field: vulnerability.scanner.vendor + value: Snyk +- rename: + field: json + target_field: snyk + ignore_missing: true +- rename: + field: snyk.issue + target_field: snyk.vulnerabilities + ignore_missing: true +- set: + field: vulnerability.score.version + value: "3.0" +- set: + field: vulnerability.enumeration + value: CVE + if: ctx?.snyk?.vulnerabilities?.identifiers?.CVE != null +- set: + field: vulnerability.enumeration + value: SNYK + if: ctx?.snyk?.vulnerabilities?.identifiers?.CVE == null && ctx?.snyk?.vulnerabilities?.identifiers?.ALTERNATIVE != null +- rename: + field: snyk.vulnerabilities.description + target_field: vulnerability.description + ignore_missing: true +- rename: + field: snyk.vulnerabilities.identifiers.CVE + target_field: vulnerability.id + ignore_missing: true + if: ctx?.snyk?.vulnerabilities?.identifiers?.CVE != null +- rename: + field: snyk.vulnerabilities.identifiers.ALTERNATIVE + target_field: vulnerability.id + ignore_missing: true + if: ctx?.vulnerability?.id == null && ctx?.snyk?.vulnerabilities?.identifiers?.ALTERNATIVE != null +- convert: + field: snyk.vulnerabilities.cvssScore + target_field: vulnerability.score.base + type: float + ignore_missing: true +- rename: + field: snyk.vulnerabilities.severity + target_field: vulnerability.severity + ignore_missing: true +- rename: + field: snyk.vulnerabilities.CVSSv3 + target_field: snyk.vulnerabilities.cvss3 + ignore_missing: true +- rename: + field: snyk.vulnerabilities.disclosureTime + 
target_field: snyk.vulnerabilities.disclosure_time + ignore_missing: true +- rename: + field: snyk.vulnerabilities.exploitMaturity + target_field: snyk.vulnerabilities.exploit_maturity + ignore_missing: true +- rename: + field: snyk.vulnerabilities.identifiers.ALTERNATIVE + target_field: snyk.vulnerabilities.identifiers.alternative + ignore_missing: true +- rename: + field: snyk.vulnerabilities.identifiers.CWE + target_field: snyk.vulnerabilities.identifiers.cwe + ignore_missing: true +- rename: + field: snyk.vulnerabilities.isIgnored + target_field: snyk.vulnerabilities.is_ignored + ignore_missing: true +- rename: + field: snyk.vulnerabilities.isPatchable + target_field: snyk.vulnerabilities.is_patchable + ignore_missing: true +- rename: + field: snyk.vulnerabilities.isPatched + target_field: snyk.vulnerabilities.is_patched + ignore_missing: true +- rename: + field: snyk.vulnerabilities.isPinnable + target_field: snyk.vulnerabilities.is_pinnable + ignore_missing: true +- rename: + field: snyk.vulnerabilities.isUpgradable + target_field: snyk.vulnerabilities.is_upgradable + ignore_missing: true +- rename: + field: snyk.vulnerabilities.priorityScore + target_field: snyk.vulnerabilities.priority_score + ignore_missing: true +- rename: + field: snyk.vulnerabilities.publicationTime + target_field: snyk.vulnerabilities.publication_time + ignore_missing: true +- rename: + field: snyk.vulnerabilities.uniqueSeveritiesList + target_field: snyk.vulnerabilities.unique_severities_list + ignore_missing: true +- rename: + field: snyk.vulnerabilities.packageManager + target_field: snyk.vulnerabilities.package_manager + ignore_missing: true +- rename: + field: snyk.vulnerabilities.jiraIssueUrl + target_field: snyk.vulnerabilities.jira_issue_url + ignore_missing: true +- rename: + field: snyk.vulnerabilities.originalSeverity + target_field: snyk.vulnerabilities.original_severity + ignore_missing: true +- rename: + field: snyk.isFixed + target_field: snyk.vulnerabilities.is_fixed + 
ignore_missing: true +- rename: + field: snyk.introducedDate + target_field: snyk.vulnerabilities.introduced_date + ignore_missing: true +- rename: + field: snyk.vulnerabilities.url + target_field: vulnerability.reference + ignore_missing: true +- foreach: + field: snyk.vulnerabilities.patches + processor: + rename: + field: "{{ _ingest._value.modificationTime }}" + target_field: "{{ _ingest._value.modification_time }}" + ignore_missing: true + ignore_failure: true + if: ctx?.snyk?.vulnerabilities?.patches != null +- foreach: + field: snyk.projects + processor: + append: + field: snyk.related.projects + value: "{{_ingest._value.name }}" + ignore_failure: true + ignore_failure: true + if: ctx?.snyk?.projects != null +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- remove: + field: + - message + - snyk.vulnerabilities.cvssScore + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/agent.yml b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/agent.yml new file mode 100755 index 0000000000..4d9a6f7b36 
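Review bot: The `foreach` over `snyk.vulnerabilities.patches` cannot do what its name suggests: the inner `rename` uses `field: "{{ _ingest._value.modificationTime }}"`, which resolves to the *value* of `modificationTime` (a timestamp string) as the field name, and `target_field: "{{ _ingest._value.modification_time }}"` resolves to an empty name, so every iteration is a no-op silently swallowed by `ignore_missing`/`ignore_failure`. The intended form is `field: _ingest._value.modificationTime` and `target_field: _ingest._value.modification_time`, without the mustache braces. The `snyk.projects` loop appends `{{_ingest._value.name }}` to `snyk.related.projects`, while package-fields.yml documents that field as an array of project IDs — either the description or the appended value should change. `vulnerability.category` is hard-coded to `Github` and `vulnerability.score.version` to `"3.0"` regardless of the issue's source or whether `CVSSv3` is present; if Snyk reports issues from other sources these become wrong constants, though the API shape is not visible from the hunk.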
--- /dev/null
+++ b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/agent.yml
@@ -0,0 +1,114 @@ +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). 
+ example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/base-fields.yml b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/base-fields.yml new file mode 100755 index 0000000000..d3c9c6490e --- /dev/null +++ b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/base-fields.yml 
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: snyk
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: snyk.vulnerabilities
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/beats.yml b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/ecs.yml b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/ecs.yml
new file mode 100755
index 0000000000..4e8baa44e0
--- /dev/null
+++ b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/ecs.yml
@@ -0,0 +1,60 @@ +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: |- + The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) + This field must be an array. + name: vulnerability.category + type: keyword +- description: The classification of the vulnerability scoring system. 
For example (https://www.first.org/cvss/) + name: vulnerability.classification + type: keyword +- description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) + name: vulnerability.enumeration + type: keyword +- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + name: vulnerability.id + type: keyword +- description: A resource that provides additional information, context, and mitigations for the identified vulnerability. + name: vulnerability.reference + type: keyword +- description: The name of the vulnerability scanner vendor. + name: vulnerability.scanner.vendor + type: keyword +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.base + type: float +- description: |- + The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.score.version + type: keyword +- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. 
For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.severity + type: keyword diff --git a/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/fields.yml b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/fields.yml new file mode 100755 index 0000000000..98b7a315e2 --- /dev/null +++ b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/fields.yml 
@@ -0,0 +1,146 @@
+- name: snyk.vulnerabilities
+ type: group
+ description: >
+ Module for parsing Snyk project vulnerabilities.
+
+ fields:
+ - name: cvss3
+ type: keyword
+ description: >
+ CSSv3 scores.
+
+ - name: disclosure_time
+ type: date
+ description: >
+ The time this vulnerability was originally disclosed to the package maintainers.
+
+ - name: exploit_maturity
+ type: keyword
+ description: >
+ The Snyk exploit maturity level.
+
+ - name: id
+ type: keyword
+ description: >
+ The vulnerability reference ID.
+
+ - name: is_ignored
+ type: boolean
+ description: >
+ If the vulnerability report has been ignored.
+
+ - name: is_patchable
+ type: boolean
+ description: >
+ If vulnerability is fixable by using a Snyk supplied patch.
+
+ - name: is_patched
+ type: boolean
+ description: >
+ If the vulnerability has been patched.
+
+ - name: is_pinnable
+ type: boolean
+ description: >
+ If the vulnerability is fixable by pinning a transitive dependency.
+
+ - name: is_upgradable
+ type: boolean
+ description: >
+ If the vulnerability fixable by upgrading a dependency.
+
+ - name: language
+ type: keyword
+ description: >
+ The package's programming language.
+
+ - name: package
+ type: keyword
+ description: >
+ The package identifier according to its package manager.
+
+ - name: package_manager
+ type: keyword
+ description: >
+ The package manager.
+
+ - name: patches
+ type: flattened
+ description: >
+ Patches required to resolve the issue created by Snyk.
+
+ - name: priority_score
+ type: long
+ description: >
+ The CVS priority score.
+
+ - name: publication_time
+ type: date
+ description: >
+ The vulnerability publication time.
+
+ - name: jira_issue_url
+ type: keyword
+ description: >
+ Link to the related Jira issue.
+
+ - name: original_severity
+ type: long
+ description: >
+ The original severity of the vulnerability.
+
+ - name: reachability
+ type: keyword
+ description: >
+ If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable.
+
+ - name: title
+ type: keyword
+ description: >
+ The issue title.
+
+ - name: type
+ type: keyword
+ description: >
+ The issue type. Can be either "license" or "vulnerability".
+
+ - name: unique_severities_list
+ type: keyword
+ description: >
+ A list of related unique severities.
+
+ - name: version
+ type: keyword
+ description: >
+ The package version this issue is applicable to.
+
+ - name: introduced_date
+ type: date
+ description: >
+ The date the vulnerability was initially found.
+
+ - name: is_fixed
+ type: boolean
+ description: >
+ If the related vulnerability has been resolved.
+
+ - name: credit
+ type: keyword
+ description: >
+ Reference to the person that original found the vulnerability.
+
+ - name: semver
+ type: flattened
+ description: >
+ One or more semver ranges this issue is applicable to. The format varies according to package manager.
+
+ - name: identifiers.alternative
+ type: keyword
+ description: >
+ Additional vulnerability identifiers.
+
+ - name: identifiers.cwe
+ type: keyword
+ description: >
+ CWE vulnerability identifiers.
+
diff --git a/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/package-fields.yml b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/package-fields.yml
new file mode 100755
index 0000000000..a6f1fda959
--- /dev/null
+++ b/packages/snyk/1.1.2/data_stream/vulnerabilities/fields/package-fields.yml
@@ -0,0 +1,17 @@
+- name: snyk
+ type: group
+ release: beta
+ description: >
+ Module for parsing Snyk project vulnerabilities.
+
+ fields:
+ - name: projects
+ type: flattened
+ description: >
+ Array with all related projects objects.
+
+ - name: related.projects
+ type: keyword
+ description: >
+ Array of all the related project ID's.
+
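Review bot: `priority_score` is mapped as `type: long` in the middle of the fields.yml hunk, but the sample event added by this same commit carries `"priority_score": 4.05`, so under Elasticsearch's default numeric coercion the fraction is truncated to `4` (and rejected outright if coerce is disabled); `type: float` (or `scaled_float`) matches the data the API returns. The `type` field's description says the value is `"license"` or `"vulnerability"`, while the data stream manifest's `types` default and the sample event use `vuln` (plus `configuration`), so the description should list the values the API actually emits. Two description strings also look like typos that will surface verbatim in the exported-fields docs: `CSSv3 scores.` on `cvss3` presumably means `CVSSv3 score vector.`, and `The CVS priority score.` presumably means `The Snyk priority score.`, since the manifest describes it as a 0-1000 Snyk value rather than a CVSS metric.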
diff --git a/packages/snyk/1.1.2/data_stream/vulnerabilities/manifest.yml b/packages/snyk/1.1.2/data_stream/vulnerabilities/manifest.yml
new file mode 100755
index 0000000000..f64689d6d2
--- /dev/null
+++ b/packages/snyk/1.1.2/data_stream/vulnerabilities/manifest.yml
@@ -0,0 +1,200 @@
+title: "Collect Snyk Vulnerability Data"
+type: logs
+streams:
+ - input: httpjson
+ title: "Collect Snyk Vulnerability Data"
+ description: "Collect Snyk Vulnerability data via the Snyk API"
+ enabled: true
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: orgs
+ type: text
+ title: Orgs
+ multi: true
+ show_user: true
+ required: true
+ description: The list of org IDs to filter the results by
+ - name: severity
+ type: text
+ title: Severity
+ multi: true
+ show_user: true
+ required: false
+ description: The severity levels of issues to filter the results by
+ default:
+ - critical
+ - high
+ - medium
+ - low
+ - name: exploit_maturity
+ type: text
+ title: Exploit Maturity
+ multi: true
+ show_user: true
+ required: false
+ description: The exploit maturity levels of issues to filter the results by
+ default:
+ - mature
+ - proof-of-concept
+ - no-known-exploit
+ - no-data
+ - name: types
+ type: text
+ title: Types
+ multi: true
+ show_user: true
+ required: false
+ description: The type of issues to filter the results by
+ default:
+ - vuln
+ - license
+ - configuration
+ - name: languages
+ type: text
+ title: Languages
+ multi: true
+ show_user: true
+ required: false
+ description: The type of languages to filter the results by
+ default:
+ - javascript
+ - ruby
+ - java
+ - scala
+ - python
+ - golang
+ - php
+ - dotnet
+ - swift-objective-c
+ - elixir
+ - docker
+ - terraform
+ - kubernetes
+ - helm
+ - cloudformation
+ - name: projects
+ type: text
+ title: Projects
+ multi: true
+ show_user: true
+ required: false
+ description: The list of project IDs to filter issues by, max projects allowed is 1000
+ - name: identifier
+ type: text
+ title: Identifier
+ multi: false
+ show_user: true
+ required: false
+ description: Search term to filter issue name by, or an exact CVE or CWE
+ - name: ignored
+ type: bool
+ title: Ignored
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only
include issues which are ignored, if set to false, only include issues which are not ignored
+ - name: patched
+ type: bool
+ title: Patched
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are patched, if set to false, only include issues which are not patched
+ - name: fixable
+ type: bool
+ title: Fixable
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are fixable, if set to false, only include issues which are not fixable. An issue is fixable if it is either upgradable, patchable or pinnable. Also see isUpgradable, isPatchable and isPinnable filters.
+ - name: is_fixed
+ type: bool
+ title: Is Fixed
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are fixed, if set to false, only include issues which are not fixed
+ - name: is_upgradeable
+ type: bool
+ title: Is Upgradeable
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are upgradable, if set to false, only include issues which are not upgradable
+ - name: is_patchable
+ type: bool
+ title: Is Patchable
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are patchable, if set to false, only include issues which are not patchable
+ - name: is_pinnable
+ type: bool
+ title: Is Pinnable
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are pinnable, if set to false, only include issues which are not pinnable
+ - name: min_priority_score
+ type: text
+ title: Min Priority Score
+ multi: false
+ show_user: true
+ required: false
+ description: The priority score ranging between 0-1000
+ default: 0
+ - name: max_priority_score
+ type: text
+ title: Max Priority Score
+
multi: false
+ show_user: true
+ required: false
+ description: The priority score ranging between 0-1000
+ default: 1000
+ - name: interval
+ type: text
+ title: Interval to query Snyk Events API
+ description: Go Duration syntax (eg. 10s)
+ multi: false
+ show_user: false
+ required: true
+ default: 24h
+ - name: first_interval
+ type: text
+ title: Initial interval to query Snyk Events API
+ description: Go Duration syntax (eg. 10s)
+ multi: false
+ show_user: false
+ required: true
+ default: 24h
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - snyk-vulnerabilities
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/snyk/1.1.2/data_stream/vulnerabilities/sample_event.json b/packages/snyk/1.1.2/data_stream/vulnerabilities/sample_event.json
new file mode 100755
index 0000000000..cf692f936b
--- /dev/null
+++ b/packages/snyk/1.1.2/data_stream/vulnerabilities/sample_event.json
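Review bot: The seven `bool` filter vars from `ignored` through `is_pinnable` all carry `default: false`, and each description states that false means "only include issues which are not …", so read literally the defaults collect only the non-fixable, non-upgradable, non-patchable, non-pinnable, non-fixed issues and drop exactly the findings a user would want to remediate first. The consuming template (httpjson.yml.hbs) is outside this hunk, so whether a false value is forwarded as a filter or omitted cannot be confirmed here; if it is forwarded, dropping the `default:` lines so an unset var applies no filter is the safer behaviour, and either way the descriptions should say what an unset value does. `min_priority_score` and `max_priority_score` are declared `type: text` but their defaults are bare `0` and `1000`, which a YAML parser reads as integers — quote them as `default: "0"` and `default: "1000"` to keep the value type consistent with the declared var type. The var name `is_upgradeable` differs in spelling from the field `is_upgradable` and the `isUpgradable` filter named in the `fixable` description; one spelling avoids a confusing knob.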
@@ -0,0 +1,141 @@ +{ + "@timestamp": "2022-01-02T10:21:46.407Z", + "agent": { + "ephemeral_id": "b6ade099-0307-4079-b700-1b29dfb838ff", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "snyk.vulnerabilities", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-01-02T10:21:46.407Z", + "dataset": "snyk.vulnerabilities", + "ingested": "2022-01-02T10:21:47Z", + "original": "{\"introducedDate\":\"2020-04-07\",\"isFixed\":false,\"issue\":{\"CVSSv3\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"credit\":[\"Snyk Security Research Team\"],\"cvssScore\":\"8.1\",\"disclosureTime\":\"2016-11-27T22:00:00.000Z\",\"exploitMaturity\":\"no-known-exploit\",\"id\":\"npm:ejs:20161128\",\"identifiers\":{\"ALTERNATIVE\":[\"SNYK-JS-EJS-10218\"],\"CVE\":[],\"CWE\":[\"CWE-94\"]},\"isIgnored\":false,\"isPatchable\":false,\"isPatched\":false,\"isPinnable\":false,\"isUpgradable\":false,\"jiraIssueUrl\":null,\"language\":\"js\",\"originalSeverity\":null,\"package\":\"ejs\",\"packageManager\":\"npm\",\"patches\":[{\"comments\":[],\"id\":\"patch:npm:ejs:20161128:0\",\"modificationTime\":\"2019-12-03T11:40:45.851976Z\",\"urls\":[\"https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch\"],\"version\":\"\\u003c2.5.3 \\u003e=2.2.4\"}],\"priorityScore\":4.05,\"publicationTime\":\"2016-11-28T18:44:12.000Z\",\"reachability\":\"No Info\",\"semver\":{\"vulnerable\":[\"\\u003c2.5.3\"]},\"severity\":\"high\",\"title\":\"Arbitrary Code 
Execution\",\"type\":\"vuln\",\"uniqueSeveritiesList\":[\"high\"],\"url\":\"https://snyk.io/vuln/npm:ejs:20161128\",\"version\":\"0.8.8\"},\"projects\":[{\"id\":\"projectid\",\"name\":\"username/reponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"someotheruser/someotherreponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"folder1/package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"projectname\",\"packageManager\":\"npm\",\"source\":\"cli\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"}]}" + }, + "host": { + "name": "docker-fleet-agent" + }, + "input": { + "type": "httpjson" + }, + "snyk": { + "projects": [ + { + "id": "projectid", + "name": "username/reponame", + "packageManager": "npm", + "source": "github", + "targetFile": "package.json", + "url": "https://snyk.io/org/orgname/project/projectid" + }, + { + "id": "projectid", + "name": "someotheruser/someotherreponame", + "packageManager": "npm", + "source": "github", + "targetFile": "folder1/package.json", + "url": "https://snyk.io/org/orgname/project/projectid" + }, + { + "id": "projectid", + "name": "projectname", + "packageManager": "npm", + "source": "cli", + "targetFile": "package.json", + "url": "https://snyk.io/org/orgname/project/projectid" + } + ], + "related": { + "projects": [ + "username/reponame", + "someotheruser/someotherreponame", + "projectname" + ] + }, + "vulnerabilities": { + "credit": [ + "Snyk Security Research Team" + ], + "cvss3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "disclosure_time": "2016-11-27T22:00:00.000Z", + "exploit_maturity": "no-known-exploit", + "id": "npm:ejs:20161128", + "identifiers": { + "alternative": [ + "SNYK-JS-EJS-10218" + ], + "cwe": [ + "CWE-94" + ] + }, + "introduced_date": "2020-04-07", + "is_fixed": 
false, + "is_ignored": false, + "is_patchable": false, + "is_patched": false, + "is_pinnable": false, + "is_upgradable": false, + "language": "js", + "package": "ejs", + "package_manager": "npm", + "patches": [ + { + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "\u003c2.5.3 \u003e=2.2.4" + } + ], + "priority_score": 4.05, + "publication_time": "2016-11-28T18:44:12.000Z", + "reachability": "No Info", + "semver": { + "vulnerable": [ + "\u003c2.5.3" + ] + }, + "title": "Arbitrary Code Execution", + "type": "vuln", + "unique_severities_list": [ + "high" + ], + "version": "0.8.8" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "snyk-vulnerabilities" + ], + "vulnerability": { + "category": "Github", + "classification": "CVSS", + "enumeration": "CVE", + "reference": "https://snyk.io/vuln/npm:ejs:20161128", + "scanner": { + "vendor": "Snyk" + }, + "score": { + "base": 8.1, + "version": "3.0" + }, + "severity": "high" + } +} \ No newline at end of file diff --git a/packages/snyk/1.1.2/docs/README.md b/packages/snyk/1.1.2/docs/README.md new file mode 100755 index 0000000000..3c2f7d017b --- /dev/null +++ b/packages/snyk/1.1.2/docs/README.md 
@@ -0,0 +1,344 @@ +# Snyk Integration + +This integration is for ingesting data from the [Snyk](https://snyk.io/) API. + +- `vulnerabilities`: Collects all found vulnerabilities for the related organizations and projects +- `audit`: Collects audit logging from Snyk, this can be actions like users, permissions, groups, api access and more. + +To configure access to the Snyk Audit Log API you will have to generate an API access token as described in the [Snyk Documentation](https://snyk.docs.apiary.io/#introduction/authorization) + + +## Audit + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2020-11-11T21:00:00.000Z", + "agent": { + "ephemeral_id": "d625d71f-f6c0-4b21-a59c-8e6c6ca1cfa1", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "snyk.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "org.user.invite", + "agent_id_status": "verified", + "created": "2022-01-02T10:21:09.808Z", + "dataset": "snyk.audit", + "ingested": "2022-01-02T10:21:10Z", + "original": "{\"content\":{\"email\":\"someone@snyk.io\",\"isAdmin\":false},\"created\":\"2020-11-11T21:00:00.000Z\",\"event\":\"org.user.invite\",\"groupId\":\"groupid123test-543123-54312sadf-123ad\",\"orgId\":\"orgid123test-5643asd234-asdfasdf\",\"projectId\":null,\"userId\":\"userid123test-234sdfa2-423sdfa-2134\"}" + }, + "host": { + "name": "docker-fleet-agent" + }, + "input": { + "type": "httpjson" + }, + "snyk": { + "audit": { + "content": { + "email": "someone@snyk.io", + "isAdmin": false + }, + "org_id": "orgid123test-5643asd234-asdfasdf" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "snyk-audit" + ], + "user": { + "group": { + "id": 
"groupid123test-543123-54312sadf-123ad" + }, + "id": "userid123test-234sdfa2-423sdfa-2134" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. 
| ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| snyk.audit.content | Overview of the content that was changed, both old and new values. | flattened | +| snyk.audit.org_id | ID of the related Organization related to the event. | keyword | +| snyk.audit.project_id | ID of the project related to the event. | keyword | +| snyk.projects | Array with all related projects objects. 
| flattened | +| snyk.related.projects | Array of all the related project ID's. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.id | Unique identifier of the user. | keyword | + + +## Vulnerabilities + +An example event for `vulnerabilities` looks as following: + +```json +{ + "@timestamp": "2022-01-02T10:21:46.407Z", + "agent": { + "ephemeral_id": "b6ade099-0307-4079-b700-1b29dfb838ff", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "snyk.vulnerabilities", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-01-02T10:21:46.407Z", + "dataset": "snyk.vulnerabilities", + "ingested": "2022-01-02T10:21:47Z", + "original": "{\"introducedDate\":\"2020-04-07\",\"isFixed\":false,\"issue\":{\"CVSSv3\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"credit\":[\"Snyk Security Research Team\"],\"cvssScore\":\"8.1\",\"disclosureTime\":\"2016-11-27T22:00:00.000Z\",\"exploitMaturity\":\"no-known-exploit\",\"id\":\"npm:ejs:20161128\",\"identifiers\":{\"ALTERNATIVE\":[\"SNYK-JS-EJS-10218\"],\"CVE\":[],\"CWE\":[\"CWE-94\"]},\"isIgnored\":false,\"isPatchable\":false,\"isPatched\":false,\"isPinnable\":false,\"isUpgradable\":false,\"jiraIssueUrl\":null,\"language\":\"js\",\"originalSeverity\":null,\"package\":\"ejs\",\"packageManager\":\"npm\",\"patches\":[{\"comments\":[],\"id\":\"patch:npm:ejs:20161128:0\",\"modificationTime\":\"2019-12-03T11:40:45.851976Z\",\"urls\":[\"https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch\"],\"version\":\"\\u003c2.5.3 
\\u003e=2.2.4\"}],\"priorityScore\":4.05,\"publicationTime\":\"2016-11-28T18:44:12.000Z\",\"reachability\":\"No Info\",\"semver\":{\"vulnerable\":[\"\\u003c2.5.3\"]},\"severity\":\"high\",\"title\":\"Arbitrary Code Execution\",\"type\":\"vuln\",\"uniqueSeveritiesList\":[\"high\"],\"url\":\"https://snyk.io/vuln/npm:ejs:20161128\",\"version\":\"0.8.8\"},\"projects\":[{\"id\":\"projectid\",\"name\":\"username/reponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"someotheruser/someotherreponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"folder1/package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"projectname\",\"packageManager\":\"npm\",\"source\":\"cli\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"}]}" + }, + "host": { + "name": "docker-fleet-agent" + }, + "input": { + "type": "httpjson" + }, + "snyk": { + "projects": [ + { + "id": "projectid", + "name": "username/reponame", + "packageManager": "npm", + "source": "github", + "targetFile": "package.json", + "url": "https://snyk.io/org/orgname/project/projectid" + }, + { + "id": "projectid", + "name": "someotheruser/someotherreponame", + "packageManager": "npm", + "source": "github", + "targetFile": "folder1/package.json", + "url": "https://snyk.io/org/orgname/project/projectid" + }, + { + "id": "projectid", + "name": "projectname", + "packageManager": "npm", + "source": "cli", + "targetFile": "package.json", + "url": "https://snyk.io/org/orgname/project/projectid" + } + ], + "related": { + "projects": [ + "username/reponame", + "someotheruser/someotherreponame", + "projectname" + ] + }, + "vulnerabilities": { + "credit": [ + "Snyk Security Research Team" + ], + "cvss3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "disclosure_time": "2016-11-27T22:00:00.000Z", + 
"exploit_maturity": "no-known-exploit", + "id": "npm:ejs:20161128", + "identifiers": { + "alternative": [ + "SNYK-JS-EJS-10218" + ], + "cwe": [ + "CWE-94" + ] + }, + "introduced_date": "2020-04-07", + "is_fixed": false, + "is_ignored": false, + "is_patchable": false, + "is_patched": false, + "is_pinnable": false, + "is_upgradable": false, + "language": "js", + "package": "ejs", + "package_manager": "npm", + "patches": [ + { + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "\u003c2.5.3 \u003e=2.2.4" + } + ], + "priority_score": 4.05, + "publication_time": "2016-11-28T18:44:12.000Z", + "reachability": "No Info", + "semver": { + "vulnerable": [ + "\u003c2.5.3" + ] + }, + "title": "Arbitrary Code Execution", + "type": "vuln", + "unique_severities_list": [ + "high" + ], + "version": "0.8.8" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "snyk-vulnerabilities" + ], + "vulnerability": { + "category": "Github", + "classification": "CVSS", + "enumeration": "CVE", + "reference": "https://snyk.io/vuln/npm:ejs:20161128", + "scanner": { + "vendor": "Snyk" + }, + "score": { + "base": 8.1, + "version": "3.0" + }, + "severity": "high" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. 
| text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| snyk.projects | Array with all related projects objects. | flattened | +| snyk.related.projects | Array of all the related project ID's. | keyword | +| snyk.vulnerabilities.credit | Reference to the person that original found the vulnerability. | keyword | +| snyk.vulnerabilities.cvss3 | CSSv3 scores. | keyword | +| snyk.vulnerabilities.disclosure_time | The time this vulnerability was originally disclosed to the package maintainers. | date | +| snyk.vulnerabilities.exploit_maturity | The Snyk exploit maturity level. | keyword | +| snyk.vulnerabilities.id | The vulnerability reference ID. | keyword | +| snyk.vulnerabilities.identifiers.alternative | Additional vulnerability identifiers. | keyword | +| snyk.vulnerabilities.identifiers.cwe | CWE vulnerability identifiers. | keyword | +| snyk.vulnerabilities.introduced_date | The date the vulnerability was initially found. | date | +| snyk.vulnerabilities.is_fixed | If the related vulnerability has been resolved. 
| boolean | +| snyk.vulnerabilities.is_ignored | If the vulnerability report has been ignored. | boolean | +| snyk.vulnerabilities.is_patchable | If vulnerability is fixable by using a Snyk supplied patch. | boolean | +| snyk.vulnerabilities.is_patched | If the vulnerability has been patched. | boolean | +| snyk.vulnerabilities.is_pinnable | If the vulnerability is fixable by pinning a transitive dependency. | boolean | +| snyk.vulnerabilities.is_upgradable | If the vulnerability fixable by upgrading a dependency. | boolean | +| snyk.vulnerabilities.jira_issue_url | Link to the related Jira issue. | keyword | +| snyk.vulnerabilities.language | The package's programming language. | keyword | +| snyk.vulnerabilities.original_severity | The original severity of the vulnerability. | long | +| snyk.vulnerabilities.package | The package identifier according to its package manager. | keyword | +| snyk.vulnerabilities.package_manager | The package manager. | keyword | +| snyk.vulnerabilities.patches | Patches required to resolve the issue created by Snyk. | flattened | +| snyk.vulnerabilities.priority_score | The CVS priority score. | long | +| snyk.vulnerabilities.publication_time | The vulnerability publication time. | date | +| snyk.vulnerabilities.reachability | If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable. | keyword | +| snyk.vulnerabilities.semver | One or more semver ranges this issue is applicable to. The format varies according to package manager. | flattened | +| snyk.vulnerabilities.title | The issue title. | keyword | +| snyk.vulnerabilities.type | The issue type. Can be either "license" or "vulnerability". | keyword | +| snyk.vulnerabilities.unique_severities_list | A list of related unique severities. | keyword | +| snyk.vulnerabilities.version | The package version this issue is applicable to. | keyword | +| tags | List of keywords used to tag each event. 
| keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.id | Unique identifier of the user. | keyword | +| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | +| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | +| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword | +| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | +| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | +| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword | +| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. 
CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | +| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | + + diff --git a/packages/snyk/1.1.2/img/snyk-logo.svg b/packages/snyk/1.1.2/img/snyk-logo.svg new file mode 100755 index 0000000000..039ceba032 --- /dev/null +++ b/packages/snyk/1.1.2/img/snyk-logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/snyk/1.1.2/manifest.yml b/packages/snyk/1.1.2/manifest.yml new file mode 100755 index 0000000000..3a0571c9cd --- /dev/null +++ b/packages/snyk/1.1.2/manifest.yml 
@@ -0,0 +1,62 @@
+format_version: 1.0.0
+name: snyk
+title: "Snyk"
+version: 1.1.2
+license: basic
+description: "Collect logs from Snyk API with Elastic Agent."
+type: integration
+categories:
+ - security
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/snyk-logo.svg
+ title: Snyk logo
+ size: 382x625
+ type: image/svg+xml
+policy_templates:
+ - name: snyk
+ title: Snyk Events
+ description: Collect data from Snyk API
+ inputs:
+ - type: httpjson
+ title: Collect data from Snyk API
+ description: Collect Audit and Vulnerabilty data from the Snyk API
+ vars:
+ - name: url
+ type: text
+ title: Base URL of Snyk API Server
+ multi: false
+ show_user: false
+ required: true
+ default: https://snyk.io/api/v1
+ description: The base URL as found [here](https://snyk.docs.apiary.io/#introduction/api-url). No trailing /.
+ - name: api_token
+ type: password
+ title: Snyk API Token
+ multi: false
+ show_user: true
+ required: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ description: URL to proxy connections in the form of http[s]://:@:
+ multi: false
+ required: false
+ show_user: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/zscaler_zia/0.1.3/changelog.yml b/packages/zscaler_zia/0.1.3/changelog.yml
new file mode 100755
index 0000000000..77542ffe37
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/changelog.yml
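Review bot: The httpjson input description reads `Collect Audit and Vulnerabilty data from the Snyk API`; it should be `Collect Audit and Vulnerability data from the Snyk API`. The `proxy_url` description, `URL to proxy connections in the form of http[s]://:@:`, has nothing between the separators — presumably the user, password, host and port placeholders were lost, possibly stripped by the page rendering rather than in the file, which is worth confirming since a proxy URL in this form can carry credentials and users need to see the expected shape. `http_client_timeout` is the only var here without a `description`; a one-line description stating the expected duration format would make the free-text field self-explanatory.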
@@ -0,0 +1,21 @@
+# newer versions go on top
+- version: "0.1.3"
+ changes:
+ - description: Updated the image file reference in README file
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3038
+- version: "0.1.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.1.1"
+ changes:
+ - description: Updated the README to describe the Zscaler ZIA setup process in detail.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2773
+- version: "0.1.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2459
diff --git a/packages/zscaler_zia/0.1.3/data_stream/alerts/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/0.1.3/data_stream/alerts/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..49e3770cb1
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/alerts/agent/stream/tcp.yml.hbs
@@ -0,0 +1,23 @@
+tcp:
+host: "{{listen_address}}:{{listen_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+- drop_event:
+ when:
+ equals:
+ message: ""
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/zscaler_zia/0.1.3/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/0.1.3/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..8f9acf997c
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
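Review bot: `host: "{{listen_address}}:{{listen_port}}"` and `ssl: {{ssl}}` reference `listen_address` and `ssl`, but the alerts data-stream manifest added in this same commit (the `@@ -0,0 +1,41 @@` hunk for `data_stream/alerts/manifest.yml`) declares only `listen_port`, `tags`, `preserve_original_event` and `processors`. Unless both vars are declared at the package level, which is outside this chunk, Handlebars renders them empty and the input binds `host: ":9010"`, i.e. on every interface, with no TLS option surfaced to the user. If they are not declared elsewhere, add a `listen_address` var to the stream with `default: localhost` and an `ssl` var of `type: yaml`, so the bind address is explicit and wider exposure is an opt-in choice. The dns template in the `dns/agent/stream/tcp.yml.hbs` hunk has the same references and the same dependency.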
@@ -0,0 +1,52 @@
+---
+description: Pipeline for Zscaler alert logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - grok:
+ field: event.original
+ patterns:
+ - <%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} \[%{IPORHOST:destination.address}\] %{GREEDYDATA:message}
+ - grok:
+ field: message
+ patterns:
+ - 'ZscalerNSS: Zscaler cloud configuration connection to %{IPORHOST:destination.address}:%{NUMBER:destination.port:long} lost and unavailable for the past %{NUMBER:zscaler_zia.alerts.connection_lost_minutes:double} minutes'
+ - 'ZscalerNSS: SIEM Feed connection "%{GREEDYDATA:zscaler_zia.alerts.log_feed_name}" to %{IPORHOST:destination.address}:%{NUMBER:destination.port:long} lost and unavailable for the past %{NUMBER:zscaler_zia.alerts.connection_lost_minutes:double} minutes'
+ ignore_failure: true
+ - convert:
+ field: destination.address
+ target_field: destination.ip
+ type: ip
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: "{{{destination.ip}}}"
+ if: ctx?.destination?.ip != null
+ ignore_failure: true
+ - date:
+ field: _tmp.timestamp
+ target_field: '@timestamp'
+ ignore_failure: true
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - MMM d HH:mm:ss
+ - ISO8601
+ - remove:
+ field:
+ - _tmp
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/agent.yml b/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/agent.yml
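Review bot: The `SYSLOGTIMESTAMP` captured into `_tmp.timestamp` carries no year, and the `date` processor that consumes it sets neither a `timezone` nor any year correction, so the year is filled in at ingest time and the offset is taken as UTC. The `sample_event.json` added in this same commit shows the effect: `@timestamp` is `2022-12-10T13:40:32.000Z` while `event.ingested` is `2022-02-04T06:31:25Z`, an alert dated ten months in the future, which breaks time-based correlation and any "recent alerts" view. Consider adding the `date` processor's `timezone` option driven by a stream variable, and a short Painless step after it that subtracts one year whenever the parsed `@timestamp` is later than the current time. `on_failure` only sets `error.message`; setting `event.kind: pipeline_error` there as well would let failed documents be found with the usual query.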
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/base-fields.yml b/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/base-fields.yml
new file mode 100755
index 0000000000..bddad62cfe
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: zscaler_zia
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: zscaler_zia.alerts
diff --git a/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/ecs.yml b/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/ecs.yml
new file mode 100755
index 0000000000..94ad86350f
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/ecs.yml
@@ -0,0 +1,33 @@ +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/fields.yml b/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/fields.yml new file mode 100755 index 0000000000..38608a7891 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/alerts/fields/fields.yml 
@@ -0,0 +1,14 @@
+- name: zscaler_zia.alerts
+ type: group
+ fields:
+ - name: connection_lost_minutes
+ type: double
+ description: |
+ Amount of time after loosing connection to a server in Minutes.
+ - name: log_feed_name
+ type: keyword
+ description: |
+ Name of the NSS log feed.
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/zscaler_zia/0.1.3/data_stream/alerts/manifest.yml b/packages/zscaler_zia/0.1.3/data_stream/alerts/manifest.yml
new file mode 100755
index 0000000000..1bd14b8c53
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/alerts/manifest.yml
@@ -0,0 +1,41 @@
+title: Alerts
+type: logs
+streams:
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: Zscaler Internet Access Alerts
+ description: Collect Zscaler Internet Access Alerts using tcp input
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9010
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - zscaler_zia-alerts
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
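Review bot: The `connection_lost_minutes` description reads `Amount of time after loosing connection to a server in Minutes.`; `loosing` should be `losing` and the unit lower-case, e.g. `Minutes elapsed since the connection to the server was lost.`. The `log.source.address` description, `Source address from which the log event was read / sent from.`, doubles the preposition; `Source address from which the log event was read or sent.` reads cleanly. These strings are presumably rendered into the package documentation, so they are worth fixing before the field set is widely used.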
diff --git a/packages/zscaler_zia/0.1.3/data_stream/alerts/sample_event.json b/packages/zscaler_zia/0.1.3/data_stream/alerts/sample_event.json
new file mode 100755
index 0000000000..0749ca369a
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/alerts/sample_event.json
@@ -0,0 +1,61 @@
+{
+ "@timestamp": "2022-12-10T13:40:32.000Z",
+ "agent": {
+ "ephemeral_id": "8c093fcf-fb2f-4baa-b794-40edb011194d",
+ "hostname": "docker-fleet-agent",
+ "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "data_stream": {
+ "dataset": "zscaler_zia.alerts",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "81.2.69.193",
+ "ip": "81.2.69.193",
+ "port": 9012
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "zscaler_zia.alerts",
+ "ingested": "2022-02-04T06:31:25Z"
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "172.21.0.7:32902"
+ },
+ "syslog": {
+ "priority": 114
+ }
+ },
+ "message": "ZscalerNSS: SIEM Feed connection \"DNS Logs Feed\" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes",
+ "related": {
+ "ip": [
+ "81.2.69.193"
+ ]
+ },
+ "tags": [
+ "forwarded",
+ "zscaler_zia-alerts"
+ ],
+ "zscaler_zia": {
+ "alerts": {
+ "connection_lost_minutes": 2440,
+ "log_feed_name": "DNS Logs Feed"
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/zscaler_zia/0.1.3/data_stream/dns/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/0.1.3/data_stream/dns/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..030459f258
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/dns/agent/stream/tcp.yml.hbs
@@ -0,0 +1,19 @@
+tcp:
+host: "{{listen_address}}:{{listen_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/zscaler_zia/0.1.3/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/0.1.3/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..cbad42a808
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,209 @@
+---
+description: Pipeline for Zscaler dns logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: resp
+ - rename:
+ field: resp.event
+ target_field: json
+ - remove:
+ field: resp
+ ignore_missing: true
+ - date:
+ field: json.datetime
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - E MMM dd HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - remove:
+ field: json.datetime
+ ignore_missing: true
+ - set:
+ field: event.category
+ value: network
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.type
+ value: info
+ - rename:
+ field: json.clt_sip
+ target_field: client.ip
+ ignore_missing: true
+ - geoip:
+ field: client.ip
+ target_field: client.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: client.ip
+ target_field: client.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{{client.ip}}}"
+ if: ctx?.client?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.dns_resp
+ target_field: dns.answers.name
+ ignore_missing: true
+ - rename:
+ field: json.dns_req
+ target_field: dns.question.name
+ ignore_missing: true
+ - rename:
+ field: json.dns_reqtype
+ target_field: dns.question.type
+ ignore_missing: true
+ - rename:
+ field: json.srv_dip
+ target_field: server.ip
+ ignore_missing: true
+ - geoip:
+ field: server.ip
+ target_field: server.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: server.ip
+ target_field: server.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{{server.ip}}}"
+ if: ctx?.server?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.srv_dport
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.srv_dport
+ ignore_missing: true
+ - urldecode:
+ field: json.user
+ target_field: user.email
+ ignore_missing: true
+ - remove:
+ field: json.user
+ ignore_missing: true
+ - rename:
+ field: json.deviceowner
+ target_field: user.name
+ ignore_missing: true
+ - urldecode:
+ field: json.department
+ target_field: zscaler_zia.dns.department
+ ignore_missing: true
+ - remove:
+ field: json.department
+ ignore_missing: true
+ - urldecode:
+ field: json.location
+ target_field: zscaler_zia.dns.location
+ ignore_missing: true
+ - remove:
+ field: json.location
+ ignore_missing: true
+ - rename:
+ field: json.reqaction
+ target_field: zscaler_zia.dns.request.action
+ ignore_missing: true
+ - rename:
+ field: json.resaction
+ target_field: zscaler_zia.dns.response.action
+ ignore_missing: true
+ - urldecode:
+ field: json.reqrulelabel
+ target_field: zscaler_zia.dns.request.rule.label
+ ignore_missing: true
+ - remove:
+ field: json.reqrulelabel
+ ignore_missing: true
+ - urldecode:
+ field: json.resrulelabel
+ target_field: zscaler_zia.dns.response.rule.label
+ ignore_missing: true
+ - remove:
+ field: json.resrulelabel
+ ignore_missing: true
+ - convert:
+ field: json.durationms
+ target_field: zscaler_zia.dns.duration.milliseconds
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.durationms
+ ignore_missing: true
+ - rename:
+ field: json.category
+ target_field: zscaler_zia.dns.dom.category
+ ignore_missing: true
+ - rename:
+ field: json.devicehostname
+ target_field: zscaler_zia.dns.hostname
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: "{{{zscaler_zia.dns.hostname}}}"
+ if: ctx?.zscaler_zia?.dns?.hostname != null
+ allow_duplicates: false
+ ignore_failure: true
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object
instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - script:
+ description: Adds all the remaining fields in fields under zscaler_zia.dns
+ lang: painless
+ if: ctx.json != null
+ source: |
+ for (Map.Entry m : ctx.json.entrySet()) {
+ ctx.zscaler_zia.dns[m.getKey()] = m.getValue();
+ }
+ - remove:
+ field: json
+ ignore_failure: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/zscaler_zia/0.1.3/data_stream/dns/fields/agent.yml b/packages/zscaler_zia/0.1.3/data_stream/dns/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/dns/fields/agent.yml
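Review bot: The second `script` processor runs `ctx.zscaler_zia.dns[m.getKey()] = m.getValue();` guarded only by `if: ctx.json != null`, yet every processor that creates `zscaler_zia.dns.*` before it is conditional on its source key (`ignore_missing: true`), and the preceding `dropEmptyFields(ctx)` removes `zscaler_zia.dns` again when it ended up empty, so an event whose `json` holds only keys this pipeline does not recognise reaches that line with `ctx.zscaler_zia` null and the whole document drops into `on_failure`. Initialise the target first: `if (ctx.zscaler_zia == null) ctx.zscaler_zia = new HashMap();` and `if (ctx.zscaler_zia.dns == null) ctx.zscaler_zia.dns = new HashMap();`. That loop also copies every leftover vendor key verbatim under `zscaler_zia.dns`; whether those land as declared or dynamic fields depends on `dns/fields/fields.yml`, whose hunk is not in this chunk, so it is worth checking that the mapping bounds them. As in the alerts pipeline, `on_failure` sets only `error.message`; adding `event.kind: pipeline_error` there makes failed documents findable with the usual query.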
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/zscaler_zia/0.1.3/data_stream/dns/fields/base-fields.yml b/packages/zscaler_zia/0.1.3/data_stream/dns/fields/base-fields.yml
new file mode 100755
index 0000000000..cc2e29669e
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/dns/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: zscaler_zia
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: zscaler_zia.dns
diff --git a/packages/zscaler_zia/0.1.3/data_stream/dns/fields/ecs.yml b/packages/zscaler_zia/0.1.3/data_stream/dns/fields/ecs.yml
new file mode 100755
index 0000000000..7462b85bae
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/dns/fields/ecs.yml
@@ -0,0 +1,101 @@ +- description: City name. + name: client.geo.city_name + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: client.geo.location + type: geo_point +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Region name. + name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: City name. + name: server.geo.city_name + type: keyword +- description: Name of the continent. + name: server.geo.continent_name + type: keyword +- description: Country ISO code. + name: server.geo.country_iso_code + type: keyword +- description: Country name. + name: server.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: server.geo.location + type: geo_point +- description: Region ISO code. + name: server.geo.region_iso_code + type: keyword +- description: Region name. + name: server.geo.region_name + type: keyword +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Port of the server. + name: server.port + type: long +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/zscaler_zia/0.1.3/data_stream/dns/fields/fields.yml b/packages/zscaler_zia/0.1.3/data_stream/dns/fields/fields.yml new file mode 100755 index 0000000000..ae183b145c --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/dns/fields/fields.yml 
@@ -0,0 +1,48 @@
+- name: zscaler_zia.dns
+ type: group
+ fields:
+ - name: department
+ type: keyword
+ description: |
+ Department of the user.
+ - name: dom.category
+ type: keyword
+ description: |
+ URL Category of the FQDN in the DNS request.
+ - name: duration.milliseconds
+ type: long
+ description: |
+ Duration of the DNS request in milliseconds.
+ - name: hostname
+ type: keyword
+ description: |
+ N/A
+ - name: location
+ type: keyword
+ description: |
+ Gateway location or sub-location of the source.
+ - name: request
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ description: |
+ Name of the action that was applied to the DNS request.
+ - name: rule.label
+ type: keyword
+ description: |
+ Name of the rule that was applied to the DNS request.
+ - name: response
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ description: |
+ Name of the action that was applied to the DNS response.
+ - name: rule.label
+ type: keyword
+ description: |-
+ Name of the rule that was applied to the DNS response.
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/zscaler_zia/0.1.3/data_stream/dns/manifest.yml b/packages/zscaler_zia/0.1.3/data_stream/dns/manifest.yml
new file mode 100755
index 0000000000..a47e838e8c
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/dns/manifest.yml
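Review bot: The description for `zscaler_zia.dns.hostname` is the placeholder `N/A`, which tells a user nothing about the field; the dns sample event shows it holding the device host name (`Machine9000`), the same value that lands in `related.hosts`. A description along the lines of `Hostname of the device that issued the DNS request.` would match the neighbouring fields, to be confirmed against the Zscaler NSS field reference since I can only infer the meaning from the sample. The last `rule.label` entry also uses `|-` while every other description in the file uses `|`, so its text is the only one without a trailing newline; pick one form for the whole file.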
@@ -0,0 +1,41 @@
+title: DNS logs
+type: logs
+streams:
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: Zscaler Internet Access DNS Logs
+ description: Collect Zscaler Internet Access DNS logs using tcp input
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9011
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - zscaler_zia-dns
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zscaler_zia/0.1.3/data_stream/dns/sample_event.json b/packages/zscaler_zia/0.1.3/data_stream/dns/sample_event.json
new file mode 100755
index 0000000000..86b91a6988
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/dns/sample_event.json
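Review bot: The stream template this manifest feeds binds `host: "{{listen_address}}:{{listen_port}}"` and emits an `ssl:` block when `ssl` is set (visible in the firewall `tcp.yml.hbs` hunk, which the dns one presumably mirrors), but the vars declared here are only `listen_port`, `tags`, `preserve_original_event` and `processors`. If `listen_address` and `ssl` are supplied by the package-level input vars that is fine, but then the `listen_port` description should say so, e.g. `The TCP port number to listen on; the bind address and TLS settings come from the input-level options.`; if they are not, the host renders as `:9011` and there is no way to put TLS on a listener that receives user e-mails and device names from the network. The firewall manifest hunk has the same shape and the same gap.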
@@ -0,0 +1,124 @@ +{ + "@timestamp": "2021-12-17T07:27:54.000Z", + "agent": { + "ephemeral_id": "d288c261-b8db-45af-99c0-a673c3c6d8e1", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193" + }, + "data_stream": { + "dataset": "zscaler_zia.dns", + "namespace": "ep", + "type": "logs" + }, + "dns": { + "answers": { + "name": "Some response string" + }, + "question": { + "name": "example.com", + "type": "Some type" + } + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "dataset": "zscaler_zia.dns", + "ingested": "2022-02-04T06:32:56Z", + "kind": "event", + "type": [ + "info" + ] + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:54202" + } + }, + "related": { + "hosts": [ + "Machine9000" + ], + "ip": [ + "81.2.69.193", + "81.2.69.144" + ] + }, + "server": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 8080 + }, + "tags": [ + "forwarded", + "zscaler_zia-dns" + ], + "user": { + "email": "some_user@example.com", + "name": "Owner77" + }, + "zscaler_zia": { + "dns": { + "department": "Unknown", + "dom": { + "category": "Professional Services" + }, + "duration": { + "milliseconds": 123456 + }, + "hostname": "Machine9000", + "location": 
"TestLoc DB", + "request": { + "action": "REQ_ALLOW", + "rule": { + "label": "Access Blocked" + } + }, + "response": { + "action": "Some Response Action", + "rule": { + "label": "None" + } + } + } + } +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/0.1.3/data_stream/firewall/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..030459f258 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/firewall/agent/stream/tcp.yml.hbs @@ -0,0 +1,19 @@ +tcp: +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/zscaler_zia/0.1.3/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/0.1.3/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..f27a8cfea0 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,270 @@ +--- +description: Pipeline for Zscaler firewall logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: resp + - rename: + field: resp.event + target_field: json + - remove: + field: resp + ignore_missing: true + - set: + field: event.category + value: network + - set: + field: event.kind + value: event + - set: + field: event.type + value: info + - date: + field: json.datetime + target_field: "@timestamp" + ignore_failure: true + formats: + - E MMM dd HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - remove: + field: json.datetime + ignore_failure: true + - rename: + field: json.outbytes + target_field: client.bytes + ignore_missing: true + - rename: + field: json.devicehostname + target_field: host.hostname + ignore_missing: true + - rename: + field: json.nwapp + target_field: network.application + ignore_missing: true + - rename: + field: json.nwsvc + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - rename: + field: json.proto + target_field: network.transport + ignore_missing: true + - lowercase: + field: network.transport + ignore_missing: true + - append: + field: rule.name + value: "{{{json.rulelabel}}}" + if: ctx?.json?.rulelabel != null + allow_duplicates: false + - append: + field: rule.name + value: "{{{json.ipsrulelabel}}}" + if: ctx?.json?.ipsrulelabel != null + allow_duplicates: false + - urldecode: + field: rule.name + ignore_failure: true + - remove: + field: json.rulelabel + ignore_missing: true + - remove: + field: json.ipsrulelabel + ignore_missing: true + - rename: + field: json.inbytes + target_field: server.bytes + ignore_missing: true + - rename: + field: json.destcountry + target_field: server.geo.country_name + ignore_missing: true + - urldecode: + field: json.user + target_field: user.email 
+ ignore_missing: true + - remove: + field: json.user + ignore_missing: true + - rename: + field: json.deviceowner + target_field: user.name + ignore_missing: true + - urldecode: + field: json.department + target_field: zscaler_zia.firewall.department + ignore_missing: true + - remove: + field: json.department + ignore_missing: true + - urldecode: + field: json.locationname + target_field: zscaler_zia.firewall.location.name + ignore_missing: true + - remove: + field: json.locationname + ignore_missing: true + - rename: + field: json.cdport + target_field: zscaler_zia.firewall.client.destination.port + ignore_missing: true + - rename: + field: json.csport + target_field: zscaler_zia.firewall.client.source.port + ignore_missing: true + - rename: + field: json.sdport + target_field: zscaler_zia.firewall.server.destination.port + ignore_missing: true + - rename: + field: json.ssport + target_field: zscaler_zia.firewall.server.source.port + ignore_missing: true + - append: + field: related.ip + value: "{{{json.csip}}}" + if: ctx?.json?.csip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.csip + target_field: zscaler_zia.firewall.client.source.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{json.cdip}}}" + if: ctx?.json?.cdip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.cdip + target_field: zscaler_zia.firewall.client.destination.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{json.ssip}}}" + if: ctx?.json?.ssip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.ssip + target_field: zscaler_zia.firewall.server.source.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{json.sdip}}}" + if: ctx?.json?.sdip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.sdip + target_field: zscaler_zia.firewall.server.destination.ip + ignore_missing: true + - append: + field: related.ip + 
value: "{{{json.tsip}}}" + if: ctx?.json?.tsip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.tsip + target_field: zscaler_zia.firewall.tunnel.ip + ignore_missing: true + - rename: + field: json.tunsport + target_field: zscaler_zia.firewall.tunnel.port + ignore_missing: true + - rename: + field: json.tuntype + target_field: zscaler_zia.firewall.tunnel.type + ignore_missing: true + - rename: + field: json.action + target_field: event.action + ignore_missing: true + - lowercase: + field: event.action + ignore_missing: true + - rename: + field: json.dnat + target_field: zscaler_zia.firewall.nat + ignore_missing: true + - rename: + field: json.stateful + target_field: zscaler_zia.firewall.stateful + ignore_missing: true + - rename: + field: json.aggregate + target_field: zscaler_zia.firewall.aggregate + ignore_missing: true + - rename: + field: json.ipcat + target_field: zscaler_zia.firewall.ip_category + ignore_missing: true + - rename: + field: json.avgduration + target_field: zscaler_zia.firewall.duration.avg + ignore_missing: true + - rename: + field: json.duration + target_field: zscaler_zia.firewall.duration.seconds + ignore_missing: true + - rename: + field: json.durationms + target_field: zscaler_zia.firewall.duration.milliseconds + ignore_missing: true + - rename: + field: json.numsessions + target_field: zscaler_zia.firewall.session.count + ignore_missing: true + - rename: + field: json.threatcat + target_field: zscaler_zia.firewall.threat.category + ignore_missing: true + - rename: + field: json.threatname + target_field: zscaler_zia.firewall.threat.name + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if 
(object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - script: + description: Adds all the remaining fields in fields under zscaler_zia.firewall + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.zscaler_zia.firewall[m.getKey()] = m.getValue(); + } + - remove: + field: json + ignore_missing: true +on_failure: +- set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/agent.yml b/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/agent.yml 
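Review bot: Nothing in this pipeline removes `event.original` when the `preserve_original_event` tag is absent, although the stream manifest presents that option as the way to keep a raw copy; the firewall sample event carries the full raw record under `event.original` while the dns sample does not, which suggests the conditional `remove` was dropped here. Without it the raw record, including the user e-mail and device owner, is always indexed twice regardless of the operator's choice. The `date` processor's `formats` list also repeats `E MMM d HH:mm:ss yyyy`, and the final script writes into `ctx.zscaler_zia.firewall` without guarding for the case where no earlier processor created that map, which would surface only as `error.message` via the `on_failure` handler. The processor below, placed before the trailing `remove` of `json`, restores the documented behaviour.
```yaml
  # … unchanged: field renames, related.ip appends, painless scripts …
  - remove:
      field: event.original
      if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
      ignore_missing: true
  - remove:
      field: json
      ignore_missing: true
```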
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/base-fields.yml b/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/base-fields.yml
new file mode 100755
index 0000000000..b5aac8833c
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: zscaler_zia
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: zscaler_zia.firewall
diff --git a/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/ecs.yml b/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/ecs.yml
new file mode 100755
index 0000000000..7ce1ec4034
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/ecs.yml
@@ -0,0 +1,58 @@ +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip + type: ip +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: Country name. + name: server.geo.country_name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/fields.yml b/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/fields.yml new file mode 100755 index 0000000000..c8b4137da0 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/firewall/fields/fields.yml 
@@ -0,0 +1,127 @@ +- name: zscaler_zia.firewall + type: group + fields: + - name: department + type: keyword + description: | + Department of the user. + - name: location + type: group + fields: + - name: name + type: keyword + description: | + Name of the location from which the session was initiated. + - name: client + type: group + fields: + - name: destination + type: group + fields: + - name: port + type: double + description: | + Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate. + - name: ip + type: keyword + description: | + Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. + - name: source + type: group + fields: + - name: port + type: double + description: | + Client source port. For aggregated sessions, this is the client source port of the last session in the aggregate. + - name: ip + type: keyword + description: | + Client source IP address. For aggregated sessions, this is the client source IP address of the last session in the aggregate. + - name: server + type: group + fields: + - name: destination + type: group + fields: + - name: port + type: double + description: | + Server destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate. + - name: ip + type: keyword + description: | + Server Destination IP address. For aggregated sessions, this is the server destination IP address of the last session in the aggregate. + - name: source + type: group + fields: + - name: port + type: double + description: | + Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate. + - name: ip + type: keyword + description: | + Server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate. 
+ - name: tunnel + type: group + fields: + - name: ip + type: keyword + description: | + Tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate. + - name: port + type: double + description: | + Tunnel port on the client side. For aggregated sessions, this is the client's tunnel port corresponding to the last session in the aggregate. + - name: type + type: keyword + description: | + Traffic forwarding method used to send the traffic to the firewall. + - name: nat + type: keyword + description: | + Indicates if the destination NAT policy was applied. + - name: stateful + type: keyword + - name: aggregate + type: keyword + - name: ip_category + type: keyword + description: | + URL category that corresponds to the server IP address. + - name: duration + type: group + fields: + - name: avg + type: double + description: | + Average session duration, in milliseconds, if the sessions were aggregated. + - name: seconds + type: double + description: | + Session or request duration in seconds. + - name: milliseconds + type: double + description: | + Session or request duration in milliseconds. + - name: session + type: group + fields: + - name: count + type: double + description: | + Number of sessions that were aggregated. + - name: threat + type: group + fields: + - name: category + type: keyword + description: | + Category of the threat in the Firewall session by the IPS engine. + - name: name + type: keyword + description: | + Name of the threat detected in the Firewall session by the IPS engine. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zia/0.1.3/data_stream/firewall/manifest.yml b/packages/zscaler_zia/0.1.3/data_stream/firewall/manifest.yml new file mode 100755 index 0000000000..6da5481a66 --- /dev/null 
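Review bot: Every port and counter under `zscaler_zia.firewall` (`client.*.port`, `server.*.port`, `tunnel.port`, `session.count`, `duration.*`) is mapped as `double`, although the sample event shows plain integers such as `443` and `55018` and the sibling ecs.yml files map ports, bytes and packets as `long`; a `long` mapping avoids floating-point rendering of port numbers and keeps these fields consistent with `client.bytes` and `server.bytes`. The IP fields (`client.*.ip`, `server.*.ip`, `tunnel.ip`) are `keyword` even though the pipeline already appends the same values to `related.ip`, which is mapped as `ip`, so the two mappings disagree about what the values are; if non-IP strings are possible from the sender, keep `keyword` but say so in the description. `stateful` and `aggregate` have no description at all; from the sample values (`"Yes"`/`"No"`) something like `Whether the session was stateful (Yes/No).` would do, to be confirmed against the Zscaler NSS field reference.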
+++ b/packages/zscaler_zia/0.1.3/data_stream/firewall/manifest.yml
@@ -0,0 +1,41 @@
+title: Firewall Logs
+type: logs
+streams:
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: Zscaler Internet Access Firewall Logs
+ description: Collect Zscaler Internet Access Firewall Logs using tcp input
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9012
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - zscaler_zia-firewall
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zscaler_zia/0.1.3/data_stream/firewall/sample_event.json b/packages/zscaler_zia/0.1.3/data_stream/firewall/sample_event.json
new file mode 100755
index 0000000000..d5914ddf13
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/firewall/sample_event.json
@@ -0,0 +1,127 @@ +{ + "@timestamp": "2021-12-17T07:27:54.000Z", + "agent": { + "ephemeral_id": "41987f90-74dc-4b4b-9936-4347028cf558", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "client": { + "bytes": 1734 + }, + "data_stream": { + "dataset": "zscaler_zia.firewall", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "action": "drop", + "agent_id_status": "verified", + "category": "network", + "dataset": "zscaler_zia.firewall", + "ingested": "2022-02-04T06:34:17Z", + "kind": "event", + "original": "{ \"sourcetype\" : \"zscalernss-fw\", \"event\" :{\"datetime\":\"Fri Dec 17 07:27:54 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"locationname\":\"TestLoc%20DB\",\"cdport\":443,\"csport\":55018,\"sdport\":443,\"ssport\":0,\"csip\":\"0.0.0.0\",\"cdip\":\"0.0.0.0\",\"ssip\":\"0.0.0.0\",\"sdip\":\"0.0.0.0\",\"tsip\":\"0.0.0.0\",\"tunsport\":0,\"tuntype\":\"ZscalerClientConnector\",\"action\":\"Drop\",\"dnat\":\"No\",\"stateful\":\"Yes\",\"aggregate\":\"No\",\"nwsvc\":\"HTTPS\",\"nwapp\":\"http\",\"proto\":\"TCP\",\"ipcat\":\"Test Name\",\"destcountry\":\"Ireland\",\"avgduration\":486,\"rulelabel\":\"Access%20Blocked\",\"inbytes\":19052,\"outbytes\":1734,\"duration\":0,\"durationms\":486,\"numsessions\":1,\"ipsrulelabel\":\"None\",\"threatcat\":\"None\",\"threatname\":\"None\",\"deviceowner\":\"admin77\",\"devicehostname\":\"Machine9000\"}}", + "type": "info" + }, + "host": { + "hostname": "Machine9000" + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:58194" + } + }, + "network": { + "application": "http", + "protocol": "https", + "transport": "tcp" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "rule": { + "name": [ + 
"Access Blocked", + "None" + ] + }, + "server": { + "bytes": 19052, + "geo": { + "country_name": "Ireland" + } + }, + "tags": [ + "forwarded", + "zscaler_zia-firewall" + ], + "user": { + "email": "some_user@example.com", + "name": "admin77" + }, + "zscaler_zia": { + "firewall": { + "aggregate": "No", + "client": { + "destination": { + "ip": "0.0.0.0", + "port": 443 + }, + "source": { + "ip": "0.0.0.0", + "port": 55018 + } + }, + "department": "Unknown", + "duration": { + "avg": 486, + "milliseconds": 486, + "seconds": 0 + }, + "ip_category": "Test Name", + "location": { + "name": "TestLoc DB" + }, + "nat": "No", + "server": { + "destination": { + "ip": "0.0.0.0", + "port": 443 + }, + "source": { + "ip": "0.0.0.0", + "port": 0 + } + }, + "session": { + "count": 1 + }, + "stateful": "Yes", + "threat": { + "category": "None", + "name": "None" + }, + "tunnel": { + "ip": "0.0.0.0", + "port": 0, + "type": "ZscalerClientConnector" + } + } + } +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/data_stream/tunnel/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/0.1.3/data_stream/tunnel/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..030459f258 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/tunnel/agent/stream/tcp.yml.hbs @@ -0,0 +1,19 @@ +tcp: +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/zscaler_zia/0.1.3/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/0.1.3/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..a62b7ab78e --- /dev/null 
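Review bot: Each user-supplied tag is emitted as an unquoted plain scalar, `- {{tag}}`, so a tag value that contains `: ` or ` #`, or starts with a YAML indicator such as `[`, `*` or `&`, would render an invalid or mis-parsed stream configuration. Quoting the item, `- "{{tag}}"`, keeps the rendered YAML well-formed for any tag that does not itself contain a double quote; whether the template engine escapes the value is not visible here, so confirm the rendered output. The web stream template in this diff is byte-identical and has the same point.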
+++ b/packages/zscaler_zia/0.1.3/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,292 @@ +--- +description: Pipeline for Zscaler tunnel logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: resp + - rename: + field: resp.event + target_field: json + - remove: + field: resp + ignore_missing: true + - date: + field: json.datetime + target_field: "@timestamp" + ignore_failure: true + formats: + - E MMM dd HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - remove: + field: json.datetime + ignore_missing: true + - set: + field: event.category + value: network + - set: + field: event.kind + value: event + - append: + field: event.type + value: info + - rename: + field: json.recordid + target_field: event.id + ignore_missing: true + - rename: + field: json.event + target_field: event.action + ignore_missing: true + - rename: + field: json.eventreason + target_field: event.reason + ignore_missing: true + - rename: + field: json.destinationip + target_field: destination.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{destination.ip}}}" + if: ctx?.destination?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: json.destinationport + target_field: destination.port + type: long + ignore_missing: true + - remove: + field: json.destinationport + ignore_missing: true + - rename: + field: json.sourceip + target_field: source.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: json.sourceport + target_field: source.port + type: long + ignore_missing: true + - remove: + field: json.sourceport + ignore_missing: true + - urldecode: + field: json.user + target_field: user.name + ignore_missing: true + - remove: + field: json.user + ignore_missing: true + - append: + field: related.user + value: 
"{{{user.name}}}" + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.rxbytes + target_field: destination.bytes + ignore_missing: true + - rename: + field: json.rxpackets + target_field: destination.packets + ignore_missing: true + - rename: + field: json.txbytes + target_field: source.bytes + ignore_missing: true + - rename: + field: json.txpackets + target_field: source.packets + ignore_missing: true + - rename: + field: json.Recordtype + target_field: zscaler_zia.tunnel.action.type + ignore_missing: true + - urldecode: + field: json.location + target_field: zscaler_zia.tunnel.location.name + ignore_missing: true + - remove: + field: json.location + ignore_missing: true + - convert: + field: json.lifetime + target_field: zscaler_zia.tunnel.life.time + type: long + ignore_missing: true + - remove: + field: json.lifetime + ignore_missing: true + - convert: + field: json.ikeversion + target_field: zscaler_zia.tunnel.ike.version + type: integer + ignore_missing: true + - remove: + field: json.ikeversion + ignore_missing: true + - rename: + field: json.spi_in + target_field: zscaler_zia.tunnel.spi_in + ignore_missing: true + - rename: + field: json.spi_out + target_field: zscaler_zia.tunnel.spi_out + ignore_missing: true + - rename: + field: json.algo + target_field: zscaler_zia.tunnel.encryption.algorithm + ignore_missing: true + - rename: + field: json.authentication + target_field: zscaler_zia.tunnel.authentication.algorithm + ignore_missing: true + - rename: + field: json.authtype + target_field: zscaler_zia.tunnel.authentication.type + ignore_missing: true + - rename: + field: json.tunneltype + target_field: zscaler_zia.tunnel.type + ignore_missing: true + - rename: + field: json.vendorname + target_field: zscaler_zia.tunnel.vendor.name + ignore_missing: true + - convert: + field: json.sourceportstart + target_field: zscaler_zia.tunnel.source.start.port + type: long + ignore_missing: true + - remove: + field: 
json.sourceportstart + ignore_missing: true + - convert: + field: json.destinationportstart + target_field: zscaler_zia.tunnel.destination.start.port + type: long + ignore_missing: true + - remove: + field: json.destinationportstart + ignore_missing: true + - rename: + field: json.srcipstart + target_field: zscaler_zia.tunnel.source.start.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{zscaler_zia.tunnel.source.start.ip}}}" + if: ctx?.zscaler_zia?.tunnel?.source?.start?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.srcipend + target_field: zscaler_zia.tunnel.source.end.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{zscaler_zia.tunnel.source.end.ip}}}" + if: ctx?.zscaler_zia?.tunnel?.source?.end?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.destinationipstart + target_field: zscaler_zia.tunnel.destination.start.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{zscaler_zia.tunnel.destination.start.ip}}}" + if: ctx?.zscaler_zia?.tunnel?.destination?.start?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.destinationipend + target_field: zscaler_zia.tunnel.destination.end.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{zscaler_zia.tunnel.destination.end.ip}}}" + if: ctx?.zscaler_zia?.tunnel?.destination?.end?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.spi + target_field: zscaler_zia.tunnel.spi + ignore_missing: true + - rename: + field: json.protocol + target_field: zscaler_zia.tunnel.policy.protocol + ignore_missing: true + - rename: + field: json.tunnelprotocol + target_field: zscaler_zia.tunnel.protocol + ignore_missing: true + - rename: + field: json.policydirection + target_field: zscaler_zia.tunnel.policy.direction + ignore_missing: true + - convert: + field: json.lifebytes + target_field: 
zscaler_zia.tunnel.life.bytes + type: long + ignore_missing: true + - remove: + field: json.lifebytes + ignore_missing: true + - rename: + field: json.dpdrec + target_field: zscaler_zia.tunnel.dpd_packets + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - script: + description: Adds all the remaining fields in fields under zscaler_zia.tunnel + lang: painless + if: ctx.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.zscaler_zia.tunnel[m.getKey()] = m.getValue(); + } + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: +- set: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/agent.yml b/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/agent.yml 
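Review bot: The second painless script dereferences `ctx.zscaler_zia.tunnel[...]` while its condition only checks `ctx.json != null`, so an event in which none of the `json.*` → `zscaler_zia.tunnel.*` renames matched, or in which the preceding drop-empty script removed the emptied map, fails with a null pointer and is indexed with only `error.message` set by `on_failure`. Guard the target map as well, e.g. `if: ctx.json != null && ctx.zscaler_zia?.tunnel != null`, or initialise `ctx.zscaler_zia.tunnel` inside the script before the loop. Copying every remaining `json` key verbatim into `zscaler_zia.tunnel` also means any new or unexpected key emitted by the source becomes a field name; whether that creates dynamic mappings depends on the index template, which is outside this hunk. The `date` processor lists `E MMM d HH:mm:ss yyyy` twice; if the second entry was meant to be the variant with a space-padded day it is not distinguishable in this view, otherwise one copy is redundant, and the same formats list appears in the web pipeline hunk.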
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/base-fields.yml b/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/base-fields.yml new file mode 100755 index 0000000000..14fc7f2ee9 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: zscaler_zia +- name: event.dataset + type: constant_keyword + description: Event dataset + value: zscaler_zia.tunnel diff --git a/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/ecs.yml b/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/ecs.yml new file mode 100755 index 0000000000..dd5fc52981 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/ecs.yml 
@@ -0,0 +1,57 @@ +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: IP address of the source (IPv4 or IPv6). 
+ name: source.ip + type: ip +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/fields.yml b/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/fields.yml new file mode 100755 index 0000000000..a0a7e50774 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/tunnel/fields/fields.yml 
@@ -0,0 +1,113 @@ +- name: zscaler_zia.tunnel + type: group + fields: + - name: action.type + type: keyword + description: | + Type of the record. Possible values [ WL_TUNNEL_IPSECPHASE1, WL_TUNNEL_IPSECPHASE2, WL_TUNNEL_EVENT, WL_TUNNEL_SAMPLES ]. + - name: authentication + type: group + fields: + - name: algorithm + type: keyword + description: | + Authentication algorithm. + - name: type + type: keyword + description: | + Authentication type. + - name: destination.end.ip + type: keyword + description: | + Phase 2 policy proposal - Destination IP end. + - name: destination.start + type: group + fields: + - name: ip + type: keyword + description: | + Phase 2 policy proposal - Destination IP start. + - name: port + type: long + description: | + Phase 2 policy proposal - Destination port end. + - name: dpd_packets + type: keyword + description: | + Number of DPD packets received in 60-second sample window. + - name: encryption.algorithm + type: keyword + description: | + Encryption algorithm. + - name: ike.version + type: long + description: | + IKE version (1 or 2). + - name: life + type: group + fields: + - name: bytes + type: long + description: | + Life bytes (number of traffic to be transacted through tunnel before renegotiation). + - name: time + type: long + description: | + Lifetime of IKE Phase 1/2 in seconds. + - name: location.name + type: keyword + description: | + Location name. + - name: policy + type: group + fields: + - name: direction + type: keyword + description: | + N/A + - name: protocol + type: keyword + description: | + Phase 2 policy proposal - Protocol. + - name: protocol + type: keyword + description: | + IPSec tunnel protocol type (Zscaler only supports ESP). + - name: source.end.ip + type: keyword + description: | + Phase 2 policy proposal - Source IP end. + - name: source.start + type: group + fields: + - name: ip + type: keyword + description: | + Phase 2 policy proposal - Source IP start. 
+ - name: port + type: long + description: | + Phase 2 policy proposal - Source port start. + - name: spi + type: keyword + description: | + Security Parameter Index. + - name: spi_in + type: keyword + description: | + Initiator cookie. + - name: spi_out + type: keyword + description: | + Responder cookie. + - name: type + type: keyword + description: | + Tunnel type. + - name: vendor.name + type: keyword + description: |- + Vendor name of the edge device. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zia/0.1.3/data_stream/tunnel/manifest.yml b/packages/zscaler_zia/0.1.3/data_stream/tunnel/manifest.yml new file mode 100755 index 0000000000..477b606f29 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/tunnel/manifest.yml 
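Review bot: `destination.start.port` is documented as `Phase 2 policy proposal - Destination port end.` although the field is the start port; it should read `Phase 2 policy proposal - Destination port start.`, matching its `source.start.port` counterpart. The range fields `source.start.ip`, `source.end.ip`, `destination.start.ip` and `destination.end.ip` are mapped `keyword` even though the pipeline appends them to the `ip`-typed `related.ip`; mapping them as `type: ip` would allow CIDR queries on them, provided the source always emits addresses. `dpd_packets` is described as a count of packets but mapped `keyword`, which rules out range and aggregation queries on it. The `action.type` description lists `WL_TUNNEL_*` values while the sample event in this diff carries `IPSec Phase2`, so the documented value set may not match what the pipeline actually stores.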
@@ -0,0 +1,41 @@ +title: Tunnel Logs +type: logs +streams: + - input: tcp + template_path: tcp.yml.hbs + title: Zscaler Internet Access Tunnel Logs + description: Collect Zscaler Internet Access Tunnel Logs using tcp input + vars: + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9013 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - zscaler_zia-tunnel + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zscaler_zia/0.1.3/data_stream/tunnel/sample_event.json b/packages/zscaler_zia/0.1.3/data_stream/tunnel/sample_event.json new file mode 100755 index 0000000000..eebfed78d8 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/tunnel/sample_event.json 
@@ -0,0 +1,115 @@ +{ + "@timestamp": "2021-12-30T11:20:12.000Z", + "agent": { + "ephemeral_id": "63ac98b6-0ff6-4943-820e-8505eff15937", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "data_stream": { + "dataset": "zscaler_zia.tunnel", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "dataset": "zscaler_zia.tunnel", + "id": "1111111111111111111", + "ingested": "2022-02-04T06:36:16Z", + "kind": "event", + "type": [ + "info" + ] + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:44374" + } + }, + "related": { + "ip": [ + "81.2.69.143", + "81.2.69.145" + ], + "user": [ + "81.2.69.145" + ] + }, + "source": { + "ip": "81.2.69.145", + "port": 0 + }, + "tags": [ + "forwarded", + "zscaler_zia-tunnel" + ], + "user": { + "name": "81.2.69.145" + }, + "zscaler_zia": { + "tunnel": { + "action": { + "type": "IPSec Phase2" + }, + "authentication": { + "algorithm": "HMAC-SHA-1", + "type": "None" + }, + "destination": { + "end": { + "ip": "81.2.69.143" + }, + "start": { + "ip": "81.2.69.143", + "port": 0 + } + }, + "encryption": { + "algorithm": "AES" + }, + "ike": { + "version": 1 + }, + "life": { + "bytes": 0, + "time": 3600 + }, + "location": { + "name": "some-location" + }, + "policy": { + "direction": "Inbound SA Policy", + "protocol": "Any" + }, + "protocol": "ESP", + "source": { + "end": { + "ip": "81.2.69.145" + }, + "start": { + "ip": "81.2.69.145", + "port": 0 + } + }, + "spi": "123456789", + "type": "IPSEC IKEV 1" + } + } +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/data_stream/web/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/0.1.3/data_stream/web/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..030459f258 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/web/agent/stream/tcp.yml.hbs @@ -0,0 +1,19 @@ +tcp: +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/zscaler_zia/0.1.3/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/0.1.3/data_stream/web/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..035e7682c1 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/data_stream/web/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,311 @@
+---
+description: Pipeline for Zscaler web logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: resp
+ - rename:
+ field: resp.event
+ target_field: json
+ - remove:
+ field: resp
+ ignore_missing: true
+ - date:
+ field: json.time
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - E MMM dd HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - E MMM d HH:mm:ss yyyy
+ - remove:
+ field: json.time
+ ignore_missing: true
+ - set:
+ field: event.category
+ value: web
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.type
+ value: info
+ - rename:
+ field: json.cip
+ target_field: client.ip
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{{client.ip}}}"
+ if: ctx?.client?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.sip
+ target_field: client.nat.ip
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{{client.nat.ip}}}"
+ if: ctx?.client?.nat?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.deviceowner
+ target_field: client.user.name
+ ignore_missing: true
+ - convert:
+ field: json.reqsize
+ target_field: http.request.bytes
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.reqsize
+ ignore_missing: true
+ - rename:
+ field: json.reqmethod
+ target_field: http.request.method
+ ignore_missing: true
+ - rename:
+ field: json.contenttype
+ target_field: http.request.mime_type
+ ignore_missing: true
+ - rename:
+ field: json.ereferer
+ target_field: http.request.referrer
+ ignore_missing: true
+ - convert:
+ field: json.respsize
+ target_field: http.response.bytes
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.respsize
+ ignore_missing: true
+ - convert:
+ field: json.respcode
+ target_field: http.response.status_code
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.respcode
+ ignore_missing: true
+ - rename:
+ field: json.proto
+ target_field: network.protocol
+ ignore_missing: true
+ - lowercase:
+ field: network.protocol
+ ignore_missing: true
+ - rename:
+ field: json.rulelabel
+ target_field: rule.name
+ ignore_missing: true
+ - rename:
+ field: json.ruletype
+ target_field: rule.ruleset
+ ignore_missing: true
+ - uri_parts:
+ field: json.eurl
+ remove_if_successful: true
+ on_failure:
+ - set:
+ field: url.original
+ value: "{{{json.eurl}}}"
+ if: ctx?.json?.eurl != null
+ ignore_failure: true
+ - remove:
+ field: json.eurl
+ ignore_missing: true
+ - urldecode:
+ field: url.original
+ ignore_missing: true
+ - user_agent:
+ field: json.ua
+ ignore_failure: true
+ - remove:
+ field: json.ua
+ ignore_missing: true
+ - rename:
+ field: json.login
+ target_field: user.email
+ ignore_missing: true
+ - rename:
+ field: json.action
+ target_field: event.action
+ ignore_missing: true
+ - lowercase:
+ field: event.action
+ ignore_missing: true
+ - rename:
+ field: json.appname
+ target_field: zscaler_zia.web.app.name
+ ignore_missing: true
+ - rename:
+ field: json.appclass
+ target_field: zscaler_zia.web.app.class
+ ignore_missing: true
+ - convert:
+ field: json.stime
+ target_field: zscaler_zia.web.stime
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.stime
+ ignore_missing: true
+ - convert:
+ field: json.ctime
+ target_field: zscaler_zia.web.ctime
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.ctime
+ ignore_missing: true
+ - rename:
+ field: json.urlclass
+ target_field: zscaler_zia.web.url.class
+ ignore_missing: true
+ - rename:
+ field: json.urlsupercat
+ target_field: zscaler_zia.web.url.category.super
+ ignore_missing: true
+ - rename:
+ field: json.urlcat
+ target_field: zscaler_zia.web.url.category.sub
+ ignore_missing: true
+ - rename:
+ field: json.malwarecat
+ target_field: zscaler_zia.web.malware.category
+ ignore_missing: true
+ - rename:
+ field: json.threatname
+ target_field: zscaler_zia.web.threat.name
+ ignore_missing: true
+ - convert:
+ field: json.riskscore
+ target_field: event.risk_score
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.riskscore
+ ignore_missing: true
+ - rename:
+ field: json.dlpeng
+ target_field: zscaler_zia.web.dpl.engine
+ ignore_missing: true
+ - rename:
+ field: json.dlpdict
+ target_field: zscaler_zia.web.dpl.dictionaries
+ ignore_missing: true
+ - rename:
+ field: json.location
+ target_field: zscaler_zia.web.location
+ ignore_missing: true
+ - rename:
+ field: json.dept
+ target_field: zscaler_zia.web.department
+ ignore_missing: true
+ - rename:
+ field: json.unscannabletype
+ target_field: zscaler_zia.web.unscannable.type
+ ignore_missing: true
+ - rename:
+ field: json.devicehostname
+ target_field: zscaler_zia.web.device.hostname
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: "{{{zscaler_zia.web.device.hostname}}}"
+ if: ctx?.zscaler_zia?.web?.device?.hostname != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.bwthrottle
+ target_field: zscaler_zia.web.bandwidth_throttle
+ ignore_missing: true
+ - rename:
+ field: json.cintip
+ target_field: zscaler_zia.web.client.internet.ip
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{{zscaler_zia.web.client.internet.ip}}}"
+ if: ctx?.zscaler_zia?.web?.client?.internet?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.ehost
+ target_field: zscaler_zia.web.encoded_host
+ ignore_missing: true
+ - rename:
+ field: json.fileclass
+ target_field: zscaler_zia.web.file.class
+ ignore_missing: true
+ - rename:
+ field: json.filetype
+ target_field: zscaler_zia.web.file.type
+ ignore_missing: true
+ - rename:
+ field: json.malwareclass
+ target_field: zscaler_zia.web.malware.class
+ ignore_missing: true
+ - rename:
+ field: json.reason
+ target_field: event.reason
+ ignore_missing: true
+ - rename:
+ field: json.recordid
+ target_field: zscaler_zia.web.record.id
+ ignore_missing: true
+ - convert:
+ field: json.totalsize
+ target_field: zscaler_zia.web.total.size
+ type: long
+ ignore_failure: true
+ - remove:
+ field: json.totalsize
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - script:
+ description: Adds all the remaining fields in fields under zscaler_zia.web
+ lang: painless
+ if: ctx.json != null
+ source: |
+ for (Map.Entry m : ctx.json.entrySet()) {
+ ctx.zscaler_zia.web[m.getKey()] = m.getValue();
+ }
+ - remove:
+ field: json
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/zscaler_zia/0.1.3/data_stream/web/fields/agent.yml b/packages/zscaler_zia/0.1.3/data_stream/web/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/web/fields/agent.yml
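Review bot: The second `script` processor indexes into `ctx.zscaler_zia.web[...]` but its `if` only checks `ctx.json != null`; when no earlier `rename` created `zscaler_zia.web` (or the preceding drop-empty script removed it because every value under it was empty) this throws a null pointer error and the whole event lands in `on_failure` with only `error.message` set. Guarding with `if: ctx.json != null && ctx.zscaler_zia?.web != null`, or creating the map inside the script before the loop, would keep the remaining `json` keys instead. Separately, `uri_parts` on `json.eurl` runs on values that carry no scheme, and the sample event later in this diff shows the result: `url.path: "www.example.com"` and `url.extension: "com"` for what is actually a host, so a comment on that processor noting the limitation would save the next reader from trusting `url.path` for scheme-less entries. The `convert` of `json.riskscore` uses `type: long` while `event.risk_score` is declared `float` in ecs.yml further down in this diff; `type: float` would match the mapping.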
@@ -0,0 +1,204 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/zscaler_zia/0.1.3/data_stream/web/fields/base-fields.yml b/packages/zscaler_zia/0.1.3/data_stream/web/fields/base-fields.yml
new file mode 100755
index 0000000000..9a074d3470
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/web/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: zscaler_zia
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: zscaler_zia.web
diff --git a/packages/zscaler_zia/0.1.3/data_stream/web/fields/ecs.yml b/packages/zscaler_zia/0.1.3/data_stream/web/fields/ecs.yml
new file mode 100755
index 0000000000..d68abd8ab9
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/web/fields/ecs.yml
@@ -0,0 +1,151 @@
+- description: IP address of the client (IPv4 or IPv6).
+ name: client.ip
+ type: ip
+- description: |-
+ Translated IP of source based NAT sessions (e.g. internal client to internet).
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: client.nat.ip
+ type: ip
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: client.user.name
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+ name: event.risk_score
+ type: float
+- description: Total size in bytes of the request (body and headers).
+ name: http.request.bytes
+ type: long
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method
+ type: keyword
+- description: |-
+ Mime type of the body of the request.
+ This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.
+ name: http.request.mime_type
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: Total size in bytes of the response (body and headers).
+ name: http.response.bytes
+ type: long
+- description: HTTP response status code.
+ name: http.response.status_code
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+ name: rule.ruleset
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ The field contains the file extension from the original request url, excluding the leading dot.
+ The file extension is only set if it exists, as not every url has a file extension.
+ The leading period must not be included. For example, the value must be "png", not ".png".
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: url.extension
+ type: keyword
+- description: |-
+ Portion of the url after the `#`, such as "top".
+ The `#` is not part of the fragment.
+ name: url.fragment
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Password of the request.
+ name: url.password
+ type: keyword
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: Port of the request, such as 443.
+ name: url.port
+ type: long
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ Scheme of the request, such as "https".
+ Note: The `:` is not part of the scheme.
+ name: url.scheme
+ type: keyword
+- description: Username of the request.
+ name: url.username
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: Name of the device.
+ name: user_agent.device.name
+ type: keyword
+- description: Name of the user agent.
+ name: user_agent.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.full
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.name
+ type: keyword
+- description: Operating system version as a raw string.
+ name: user_agent.os.version
+ type: keyword
+- description: Version of the user agent.
+ name: user_agent.version
+ type: keyword
diff --git a/packages/zscaler_zia/0.1.3/data_stream/web/fields/fields.yml b/packages/zscaler_zia/0.1.3/data_stream/web/fields/fields.yml
new file mode 100755
index 0000000000..fcfdd76d8d
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/web/fields/fields.yml
@@ -0,0 +1,116 @@
+- name: zscaler_zia.web
+ type: group
+ fields:
+ - name: app
+ type: group
+ fields:
+ - name: class
+ type: keyword
+ description: |
+ The web application class of the application that was accessed. Equivalent to module.
+ - name: name
+ type: keyword
+ description: |
+ Cloud application name.
+ - name: bandwidth_throttle
+ type: keyword
+ description: |
+ Indicates whether the transaction was throttled due to a configured bandwidth policy.
+ - name: client.internet.ip
+ type: keyword
+ description: |
+ The client Internet (NATted Public) IP address. This is different from the cip value if the internal IP address is visible. Otherwise, same as cip.
+ - name: ctime
+ type: long
+ description: |
+ The time from when the first byte of the request hits the ZEN to the time in which the last byte of the response is sent from the ZEN back to the browser.
+ - name: department
+ type: keyword
+ description: |
+ Department of the user.
+ - name: device.hostname
+ type: keyword
+ description: |
+ The obfuscated version of the device owner. This field must be changed manually.
+ - name: dpl
+ type: group
+ fields:
+ - name: dictionaries
+ type: keyword
+ description: |
+ The DLP dictionaries that were matched, if any.
+ - name: engine
+ type: keyword
+ description: |
+ The DLP engine that was matched, if any.
+ - name: encoded_host
+ type: keyword
+ description: |
+ Encoded version of the destination host name.
+ - name: file
+ type: group
+ fields:
+ - name: class
+ type: keyword
+ description: |
+ Type of file associated with the transaction.
+ - name: type
+ type: keyword
+ description: |
+ Type of file associated with the transaction.
+ - name: location
+ type: keyword
+ description: |
+ Gateway location or sub-location of the source.
+ - name: malware
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: |
+ The category of malware that was detected in the transaction, if any. Also indicates if a file was submitted to the Sandbox engine for analysis and the result of the analysis.
+ - name: class
+ type: keyword
+ description: |
+ The class of malware that was detected in the transaction, if any.
+ - name: record.id
+ type: keyword
+ description: |
+ N/A
+ - name: stime
+ type: long
+ description: |
+ The round trip time between the ZEN request and the server.
+ - name: threat.name
+ type: keyword
+ description: |
+ The name of the threat that was detected in the transaction, if any.
+ - name: total.size
+ type: long
+ description: |
+ Total size, in bytes, of the HTTP transaction; sum of the total request size and total response size.
+ - name: unscannable.type
+ type: keyword
+ description: |
+ Unscannable file type.
+ - name: url
+ type: group
+ fields:
+ - name: category
+ type: group
+ fields:
+ - name: sub
+ type: keyword
+ description: |
+ Category of the destination URL.
+ - name: super
+ type: keyword
+ description: |
+ Super category of the destination URL.
+ - name: class
+ type: keyword
+ description: |-
+ Class of the destination URL.
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/zscaler_zia/0.1.3/data_stream/web/manifest.yml b/packages/zscaler_zia/0.1.3/data_stream/web/manifest.yml
new file mode 100755
index 0000000000..c7ec897dbb
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/web/manifest.yml
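Review bot: `client.internet.ip` is declared `type: keyword` although the pipeline earlier in this diff appends its value to `related.ip`, an `ip` field; declaring it `type: ip` would allow CIDR queries on it and would surface malformed values at index time instead of passing them through silently. The `dpl` group (`dpl.engine`, `dpl.dictionaries`) is fed from `json.dlpeng`/`json.dlpdict` and its own descriptions say DLP, so `dpl` looks like a transposition; renaming is a mapping change, so if it is kept, a comment such as `# "dpl" is the established name; the source keys are dlpeng/dlpdict` would stop a later cleanup from breaking existing documents. `file.class` and `file.type` carry the identical description "Type of file associated with the transaction." and `record.id` is documented as `N/A`; replacing those with the vendor's actual definitions would make the field reference usable.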
@@ -0,0 +1,41 @@
+title: Web Logs
+type: logs
+streams:
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: Zscaler Internet Access Web Logs
+ description: Collect Zscaler Internet Access Web Logs using tcp input
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9014
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - zscaler_zia-web
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zscaler_zia/0.1.3/data_stream/web/sample_event.json b/packages/zscaler_zia/0.1.3/data_stream/web/sample_event.json
new file mode 100755
index 0000000000..7d38b9cbfe
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/data_stream/web/sample_event.json
@@ -0,0 +1,140 @@
+{
+ "@timestamp": "2021-12-17T07:04:57.000Z",
+ "agent": {
+ "ephemeral_id": "ced1fd2e-2f17-4f67-b8b1-d38a1920abbb",
+ "hostname": "docker-fleet-agent",
+ "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "client": {
+ "ip": "81.2.69.193",
+ "nat": {
+ "ip": "81.2.69.145"
+ },
+ "user": {
+ "name": "administrator1"
+ }
+ },
+ "data_stream": {
+ "dataset": "zscaler_zia.web",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "action": "blocked",
+ "agent_id_status": "verified",
+ "category": "web",
+ "dataset": "zscaler_zia.web",
+ "ingested": "2022-02-04T08:48:57Z",
+ "kind": "event",
+ "risk_score": 0,
+ "type": [
+ "info"
+ ]
+ },
+ "http": {
+ "request": {
+ "bytes": 600,
+ "method": "CONNECT",
+ "mime_type": "Other",
+ "referrer": "None"
+ },
+ "response": {
+ "bytes": 65,
+ "status_code": 200
+ }
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "172.21.0.7:48722"
+ }
+ },
+ "network": {
+ "protocol": "http_proxy"
+ },
+ "related": {
+ "hosts": [
+ "TestMachine35"
+ ],
+ "ip": [
+ "81.2.69.193",
+ "81.2.69.145"
+ ]
+ },
+ "rule": {
+ "name": "Zscaler Proxy Traffic",
+ "ruleset": "FwFilter"
+ },
+ "tags": [
+ "forwarded",
+ "zscaler_zia-web"
+ ],
+ "url": {
+ "extension": "com",
+ "original": "www.example.com",
+ "path": "www.example.com"
+ },
+ "user": {
+ "email": "test@example.com"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "Windows Microsoft Windows 10 Pro ZTunnel/1.0",
+ "os": {
+ "full": "Windows 10",
+ "name": "Windows",
+ "version": "10"
+ }
+ },
+ "zscaler_zia": {
+ "web": {
+ "app": {
+ "class": "General Browsing",
+ "name": "General Browsing"
+ },
+ "ctime": 0,
+ "department": "Unknown",
+ "device": {
+ "hostname": "TestMachine35"
+ },
+ "dpl": {
+ "dictionaries": "None",
+ "engine": "None"
+ },
+ "location": "Test DB",
+ "malware": {
+ "category": "None"
+ },
+ "stime": 0,
+ "threat": {
+ "name": "None"
+ },
+ "unscannable": {
+ "type": "None"
+ },
+ "url": {
+ "category": {
+ "sub": "Web Search",
+ "super": "Information Technology"
+ },
+ "class": "Business Use"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/zscaler_zia/0.1.3/docs/README.md b/packages/zscaler_zia/0.1.3/docs/README.md
new file mode 100755
index 0000000000..c0373934ff
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/docs/README.md
@@ -0,0 +1,1154 @@ +# Zscaler ZIA + +This integration is for Zscaler Internet Access logs. It can be used +to receive logs sent by NSS log server on respective TCP ports. + +The log message is expected to be in JSON format. The data is mapped to +ECS fields where applicable and the remaining fields are written under +`zscaler_zia..*`. + +## Setup steps + +1. Enable the integration with the TCP input. +2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). Use the IP address hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen. To configure Zscalar NSS Server and NSS Feeds follow the following steps. + - In the ZIA Admin Portal, add an NSS Server. + - Log in to the ZIA Admin Portal using your admin account. If you're unable to log in, contact Support. + - Add an NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall. + - Verify that the state of the NSS Server is healthy. + - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > NSS Servers. + - In the State column, confirm that the state of the NSS server is healthy. + ![NSS server setup image](../img/nss_server.png?raw=true) + - In the ZIA Admin Portal, add an NSS Feed. + - Refer to [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds) and select the type of feed you want to configure. The following fields require specific inputs: + - **SIEM IP Address**: Enter the IP address of the [_Elastic agent_](https://www.elastic.co/guide/en/fleet/current/fleet-overview.html) you’ll be assigning the Zscaler integration to. 
+ - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. You will need to create an NSS Feed for each log type. + - **Alerts**: 9010 + - **DNS**: 9011 + - **Firewall**: 9012 + - **Tunnel**: 9013 + - **Web**: 9014 + - **Feed Output Type**: Select Custom paste the appropriate response format as follows: + ![NSS feeds setup image](../img/nss_feeds.png?raw=true) + +3. *Please make sure to use the given response formats.* + +## Compatibility + +This package has been tested against `Zscaler Internet Access version 6.1` + +## Documentation and configuration + +### Alerts + +Default port: _9010_ + +Vendor documentation: https://help.zscaler.com/zia/about-alerts + +Zscaler response format: +``` +<%d{syslogid}>%s{Monthname} %2d{Dayofmonth} %02d{Hour}:%02d{Minutes}:%02d{Seconds} [%s{Deviceip}] ZscalerNSS: %s{Eventinfo}\n +``` + +Sample Response: +``` +<114>Dec 10 14:04:28 [175.16.199.1] ZscalerNSS: Zscaler cloud configuration connection to 175.16.199.1:443 lost and unavailable for the past 2325.00 minutes +``` + +### DNS Log + +Default port: _9011_ + +Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-dns-logs + +Zscaler response format: +``` +\{ "sourcetype" : "zscalernss-dns", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\} +``` + +Sample Response: +```json +{ "sourcetype" : "zscalernss-dns", "event" :{"datetime":"Fri Dec 17 07:27:54 2021","user":"some_user@example.com","department":"Unknown","location":"TestLoc%20DB","reqaction":"REQ_ALLOW","resaction":"Some Response 
Action","reqrulelabel":"Access%20Blocked","resrulelabel":"None","dns_reqtype":"Some type","dns_req":"example.com","dns_resp":"Some response string","srv_dport":"8080","durationms":"123456","clt_sip":"81.2.69.193","srv_dip":"81.2.69.144","category":"Professional Services","deviceowner":"Owner77","devicehostname":"Machine9000"}} +``` + +### Firewall Log + +Default port: _9012_ + +Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs + +Zscaler response format: +``` +\{ "sourcetype" : "zscalernss-fw", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","locationname":"%s{elocation}","cdport":"%d{cdport}","csport":"%d{csport}","sdport":"%d{sdport}","ssport":"%d{ssport}","csip":"%s{csip}","cdip":"%s{cdip}","ssip":"%s{ssip}","sdip":"%s{sdip}","tsip":"%s{tsip}","tunsport":"%d{tsport}","tuntype":"%s{ttype}","action":"%s{action}","dnat":"%s{dnat}","stateful":"%s{stateful}","aggregate":"%s{aggregate}","nwsvc":"%s{nwsvc}","nwapp":"%s{nwapp}","proto":"%s{ipproto}","ipcat":"%s{ipcat}","destcountry":"%s{destcountry}","avgduration":"%d{avgduration}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","duration":"%d{duration}","durationms":"%d{durationms}","numsessions":"%d{numsessions}","ipsrulelabel":"%s{ipsrulelabel}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\} +``` + +Sample Response: +```json +{ "sourcetype" : "zscalernss-fw", "event" :{"datetime":"Fri Dec 17 07:27:54 2021","user":"some_user@example.com","department":"Unknown","locationname":"TestLoc%20DB","cdport":443,"csport":55018,"sdport":443,"ssport":0,"csip":"0.0.0.0","cdip":"0.0.0.0","ssip":"0.0.0.0","sdip":"0.0.0.0","tsip":"0.0.0.0","tunsport":0,"tuntype":"ZscalerClientConnector","action":"Drop","dnat":"No","stateful":"Yes","aggregate":"No","nwsvc":"HTTPS","nwapp":"http","proto":"TCP","ipcat":"Test 
Name","destcountry":"Ireland","avgduration":486,"rulelabel":"Access%20Blocked","inbytes":19052,"outbytes":1734,"duration":0,"durationms":486,"numsessions":1,"ipsrulelabel":"None","threatcat":"None","threatname":"None","deviceowner":"admin77","devicehostname":"Machine9000"}} +``` + +### Tunnel Log + +Default port: _9013_ + +Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-tunnel-logs + +Zscaler response format: +- Tunnel Event: + ``` + \{ "sourcetype" : "zscalernss-tunnel", "event" : \{"datetime":"%s{datetime}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","user":"%s{vpncredentialname}","location":"%s{elocationname}","sourceip":"%s{sourceip}","destinationip":"%s{destvip}","sourceport":"%d{srcport}","event":"%s{event}","eventreason":"%s{eventreason}","recordid":"%d{recordid}"\}\} + ``` +- Sample Event: + ``` + \{ "sourcetype" : "zscalernss-tunnel", "event" : \{"datetime":"%s{datetime}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","user":"%s{vpncredentialname}","location":"%s{elocationname}","sourceip":"%s{sourceip}","destinationip":"%s{destvip}","sourceport":"%d{srcport}","txbytes":"%lu{txbytes}","rxbytes":"%lu{rxbytes}","dpdrec":"%d{dpdrec}","recordid":"%d{recordid}"\}\} + ``` +- IKE Phase 1 + ``` + \{ "sourcetype" : "zscalernss-tunnel", "event" : \{"datetime":"%s{datetime}","Recordtype":"%s{tunnelactionname}","tunneltype":"IPSEC IKEV %d{ikeversion}","user":"%s{vpncredentialname}","location":"%s{elocationname}","sourceip":"%s{sourceip}","destinationip":"%s{destvip}","sourceport":"%d{srcport}","destinationport":"%d{dstport}","lifetime":"%d{lifetime}","ikeversion":"%d{ikeversion}","spi_in":"%lu{spi_in}","spi_out":"%lu{spi_out}","algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","recordid":"%d{recordid}"\}\} + ``` +- IKE Phase 2 + ``` + \{ "sourcetype" : "zscalernss-tunnel", "event" : \{"datetime":"%s{datetime}","Recordtype":"%s{tunnelactionname}","tunneltype":"IPSEC IKEV 
%d{ikeversion}","user":"%s{vpncredentialname}","location":"%s{elocationname}","sourceip":"%s{sourceip}","destinationip":"%s{destvip}","sourceport":"%d{srcport}","sourceportstart":"%d{srcportstart}","destinationportstart":"%d{destportstart}","srcipstart":"%s{srcipstart}","srcipend":"%s{srcipend}","destinationipstart":"%s{destipstart}","destinationipend":"%s{destipend}","lifetime":"%d{lifetime}","ikeversion":"%d{ikeversion}","lifebytes":"%d{lifebytes}","spi":"%d{spi}","algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","protocol":"%s{protocol}","tunnelprotocol":"%s{tunnelprotocol}","policydirection":"%s{policydirection}","recordid":"%d{recordid}"\}\} + ``` + +Sample Response: +```json +{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 30 11:40:27 2021","Recordtype":"IPSec Phase1","tunneltype":"IPSEC IKEV 2","user":"81.2.69.145","location":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","destinationport":"500","lifetime":"0","ikeversion":"2","spi_in":"00000000000000000000","spi_out":"11111111111111111111","algo":"AES-CBS","authentication":"HMAC-SHA1-96","authtype":"PSK","recordid":"1111111111111111111"}} +``` + +### Web Log + +Default port: _9014_ +Add characters **"** and **\\** in **feed escape character** while configuring Web Log. 
+ +![Escape feed setup image](../img/escape_feed.png?raw=true) +Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-web-logs + +Zscaler response format: +``` +\{ "sourcetype" : "zscalernss-web", "event" :\{"time":"%s{time}","login":"%s{login}","proto":"%s{proto}","eurl":"%s{eurl}","action":"%s{action}","appname":"%s{appname}","appclass":"%s{appclass}","reqsize":"%d{reqsize}","respsize":"%d{respsize}","stime":"%d{stime}","ctime":"%d{ctime}","urlclass":"%s{urlclass}","urlsupercat":"%s{urlsupercat}","urlcat":"%s{urlcat}","malwarecat":"%s{malwarecat}","threatname":"%s{threatname}","riskscore":"%d{riskscore}","dlpeng":"%s{dlpeng}","dlpdict":"%s{dlpdict}","location":"%s{location}","dept":"%s{dept}","cip":"%s{cip}","sip":"%s{sip}","reqmethod":"%s{reqmethod}","respcode":"%s{respcode}","ua":"%s{ua}","ereferer":"%s{ereferer}","ruletype":"%s{ruletype}","rulelabel":"%s{rulelabel}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\} +``` + +Sample Response: +```json +{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:04:57 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"browser.events.data.msn.com:443","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.145","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} +``` + +## Fields and Sample event + +### Alerts + +**Exported fields** + +| 
Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.ip | All of the IPs seen on your event. | ip | +| tags | List of keywords used to tag each event. | keyword | +| zscaler_zia.alerts.connection_lost_minutes | Amount of time after loosing connection to a server in Minutes. | double | +| zscaler_zia.alerts.log_feed_name | Name of the NSS log feed. 
| keyword | + + +An example event for `alerts` looks as following: + +```json +{ + "@timestamp": "2022-12-10T13:40:32.000Z", + "agent": { + "ephemeral_id": "8c093fcf-fb2f-4baa-b794-40edb011194d", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "data_stream": { + "dataset": "zscaler_zia.alerts", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.193", + "ip": "81.2.69.193", + "port": 9012 + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "dataset": "zscaler_zia.alerts", + "ingested": "2022-02-04T06:31:25Z" + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:32902" + }, + "syslog": { + "priority": 114 + } + }, + "message": "ZscalerNSS: SIEM Feed connection \"DNS Logs Feed\" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes", + "related": { + "ip": [ + "81.2.69.193" + ] + }, + "tags": [ + "forwarded", + "zscaler_zia-alerts" + ], + "zscaler_zia": { + "alerts": { + "connection_lost_minutes": 2440, + "log_feed_name": "DNS Logs Feed" + } + } +} +``` + +## DNS Logs + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). 
| ip | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. 
| keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| server.geo.city_name | City name. | keyword | +| server.geo.continent_name | Name of the continent. | keyword | +| server.geo.country_iso_code | Country ISO code. | keyword | +| server.geo.country_name | Country name. | keyword | +| server.geo.location | Longitude and latitude. | geo_point | +| server.geo.region_iso_code | Region ISO code. | keyword | +| server.geo.region_name | Region name. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| zscaler_zia.dns.department | Department of the user. | keyword | +| zscaler_zia.dns.dom.category | URL Category of the FQDN in the DNS request. | keyword | +| zscaler_zia.dns.duration.milliseconds | Duration of the DNS request in milliseconds. | long | +| zscaler_zia.dns.hostname | N/A | keyword | +| zscaler_zia.dns.location | Gateway location or sub-location of the source. 
| keyword | +| zscaler_zia.dns.request.action | Name of the action that was applied to the DNS request. | keyword | +| zscaler_zia.dns.request.rule.label | Name of the rule that was applied to the DNS request. | keyword | +| zscaler_zia.dns.response.action | Name of the action that was applied to the DNS response. | keyword | +| zscaler_zia.dns.response.rule.label | Name of the rule that was applied to the DNS response. | keyword | + + +An example event for `dns` looks as following: + +```json +{ + "@timestamp": "2021-12-17T07:27:54.000Z", + "agent": { + "ephemeral_id": "d288c261-b8db-45af-99c0-a673c3c6d8e1", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.193" + }, + "data_stream": { + "dataset": "zscaler_zia.dns", + "namespace": "ep", + "type": "logs" + }, + "dns": { + "answers": { + "name": "Some response string" + }, + "question": { + "name": "example.com", + "type": "Some type" + } + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "dataset": "zscaler_zia.dns", + "ingested": "2022-02-04T06:32:56Z", + "kind": "event", + "type": [ + "info" + ] + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:54202" + } + }, + "related": { + "hosts": [ + "Machine9000" + ], + "ip": [ + "81.2.69.193", + "81.2.69.144" + ] + }, + "server": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + 
"location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 8080 + }, + "tags": [ + "forwarded", + "zscaler_zia-dns" + ], + "user": { + "email": "some_user@example.com", + "name": "Owner77" + }, + "zscaler_zia": { + "dns": { + "department": "Unknown", + "dom": { + "category": "Professional Services" + }, + "duration": { + "milliseconds": 123456 + }, + "hostname": "Machine9000", + "location": "TestLoc DB", + "request": { + "action": "REQ_ALLOW", + "rule": { + "label": "Access Blocked" + } + }, + "response": { + "action": "Some Response Action", + "rule": { + "label": "None" + } + } + } + } +} +``` + +## Firewall Logs + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.bytes | Bytes sent from the client to the server. | long | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. 
| keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. 
| keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| log.source.address | Source address from which the log event was read / sent from. | keyword |
+| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| server.bytes | Bytes sent from the server to the client. | long |
+| server.geo.country_name | Country name. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| user.email | User email address. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| zscaler_zia.firewall.aggregate | | keyword |
+| zscaler_zia.firewall.client.destination.ip | Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. | keyword |
+| zscaler_zia.firewall.client.destination.port | Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate. | double |
+| zscaler_zia.firewall.client.source.ip | Client source IP address. For aggregated sessions, this is the client source IP address of the last session in the aggregate. | keyword |
+| zscaler_zia.firewall.client.source.port | Client source port. For aggregated sessions, this is the client source port of the last session in the aggregate. | double |
+| zscaler_zia.firewall.department | Department of the user. | keyword |
+| zscaler_zia.firewall.duration.avg | Average session duration, in milliseconds, if the sessions were aggregated. | double |
+| zscaler_zia.firewall.duration.milliseconds | Session or request duration in milliseconds. | double |
+| zscaler_zia.firewall.duration.seconds | Session or request duration in seconds. | double |
+| zscaler_zia.firewall.ip_category | URL category that corresponds to the server IP address. | keyword |
+| zscaler_zia.firewall.location.name | Name of the location from which the session was initiated. | keyword |
+| zscaler_zia.firewall.nat | Indicates if the destination NAT policy was applied. | keyword |
+| zscaler_zia.firewall.server.destination.ip | Server Destination IP address. For aggregated sessions, this is the server destination IP address of the last session in the aggregate. | keyword |
+| zscaler_zia.firewall.server.destination.port | Server destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate. | double |
+| zscaler_zia.firewall.server.source.ip | Server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate. | keyword |
+| zscaler_zia.firewall.server.source.port | Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate. | double |
+| zscaler_zia.firewall.session.count | Number of sessions that were aggregated. | double |
+| zscaler_zia.firewall.stateful | | keyword |
+| zscaler_zia.firewall.threat.category | Category of the threat in the Firewall session by the IPS engine. | keyword |
+| zscaler_zia.firewall.threat.name | Name of the threat detected in the Firewall session by the IPS engine. | keyword |
+| zscaler_zia.firewall.tunnel.ip | Tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate. | keyword |
+| zscaler_zia.firewall.tunnel.port | Tunnel port on the client side. For aggregated sessions, this is the client's tunnel port corresponding to the last session in the aggregate. | double |
+| zscaler_zia.firewall.tunnel.type | Traffic forwarding method used to send the traffic to the firewall. | keyword |
+
+
+An example event for `firewall` looks as following:
+
+```json
+{
+ "@timestamp": "2021-12-17T07:27:54.000Z",
+ "agent": {
+ "ephemeral_id": "41987f90-74dc-4b4b-9936-4347028cf558",
+ "hostname": "docker-fleet-agent",
+ "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "client": {
+ "bytes": 1734
+ },
+ "data_stream": {
+ "dataset": "zscaler_zia.firewall",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "action": "drop",
+ "agent_id_status": "verified",
+ "category": "network",
+ "dataset": "zscaler_zia.firewall",
+ "ingested": "2022-02-04T06:34:17Z",
+ "kind": "event",
+ "original": "{ \"sourcetype\" : \"zscalernss-fw\", \"event\" :{\"datetime\":\"Fri Dec 17 07:27:54 2021\",\"user\":\"some_user@example.com\",\"department\":\"Unknown\",\"locationname\":\"TestLoc%20DB\",\"cdport\":443,\"csport\":55018,\"sdport\":443,\"ssport\":0,\"csip\":\"0.0.0.0\",\"cdip\":\"0.0.0.0\",\"ssip\":\"0.0.0.0\",\"sdip\":\"0.0.0.0\",\"tsip\":\"0.0.0.0\",\"tunsport\":0,\"tuntype\":\"ZscalerClientConnector\",\"action\":\"Drop\",\"dnat\":\"No\",\"stateful\":\"Yes\",\"aggregate\":\"No\",\"nwsvc\":\"HTTPS\",\"nwapp\":\"http\",\"proto\":\"TCP\",\"ipcat\":\"Test Name\",\"destcountry\":\"Ireland\",\"avgduration\":486,\"rulelabel\":\"Access%20Blocked\",\"inbytes\":19052,\"outbytes\":1734,\"duration\":0,\"durationms\":486,\"numsessions\":1,\"ipsrulelabel\":\"None\",\"threatcat\":\"None\",\"threatname\":\"None\",\"deviceowner\":\"admin77\",\"devicehostname\":\"Machine9000\"}}",
+ "type": "info"
+ },
+ "host": {
+ "hostname": "Machine9000"
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "172.21.0.7:58194"
+ }
+ },
+ "network": {
+ "application": "http",
+ "protocol": "https",
+ "transport": "tcp"
+ },
+ "related": {
+ "ip": [
+ "0.0.0.0"
+ ]
+ },
+ "rule": {
+ "name": [
+ "Access Blocked",
+ "None"
+ ]
+ },
+ "server": {
+ "bytes": 19052,
+ "geo": {
+ "country_name": "Ireland"
+ }
+ },
+ "tags": [
+ "forwarded",
+ "zscaler_zia-firewall"
+ ],
+ "user": {
+ "email": "some_user@example.com",
+ "name": "admin77"
+ },
+ "zscaler_zia": {
+ "firewall": {
+ "aggregate": "No",
+ "client": {
+ "destination": {
+ "ip": "0.0.0.0",
+ "port": 443
+ },
+ "source": {
+ "ip": "0.0.0.0",
+ "port": 55018
+ }
+ },
+ "department": "Unknown",
+ "duration": {
+ "avg": 486,
+ "milliseconds": 486,
+ "seconds": 0
+ },
+ "ip_category": "Test Name",
+ "location": {
+ "name": "TestLoc DB"
+ },
+ "nat": "No",
+ "server": {
+ "destination": {
+ "ip": "0.0.0.0",
+ "port": 443
+ },
+ "source": {
+ "ip": "0.0.0.0",
+ "port": 0
+ }
+ },
+ "session": {
+ "count": 1
+ },
+ "stateful": "Yes",
+ "threat": {
+ "category": "None",
+ "name": "None"
+ },
+ "tunnel": {
+ "ip": "0.0.0.0",
+ "port": 0,
+ "type": "ZscalerClientConnector"
+ }
+ }
+ }
+}
+```
+
+## Tunnel Logs
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.packets | Packets sent from the destination to the source. | long |
+| destination.port | Port of the destination. | long |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.module | Event module | constant_keyword |
+| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| log.source.address | Source address from which the log event was read / sent from. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.packets | Packets sent from the source to the destination. | long |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| zscaler_zia.tunnel.action.type | Type of the record. Possible values [ WL_TUNNEL_IPSECPHASE1, WL_TUNNEL_IPSECPHASE2, WL_TUNNEL_EVENT, WL_TUNNEL_SAMPLES ]. | keyword |
+| zscaler_zia.tunnel.authentication.algorithm | Authentication algorithm. | keyword |
+| zscaler_zia.tunnel.authentication.type | Authentication type. | keyword |
+| zscaler_zia.tunnel.destination.end.ip | Phase 2 policy proposal - Destination IP end. | keyword |
+| zscaler_zia.tunnel.destination.start.ip | Phase 2 policy proposal - Destination IP start. | keyword |
+| zscaler_zia.tunnel.destination.start.port | Phase 2 policy proposal - Destination port end. | long |
+| zscaler_zia.tunnel.dpd_packets | Number of DPD packets received in 60-second sample window. | keyword |
+| zscaler_zia.tunnel.encryption.algorithm | Encryption algorithm. | keyword |
+| zscaler_zia.tunnel.ike.version | IKE version (1 or 2). | long |
+| zscaler_zia.tunnel.life.bytes | Life bytes (number of traffic to be transacted through tunnel before renegotiation). | long |
+| zscaler_zia.tunnel.life.time | Lifetime of IKE Phase 1/2 in seconds. | long |
+| zscaler_zia.tunnel.location.name | Location name. | keyword |
+| zscaler_zia.tunnel.policy.direction | N/A | keyword |
+| zscaler_zia.tunnel.policy.protocol | Phase 2 policy proposal - Protocol. | keyword |
+| zscaler_zia.tunnel.protocol | IPSec tunnel protocol type (Zscaler only supports ESP). | keyword |
+| zscaler_zia.tunnel.source.end.ip | Phase 2 policy proposal - Source IP end. | keyword |
+| zscaler_zia.tunnel.source.start.ip | Phase 2 policy proposal - Source IP start. | keyword |
+| zscaler_zia.tunnel.source.start.port | Phase 2 policy proposal - Source port start. | long |
+| zscaler_zia.tunnel.spi | Security Parameter Index. | keyword |
+| zscaler_zia.tunnel.spi_in | Initiator cookie. | keyword |
+| zscaler_zia.tunnel.spi_out | Responder cookie. | keyword |
+| zscaler_zia.tunnel.type | Tunnel type. | keyword |
+| zscaler_zia.tunnel.vendor.name | Vendor name of the edge device. | keyword |
+
+
+An example event for `tunnel` looks as following:
+
+```json
+{
+ "@timestamp": "2021-12-30T11:20:12.000Z",
+ "agent": {
+ "ephemeral_id": "63ac98b6-0ff6-4943-820e-8505eff15937",
+ "hostname": "docker-fleet-agent",
+ "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "data_stream": {
+ "dataset": "zscaler_zia.tunnel",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "ip": "81.2.69.143"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "network",
+ "dataset": "zscaler_zia.tunnel",
+ "id": "1111111111111111111",
+ "ingested": "2022-02-04T06:36:16Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "172.21.0.7:44374"
+ }
+ },
+ "related": {
+ "ip": [
+ "81.2.69.143",
+ "81.2.69.145"
+ ],
+ "user": [
+ "81.2.69.145"
+ ]
+ },
+ "source": {
+ "ip": "81.2.69.145",
+ "port": 0
+ },
+ "tags": [
+ "forwarded",
+ "zscaler_zia-tunnel"
+ ],
+ "user": {
+ "name": "81.2.69.145"
+ },
+ "zscaler_zia": {
+ "tunnel": {
+ "action": {
+ "type": "IPSec Phase2"
+ },
+ "authentication": {
+ "algorithm": "HMAC-SHA-1",
+ "type": "None"
+ },
+ "destination": {
+ "end": {
+ "ip": "81.2.69.143"
+ },
+ "start": {
+ "ip": "81.2.69.143",
+ "port": 0
+ }
+ },
+ "encryption": {
+ "algorithm": "AES"
+ },
+ "ike": {
+ "version": 1
+ },
+ "life": {
+ "bytes": 0,
+ "time": 3600
+ },
+ "location": {
+ "name": "some-location"
+ },
+ "policy": {
+ "direction": "Inbound SA Policy",
+ "protocol": "Any"
+ },
+ "protocol": "ESP",
+ "source": {
+ "end": {
+ "ip": "81.2.69.145"
+ },
+ "start": {
+ "ip": "81.2.69.145",
+ "port": 0
+ }
+ },
+ "spi": "123456789",
+ "type": "IPSEC IKEV 1"
+ }
+ }
+}
+```
+
+## Web Logs
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip |
+| client.user.name | Short name or login of the user. | keyword |
+| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
+| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| http.request.bytes | Total size in bytes of the request (body and headers). | long |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.mime_type | Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.bytes | Total size in bytes of the response (body and headers). | long |
+| http.response.status_code | HTTP response status code. | long |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| log.source.address | Source address from which the log event was read / sent from. | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.password | Password of the request. | keyword |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443. | long |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| url.username | Username of the request. | keyword |
+| user.email | User email address. | keyword |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+| zscaler_zia.web.app.class | The web application class of the application that was accessed. Equivalent to module. | keyword |
+| zscaler_zia.web.app.name | Cloud application name. | keyword |
+| zscaler_zia.web.bandwidth_throttle | Indicates whether the transaction was throttled due to a configured bandwidth policy. | keyword |
+| zscaler_zia.web.client.internet.ip | The client Internet (NATted Public) IP address. This is different from the cip value if the internal IP address is visible. Otherwise, same as cip. | keyword |
+| zscaler_zia.web.ctime | The time from when the first byte of the request hits the ZEN to the time in which the last byte of the response is sent from the ZEN back to the browser. | long |
+| zscaler_zia.web.department | Department of the user. | keyword |
+| zscaler_zia.web.device.hostname | The obfuscated version of the device owner. This field must be changed manually. | keyword |
+| zscaler_zia.web.dpl.dictionaries | The DLP dictionaries that were matched, if any. | keyword |
+| zscaler_zia.web.dpl.engine | The DLP engine that was matched, if any. | keyword |
+| zscaler_zia.web.encoded_host | Encoded version of the destination host name. | keyword |
+| zscaler_zia.web.file.class | Type of file associated with the transaction. | keyword |
+| zscaler_zia.web.file.type | Type of file associated with the transaction. | keyword |
+| zscaler_zia.web.location | Gateway location or sub-location of the source. | keyword |
+| zscaler_zia.web.malware.category | The category of malware that was detected in the transaction, if any. Also indicates if a file was submitted to the Sandbox engine for analysis and the result of the analysis. | keyword |
+| zscaler_zia.web.malware.class | The class of malware that was detected in the transaction, if any. | keyword |
+| zscaler_zia.web.record.id | N/A | keyword |
+| zscaler_zia.web.stime | The round trip time between the ZEN request and the server. | long |
+| zscaler_zia.web.threat.name | The name of the threat that was detected in the transaction, if any. | keyword |
+| zscaler_zia.web.total.size | Total size, in bytes, of the HTTP transaction; sum of the total request size and total response size. | long |
+| zscaler_zia.web.unscannable.type | Unscannable file type. | keyword |
+| zscaler_zia.web.url.category.sub | Category of the destination URL. | keyword |
+| zscaler_zia.web.url.category.super | Super category of the destination URL. | keyword |
+| zscaler_zia.web.url.class | Class of the destination URL. | keyword |
+
+
+An example event for `web` looks as following:
+
+```json
+{
+ "@timestamp": "2021-12-17T07:04:57.000Z",
+ "agent": {
+ "ephemeral_id": "ced1fd2e-2f17-4f67-b8b1-d38a1920abbb",
+ "hostname": "docker-fleet-agent",
+ "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "client": {
+ "ip": "81.2.69.193",
+ "nat": {
+ "ip": "81.2.69.145"
+ },
+ "user": {
+ "name": "administrator1"
+ }
+ },
+ "data_stream": {
+ "dataset": "zscaler_zia.web",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "action": "blocked",
+ "agent_id_status": "verified",
+ "category": "web",
+ "dataset": "zscaler_zia.web",
+ "ingested": "2022-02-04T08:48:57Z",
+ "kind": "event",
+ "risk_score": 0,
+ "type": [
+ "info"
+ ]
+ },
+ "http": {
+ "request": {
+ "bytes": 600,
+ "method": "CONNECT",
+ "mime_type": "Other",
+ "referrer": "None"
+ },
+ "response": {
+ "bytes": 65,
+ "status_code": 200
+ }
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "172.21.0.7:48722"
+ }
+ },
+ "network": {
+ "protocol": "http_proxy"
+ },
+ "related": {
+ "hosts": [
+ "TestMachine35"
+ ],
+ "ip": [
+ "81.2.69.193",
+ "81.2.69.145"
+ ]
+ },
+ "rule": {
+ "name": "Zscaler Proxy Traffic",
+ "ruleset": "FwFilter"
+ },
+ "tags": [
+ "forwarded",
+ "zscaler_zia-web"
+ ],
+ "url": {
+ "extension": "com",
+ "original": "www.example.com",
+ "path": "www.example.com"
+ },
+ "user": {
+ "email": "test@example.com"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "Windows Microsoft Windows 10 Pro ZTunnel/1.0",
+ "os": {
+ "full": "Windows 10",
+ "name": "Windows",
+ "version": "10"
+ }
+ },
+ "zscaler_zia": {
+ "web": {
+ "app": {
+ "class": "General Browsing",
+ "name": "General Browsing"
+ },
+ "ctime": 0,
+ "department": "Unknown",
+ "device": {
+ "hostname": "TestMachine35"
+ },
+ "dpl": {
+ "dictionaries": "None",
+ "engine": "None"
+ },
+ "location": "Test DB",
+ "malware": {
+ "category": "None"
+ },
+ "stime": 0,
+ "threat": {
+ "name": "None"
+ },
+ "unscannable": {
+ "type": "None"
+ },
+ "url": {
+ "category": {
+ "sub": "Web Search",
+ "super": "Information Technology"
+ },
+ "class": "Business Use"
+ }
+ }
+ }
+}
+```
diff --git a/packages/zscaler_zia/0.1.3/img/escape_feed.png b/packages/zscaler_zia/0.1.3/img/escape_feed.png
new file mode 100755
index 0000000000..40a8b59ec5
Binary files /dev/null and b/packages/zscaler_zia/0.1.3/img/escape_feed.png differ
diff --git a/packages/zscaler_zia/0.1.3/img/nss_feeds.png b/packages/zscaler_zia/0.1.3/img/nss_feeds.png
new file mode 100755
index 0000000000..26c1c48c50
Binary files /dev/null and b/packages/zscaler_zia/0.1.3/img/nss_feeds.png differ
diff --git a/packages/zscaler_zia/0.1.3/img/nss_server.png b/packages/zscaler_zia/0.1.3/img/nss_server.png
new file mode 100755
index 0000000000..d394408905
Binary files /dev/null and b/packages/zscaler_zia/0.1.3/img/nss_server.png differ
diff --git a/packages/zscaler_zia/0.1.3/img/zscaler-logo.svg b/packages/zscaler_zia/0.1.3/img/zscaler-logo.svg
new file mode 100755
index 0000000000..b8a21a2fa6
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/img/zscaler-logo.svg
@@ -0,0 +1 @@
+Zscaler-Logo-TM-Blue-RGB-May2019
\ No newline at end of file
diff --git a/packages/zscaler_zia/0.1.3/img/zscaler-zia-screenshot.png b/packages/zscaler_zia/0.1.3/img/zscaler-zia-screenshot.png
new file mode 100755
index 0000000000..6e10c51d84
Binary files /dev/null and b/packages/zscaler_zia/0.1.3/img/zscaler-zia-screenshot.png differ
diff --git a/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407.json
new file mode 100755
index 0000000000..50464fc105
--- /dev/null
+++ b/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407.json
@@ -0,0 +1,72 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"06eebe5f-c6d6-4bc3-910c-dfb31b4eed15\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"06eebe5f-c6d6-4bc3-910c-dfb31b4eed15\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bd3fd0c0-bb65-48d3-abe6-00fa3513cfeb\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bd3fd0c0-bb65-48d3-abe6-00fa3513cfeb\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3263f825-0d4b-4579-865a-29901566da89\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3263f825-0d4b-4579-865a-29901566da89\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fd1d5738-f049-4d39-8a9c-c99f00026abc\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"fd1d5738-f049-4d39-8a9c-c99f00026abc\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"14e74949-6df9-4178-bd6c-fb3f2af4e44f\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"14e74949-6df9-4178-bd6c-fb3f2af4e44f\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"f54d9f84-ff3e-4246-9d53-af54076bacf4\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"f54d9f84-ff3e-4246-9d53-af54076bacf4\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhanceme
nts\":{}},\"gridData\":{\"h\":21,\"i\":\"a2629365-4540-4700-abd5-299070e39233\",\"w\":16,\"x\":32,\"y\":48},\"panelIndex\":\"a2629365-4540-4700-abd5-299070e39233\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"90e1564e-ec66-4a1f-9416-53a3fef9b577\",\"w\":16,\"x\":0,\"y\":48},\"panelIndex\":\"90e1564e-ec66-4a1f-9416-53a3fef9b577\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"ff526e93-a3f7-4155-b493-bb0427f87001\",\"w\":16,\"x\":16,\"y\":48},\"panelIndex\":\"ff526e93-a3f7-4155-b493-bb0427f87001\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":7,\"width\":123.44444444444446},{\"colIndex\":4,\"width\":230.56944444444446},{\"colIndex\":1,\"width\":150.56944444444443},{\"colIndex\":0,\"width\":164.40277777777774},{\"colIndex\":6,\"width\":109.0027777777778},{\"colIndex\":5,\"width\":110.75277777777777},{\"colIndex\":8,\"width\":90.08611111111111},{\"colIndex\":3,\"width\":176.5861111111111},{\"colIndex\":2,\"width\":222.58611111111122}]}}},\"gridData\":{\"h\":15,\"i\":\"89b6c2a3-3ae8-4bfc-9af0-0711f588ce30\",\"w\":48,\"x\":0,\"y\":69},\"panelIndex\":\"89b6c2a3-3ae8-4bfc-9af0-0711f588ce30\",\"panelRefName\":\"panel_9\",\"title\":\"[Zscaler] [ZIA] Distribution of Firewall Events by Threat Category, IP Category, Traffic Forwarding Method, Application, Destination NAT policy applied, Action, Department, Location, Used Protocol\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Zscaler] [ZIA] Firewall Logs", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407", + "migrationVersion": { + 
"dashboard": "7.16.0" + }, + "references": [ + { + "id": "zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407", + "name": "panel_9", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..652e1327f1 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,72 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"677982f9-75a5-4420-a0e4-65778e28370f\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"677982f9-75a5-4420-a0e4-65778e28370f\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"329767e7-da25-44aa-ab86-b18b9f6e3a24\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"329767e7-da25-44aa-ab86-b18b9f6e3a24\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"dbf7121d-902c-4979-a56a-aeecb89dc781\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"dbf7121d-902c-4979-a56a-aeecb89dc781\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4421e7b7-c2b0-4463-8646-03616ddfe9cb\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"4421e7b7-c2b0-4463-8646-03616ddfe9cb\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ade94ac6-4269-4d88-9e63-5295cee65475\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"ade94ac6-4269-4d88-9e63-5295cee65475\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"95e9a752-3269-4679-b1a8-3826fc6fd463\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"95e9a752-3269-4679-b1a8-3826fc6fd463\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"
7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1c2c054a-b244-4f93-84b2-68e4228a2956\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"1c2c054a-b244-4f93-84b2-68e4228a2956\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"35acb8fb-304a-4651-88fa-6f080c7b258b\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"35acb8fb-304a-4651-88fa-6f080c7b258b\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":22,\"i\":\"1f29cb86-55d1-4caa-b012-3d8e674fb401\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"1f29cb86-55d1-4caa-b012-3d8e674fb401\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f2101d90-704b-46e5-b73a-567fb731bcda\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f2101d90-704b-46e5-b73a-567fb731bcda\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Zscaler] [ZIA] Web Logs", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407", + "name": "panel_4", + "type": "visualization" + }, + 
{ + "id": "zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53", + "name": "panel_9", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53.json new file mode 100755 index 0000000000..8dbf59dd7a --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53.json 
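Review bot: Every panel in this dashboard's `panelsJSON` records `"version":"7.16.0-SNAPSHOT"`, while the Firewall dashboard earlier in the diff records `"version":"7.16.2"` for its panels. A snapshot build identifier inside a released package suggests these objects were exported from a development Kibana rather than the release the package is validated against, and the two dashboards will carry different panel-migration baselines. Re-exporting from the same released Kibana so all dashboards agree would remove the inconsistency; the Tunnel Logs and DNS Logs dashboards that follow carry the same `7.16.0-SNAPSHOT` values.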
@@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fa228027-f96f-4c6c-8ff2-ba35c24ab5f3\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"fa228027-f96f-4c6c-8ff2-ba35c24ab5f3\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"486db5cd-c4a8-4a4f-b794-3811989c9f2a\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"486db5cd-c4a8-4a4f-b794-3811989c9f2a\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"dedfb661-d4dc-4748-a286-8af6d668bd05\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"dedfb661-d4dc-4748-a286-8af6d668bd05\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6ab75387-2a14-4d5f-adef-2ab49ed51674\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"6ab75387-2a14-4d5f-adef-2ab49ed51674\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b757507b-409b-4695-b558-daff6d0382db\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"b757507b-409b-4695-b558-daff6d0382db\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"75e785d6-2c8f-4608-b204-4688a66ad14e\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"75e785d6-2c8f-4608-b204-4688a66ad14e\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\
"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"b92519fe-1070-4e1f-a38d-8796c26af893\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"b92519fe-1070-4e1f-a38d-8796c26af893\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Zscaler] [ZIA] Tunnel Logs", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..19dbbfda5b --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/dashboard/zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,42 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":180,\"minLat\":-66.51326,\"minLon\":-180},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":1.06},\"openTOCDetails\":[]},\"gridData\":{\"h\":17,\"i\":\"8b4eb1df-17aa-4d80-8b26-1920b5150cad\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b4eb1df-17aa-4d80-8b26-1920b5150cad\",\"panelRefName\":\"panel_0\",\"type\":\"map\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"db8f6083-5ad4-4a49-84a3-f89318befd32\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"db8f6083-5ad4-4a49-84a3-f89318befd32\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"13fd9028-3dd5-4262-b7bb-3cba5d6c98cd\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"13fd9028-3dd5-4262-b7bb-3cba5d6c98cd\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"47b652f2-0e00-4b5d-9e94-b5ade2b0c6e6\",\"w\":48,\"x\":0,\"y\":34},\"panelIndex\":\"47b652f2-0e00-4b5d-9e94-b5ade2b0c6e6\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Zscaler] [ZIA] DNS Logs", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407", + "name": "panel_0", + "type": 
"map" + }, + { + "id": "zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407", + "name": "panel_3", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/map/zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/map/zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..6ea14f4ec5 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/map/zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"9d6d7cae-7cff-491c-abc8-40d6d4f575b0\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"03c492fe-96d8-48ab-a5b4-3eec4ae2a230\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.dns\\\"\"},\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"client.geo.location\",\"id\":\"636e2366-af59-41da-a0af-83b10b7a1b47\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", + "mapStateJSON": "{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.dns\\\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-5y\",\"to\":\"now\"},\"zoom\":1.06}", + "title": "[Zscaler] [ZIA] DNS Events by Region", + "uiStateJSON": 
"{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "coreMigrationVersion": "7.16.2", + "id": "zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..0797594345 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"rule.ruleset\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"rule.ruleset\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Rule type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Rule Type\",\"field\":\"rule.ruleset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[]
,\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 Rule type\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53.json new file mode 100755 index 0000000000..2c1df44f82 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53.json 
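Review bot: The `searchSourceJSON` for this visualization carries a negated `match_phrase` filter on `rule.ruleset: "None"`, which presumably means the ingest pipeline emits the literal string "None" when no ruleset applies. Filtering a sentinel value per visualization is fragile: any other consumer of the ECS `rule.ruleset` field (other visualizations, detection rules, aggregations) will still see "None" as a real ruleset, and the filter must be duplicated wherever the field is used. If that inference holds, dropping the field in the pipeline when the source value is "None" and removing this filter would be cleaner; otherwise a comment in the package docs explaining why "None" is a valid stored value would help the next maintainer.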
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Destination IPs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Destination IPs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..1aa1da187d --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Users", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Z
scaler] [ZIA] Top 10 Users\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53.json new file mode 100755 index 0000000000..fb304fb0c9 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Distribution of Tunnel Events by Tunnel Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel Type\",\"field\":\"zscaler_zia.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler] [ZIA] Distribution of Tunnel Events by Tunnel Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..838f845a8d --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Distribution of Web Events by Action, Malware Category, App Class, Response Code, Department, Username, URL", + "uiStateJSON": "{\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":5,\"width\":137.71428571428572},{\"colIndex\":6,\"width\":194.0408163265306}]}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Username\",\"field\":\"client.user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Malware Category\",\"field\":\"zscaler_zia.web.malware.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Application 
Class\",\"field\":\"zscaler_zia.web.app.class\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Response Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Department\",\"field\":\"zscaler_zia.web.department\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":true,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Distribution of Web Events by Action, Malware Category, App Class, Response Code, Department, Username, URL\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..ed2afec7c7 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Distribution of Firewall Events by Threat Category, IP Category, Traffic Forwarding Method, network application that accessed web, Destination NAT policy applied, Action, Department, Location, Used Protocol", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Category\",\"field\":\"zscaler_zia.firewall.threat.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"IP Category\",\"field\":\"zscaler_zia.firewall.ip_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Traffic Forwarding Method\",\"field\":\"zscaler_zia.firewall.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Application 
Name\",\"field\":\"network.application\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination NAT policy applied\",\"field\":\"zscaler_zia.firewall.nat\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"10\",\"params\":{\"customLabel\":\"Location\",\"field\":\"zscaler_zia.firewall.location.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Department\",\"field\":\"zscaler_zia.firewall.department\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"Protocol 
Used\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Distribution of Firewall Events by Threat Category, IP Category, Traffic Forwarding Method, network application that accessed web, Destination NAT policy applied, Action, Department, Location, Used Protocol\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53.json new file mode 100755 index 0000000000..f1318a9192 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53.json 
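Review bot: The visualization title here reads "… Traffic Forwarding Method, network application that accessed web, Destination NAT policy applied, …", but the Firewall dashboard panel that embeds it overrides the title to "… Traffic Forwarding Method, Application, Destination NAT policy applied, …", and the column labels use "Application Name" and "Protocol Used" while both titles say "Used Protocol". Since the panel override hides the saved-object title only on the dashboard, a user opening the visualization directly sees the longer, inconsistent wording. Aligning the `title` in both `attributes.title` and `visState` with the panel override, e.g. `"title": "[Zscaler] [ZIA] Distribution of Firewall Events by Threat Category, IP Category, Traffic Forwarding Method, Application, Destination NAT policy applied, Action, Department, Location, Used Protocol"`, would keep the three places consistent.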
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Distribution of Tunnel Events by Location", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Location\",\"field\":\"zscaler_zia.tunnel.location.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler] [ZIA] Distribution of Tunnel Events by Location\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..a7e8531244 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Tunnel IPs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel IPs\",\"field\":\"zscaler_zia.firewall.tunnel.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Tunnel IPs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53.json new file mode 100755 index 0000000000..394fc4f287 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Distribution of Tunnel Events by Encryption Algorithm, Authentication Algorithm, Authentication Type, Tunnel Action name, Protocol, Source IP, Destination IP", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Encryption Algorithm\",\"field\":\"zscaler_zia.tunnel.encryption.algorithm\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Authentication Algorithm\",\"field\":\"zscaler_zia.tunnel.authentication.algorithm\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Authentication Type\",\"field\":\"zscaler_zia.tunnel.authentication.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Tunnel Action 
Name\",\"field\":\"zscaler_zia.tunnel.action.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"zscaler_zia.tunnel.policy.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Distribution of Tunnel Events by Encryption algorithm, Authentication algorithm, Authentication Type, Action name, Protocol, Source IP, Destination IP\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..af8777ca1e --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Protocol of Web Events Over time", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"sho
w\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Protocol of Web Events Over time\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..a0e7f8d01a --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 rule", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Rules\",\"exclude\":\"None\",\"field\":\"rule.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":9},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{
},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 rule\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53.json new file mode 100755 index 0000000000..41943205eb --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53.json 
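Review bot: The terms aggregation in this visState is sized at `\"size\":9` while both the saved-object title and the visState title read "Top 10 rule", so the chart can never show a tenth rule; change it to `\"size\":10` or retitle the panel. The `None` placeholder is dropped here with `\"exclude\":\"None\"` on the aggregation itself, whereas the sibling "Top 10 Rule Name" panel later in this diff removes it with a negated phrase filter in searchSourceJSON; both work, but using one approach across the package makes the dashboards easier to audit.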
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\" and not http.response.status_code: \\\"200\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 failed URLs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 failed URLs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..17ecff711a --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407.json 
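Review bot: The "Top 10 failed URLs" query `not http.response.status_code: \"200\"` treats every non-200 response as a failure, so redirects (301/302), 304 Not Modified and other 2xx responses will fill the table and bury the requests that actually failed. Restricting to client and server errors is closer to the intent: `event.dataset: \"zscaler_zia.web\" and http.response.status_code >= 400`. If the panel is meant to show requests Zscaler blocked rather than HTTP failures, filtering on the web log's action field would be more precise than the status code, though that field is not visible in this hunk to confirm its name.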
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"rule.name\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"rule.name\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Rule Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Rule Name\",\"field\":\"rule.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"trunca
teLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 Rule Name\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..67a3b6c917 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.dns\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Distribution of DNS Events by Department", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Department\",\"field\":\"zscaler_zia.dns.department\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler] [ZIA] Distribution of DNS Events by Department\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..00c8458d1a 
--- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Server Source IP", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Source IP\",\"field\":\"zscaler_zia.firewall.server.source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Server Source IP\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..61ec3e5c13 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"zscaler_zia.web.threat.name\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"zscaler_zia.web.threat.name\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Total Threats", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Threats\",\"field\":\"zscaler_zia.web.threat.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Zscaler] [ZIA] Total Threats\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
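Review bot: The metric labeled "Total Threats" is a `cardinality` aggregation on `zscaler_zia.web.threat.name`, so it reports the number of distinct threat names, not the number of threat detections — one malware family hitting thousands of users shows as 1. Elasticsearch's cardinality aggregation is also an approximate count, which is worth knowing before anyone reports this figure. If a detection count is intended, switch the metric to `\"type\":\"count\"` and keep the existing `threat.name: None` exclusion filter; if distinct names are intended, rename the label to `Distinct Threat Names` so analysts do not misread it.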
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53.json new file mode 100755 index 0000000000..13be4500fe --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Distribution of Tunnel Events by Vendor Name of Edge Device", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Vendor Name of Edge Device\",\"field\":\"zscaler_zia.tunnel.vendor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler] [ZIA] Distribution of Tunnel Events by Vendor Name of Edge Device\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..7e751c6f8a --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.dns\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Distribution of DNS Events by Request Action", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Request Action\",\"field\":\"zscaler_zia.dns.request.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler] [ZIA] Distribution of DNS Events by Request Action\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..4f91943c75 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Server Destination IP", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Destination IP\",\"field\":\"zscaler_zia.firewall.server.destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Server Destination IP\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..52fc4d2f3f --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"zscaler_zia.firewall.threat.name\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"zscaler_zia.firewall.threat.name\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Threats detected by Firewall", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Name\",\"field\":\"zscaler_zia.firewall.threat.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\
":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 Threats detected by Firewall\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..cfae00dc9b --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"zscaler_zia.web.threat.name\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"zscaler_zia.web.threat.name\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Threats by name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Name\",\"field\":\"zscaler_zia.web.threat.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Threats by name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53.json new file mode 100755 index 0000000000..4b396fe262 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Tunnel Action Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel Action Name\",\"field\":\"zscaler_zia.tunnel.action.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Tunnel Action Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..4440e03daa --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.dns\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 DNS Rules", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Rules\",\"field\":\"zscaler_zia.dns.request.rule.label\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\
":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 DNS Rules\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..4e533feac7 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 App Name accessing Web", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"App Name\",\"field\":\"zscaler_zia.web.app.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 App Name accessing Web\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..2d488981cf --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Client Source IP", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Source IP\",\"field\":\"zscaler_zia.firewall.client.source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Client Source IP\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..9720ff2c44 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Destination Country", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Country\",\"field\":\"server.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"s
tyle\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 Destination Country\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..275a6a6d55 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"zscaler_zia.firewall.threat.name\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"zscaler_zia.firewall.threat.name\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Total Threats detected by Firewall", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Threats\",\"field\":\"zscaler_zia.firewall.threat.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Zscaler] [ZIA] Total Threats detected by Firewall\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53.json new file mode 100755 index 0000000000..547c66295b --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Source IPs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Source IPs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..cf24b5bd13 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 URL Categories", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"zscaler_zia.web.url.category.sub\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"typ
e\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 URL Categories\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407.json new file mode 100755 index 0000000000..882d561ac9 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/kibana/visualization/zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" + }, + "title": "[Zscaler] [ZIA] Top 10 Client Destination IP", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Destination IP\",\"field\":\"zscaler_zia.firewall.client.destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Client Destination IP\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/zscaler_zia/0.1.3/manifest.yml b/packages/zscaler_zia/0.1.3/manifest.yml new file mode 100755 index 0000000000..333a038579 --- /dev/null +++ b/packages/zscaler_zia/0.1.3/manifest.yml 
@@ -0,0 +1,70 @@
+format_version: 1.0.0
+name: zscaler_zia
+title: "Zscaler Internet Access"
+version: 0.1.3
+license: basic
+description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent.
+type: integration
+categories:
+ - security
+release: beta
+conditions:
+ kibana.version: ^7.16.2 || ^8.0.0
+screenshots:
+ - src: /img/zscaler-zia-screenshot.png
+ title: Zscaler ZIA web log dashboard screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/zscaler-logo.svg
+ title: Zscaler logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: zscaler_zia
+ title: Zscaler Internet Access logs
+ description: Collect Zscaler Internet Access logs
+ inputs:
+ - type: tcp
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ title: Collect Zscaler Internet Access logs via TCP input
+ description: Collecting Zscaler Internet Access logs via TCP input
+owner:
+ github: elastic/security-external-integrations
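Review bot: The `ssl` var on the `tcp` input is `required: false` with `show_user: false`, so TLS for the listener is opt-in and hidden from the default configuration form, while the `listen_address` description actively invites binding to `0.0.0.0`; an operator who follows that hint will receive Zscaler logs in cleartext over the network unless they find the advanced setting. Consider `show_user: true` for `ssl`, or at least stating the consequence in its description, e.g. `description: TLS settings for the TCP listener, e.g. certificate_authorities, supported_protocols, verification_mode. Without this the input accepts unencrypted connections.`. That description also opens with `i.e.` where `e.g.` is meant, since the list is illustrative. Whether `show_user: false` hides the field behind an advanced toggle is inferred from Fleet's usual rendering of policy template vars; worth confirming before changing it.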