diff --git a/api_docs/actions.mdx b/api_docs/actions.mdx index 351f958be5b8..260ca2f35b75 100644 --- a/api_docs/actions.mdx +++ b/api_docs/actions.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/actions title: "actions" image: https://source.unsplash.com/400x175/?github description: API docs for the actions plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'actions'] --- import actionsObj from './actions.devdocs.json'; diff --git a/api_docs/advanced_settings.mdx b/api_docs/advanced_settings.mdx index c3153bf3feb6..a485f45e8b8f 100644 --- a/api_docs/advanced_settings.mdx +++ b/api_docs/advanced_settings.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/advancedSettings title: "advancedSettings" image: https://source.unsplash.com/400x175/?github description: API docs for the advancedSettings plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'advancedSettings'] --- import advancedSettingsObj from './advanced_settings.devdocs.json'; diff --git a/api_docs/aiops.mdx b/api_docs/aiops.mdx index b5b58ecef00c..eb3a7a103563 100644 --- a/api_docs/aiops.mdx +++ b/api_docs/aiops.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/aiops title: "aiops" image: https://source.unsplash.com/400x175/?github description: API docs for the aiops plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'aiops'] --- import aiopsObj from './aiops.devdocs.json'; diff --git a/api_docs/alerting.devdocs.json b/api_docs/alerting.devdocs.json index bf6fff9249dc..6f2d4c90fc3d 100644 --- a/api_docs/alerting.devdocs.json +++ b/api_docs/alerting.devdocs.json @@ -2821,7 +2821,7 @@ "section": "def-common.DataViewSpec", "text": "DataViewSpec" }, - ", options?: ", + ", options?: Omit<", { "pluginId": "dataViews", "scope": "common", 
@@ -2829,7 +2829,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined) => Promise<", + ", \"allowNoIndex\"> | undefined) => Promise<", { "pluginId": "dataViews", "scope": "common", diff --git a/api_docs/alerting.mdx b/api_docs/alerting.mdx index 5753487f9619..23ad17f1f9d1 100644 --- a/api_docs/alerting.mdx +++ b/api_docs/alerting.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/alerting title: "alerting" image: https://source.unsplash.com/400x175/?github description: API docs for the alerting plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'alerting'] --- import alertingObj from './alerting.devdocs.json'; diff --git a/api_docs/apm.mdx b/api_docs/apm.mdx index 14bac9231c35..2f785186e411 100644 --- a/api_docs/apm.mdx +++ b/api_docs/apm.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/apm title: "apm" image: https://source.unsplash.com/400x175/?github description: API docs for the apm plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'apm'] --- import apmObj from './apm.devdocs.json'; diff --git a/api_docs/asset_manager.mdx b/api_docs/asset_manager.mdx index 538927e794d2..78cb1da8d62f 100644 --- a/api_docs/asset_manager.mdx +++ b/api_docs/asset_manager.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/assetManager title: "assetManager" image: https://source.unsplash.com/400x175/?github description: API docs for the assetManager plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'assetManager'] --- import assetManagerObj from './asset_manager.devdocs.json'; diff --git a/api_docs/banners.mdx b/api_docs/banners.mdx index 3cd5bf40a08c..bcd850dd5086 100644 --- a/api_docs/banners.mdx +++ b/api_docs/banners.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/banners title: "banners" image: https://source.unsplash.com/400x175/?github description: API docs for the banners plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'banners'] --- import bannersObj from './banners.devdocs.json'; diff --git a/api_docs/bfetch.mdx b/api_docs/bfetch.mdx index 71767cff5119..c34a9c598f58 100644 --- a/api_docs/bfetch.mdx +++ b/api_docs/bfetch.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/bfetch title: "bfetch" image: https://source.unsplash.com/400x175/?github description: API docs for the bfetch plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'bfetch'] --- import bfetchObj from './bfetch.devdocs.json'; diff --git a/api_docs/canvas.mdx b/api_docs/canvas.mdx index 96e6d9813dfe..51fee8c07ce1 100644 --- a/api_docs/canvas.mdx +++ b/api_docs/canvas.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/canvas title: "canvas" image: https://source.unsplash.com/400x175/?github description: API docs for the canvas plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'canvas'] --- import canvasObj from './canvas.devdocs.json'; diff --git a/api_docs/cases.mdx b/api_docs/cases.mdx index 4a4fa3782c32..638993738a7e 100644 --- a/api_docs/cases.mdx +++ b/api_docs/cases.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cases title: "cases" image: https://source.unsplash.com/400x175/?github description: API docs for the cases plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cases'] --- import casesObj from './cases.devdocs.json'; diff --git a/api_docs/charts.mdx b/api_docs/charts.mdx index 6e5d11269687..da66f16a9a29 100644 --- a/api_docs/charts.mdx +++ b/api_docs/charts.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/charts title: "charts" image: https://source.unsplash.com/400x175/?github description: API docs for the charts plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'charts'] --- import chartsObj from './charts.devdocs.json'; diff --git a/api_docs/cloud.mdx b/api_docs/cloud.mdx index 04c03bc097d8..e89887b379a3 100644 --- a/api_docs/cloud.mdx +++ b/api_docs/cloud.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloud title: "cloud" image: https://source.unsplash.com/400x175/?github description: API docs for the cloud plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloud'] --- import cloudObj from './cloud.devdocs.json'; diff --git a/api_docs/cloud_chat.mdx b/api_docs/cloud_chat.mdx index 24afbcda5278..60ba6e375f2e 100644 --- a/api_docs/cloud_chat.mdx +++ b/api_docs/cloud_chat.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloudChat title: "cloudChat" image: https://source.unsplash.com/400x175/?github description: API docs for the cloudChat plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloudChat'] --- import cloudChatObj from './cloud_chat.devdocs.json'; diff --git a/api_docs/cloud_data_migration.mdx b/api_docs/cloud_data_migration.mdx index ab83f33d8e42..ee2e86401cea 100644 --- a/api_docs/cloud_data_migration.mdx +++ b/api_docs/cloud_data_migration.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloudDataMigration title: "cloudDataMigration" image: https://source.unsplash.com/400x175/?github description: API docs for the cloudDataMigration plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloudDataMigration'] --- import cloudDataMigrationObj from './cloud_data_migration.devdocs.json'; diff --git a/api_docs/cloud_defend.mdx b/api_docs/cloud_defend.mdx index e82a441c2e9b..a737156e532d 100644 --- a/api_docs/cloud_defend.mdx +++ b/api_docs/cloud_defend.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloudDefend title: "cloudDefend" image: https://source.unsplash.com/400x175/?github description: API docs for the cloudDefend plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloudDefend'] --- import cloudDefendObj from './cloud_defend.devdocs.json'; diff --git a/api_docs/cloud_experiments.mdx b/api_docs/cloud_experiments.mdx index 33e539958d7d..45eb67f4e8eb 100644 --- a/api_docs/cloud_experiments.mdx +++ b/api_docs/cloud_experiments.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloudExperiments title: "cloudExperiments" image: https://source.unsplash.com/400x175/?github description: API docs for the cloudExperiments plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloudExperiments'] --- import cloudExperimentsObj from './cloud_experiments.devdocs.json'; diff --git a/api_docs/cloud_security_posture.mdx b/api_docs/cloud_security_posture.mdx index 94c8b2787657..154b5a41015d 100644 --- a/api_docs/cloud_security_posture.mdx +++ b/api_docs/cloud_security_posture.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloudSecurityPosture title: "cloudSecurityPosture" image: https://source.unsplash.com/400x175/?github description: API docs for the cloudSecurityPosture plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloudSecurityPosture'] --- import cloudSecurityPostureObj from './cloud_security_posture.devdocs.json'; diff --git a/api_docs/console.mdx b/api_docs/console.mdx index 8e0f6c6993fb..e745c3de7590 100644 --- a/api_docs/console.mdx +++ b/api_docs/console.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/console title: "console" image: https://source.unsplash.com/400x175/?github description: API docs for the console plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'console'] --- import consoleObj from './console.devdocs.json'; 
diff --git a/api_docs/content_management.mdx b/api_docs/content_management.mdx index 5152c59eccd5..0c98565c1ba7 100644 --- a/api_docs/content_management.mdx +++ b/api_docs/content_management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/contentManagement title: "contentManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the contentManagement plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'contentManagement'] --- import contentManagementObj from './content_management.devdocs.json'; diff --git a/api_docs/controls.mdx b/api_docs/controls.mdx index dbc2cef31d1b..7ce0122762c8 100644 --- a/api_docs/controls.mdx +++ b/api_docs/controls.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/controls title: "controls" image: https://source.unsplash.com/400x175/?github description: API docs for the controls plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'controls'] --- import controlsObj from './controls.devdocs.json'; diff --git a/api_docs/custom_integrations.mdx b/api_docs/custom_integrations.mdx index 44cd9d05cbcf..a9a298cc0c03 100644 --- a/api_docs/custom_integrations.mdx +++ b/api_docs/custom_integrations.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/customIntegrations title: "customIntegrations" image: https://source.unsplash.com/400x175/?github description: API docs for the customIntegrations plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'customIntegrations'] --- import customIntegrationsObj from './custom_integrations.devdocs.json'; diff --git a/api_docs/dashboard.mdx b/api_docs/dashboard.mdx index b67e9a4a2de4..9e43f4ba0555 100644 --- a/api_docs/dashboard.mdx +++ b/api_docs/dashboard.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dashboard title: "dashboard" image: https://source.unsplash.com/400x175/?github description: API docs for the dashboard plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dashboard'] --- import dashboardObj from './dashboard.devdocs.json'; diff --git a/api_docs/dashboard_enhanced.mdx b/api_docs/dashboard_enhanced.mdx index 3a4c82173058..8b0e197ce952 100644 --- a/api_docs/dashboard_enhanced.mdx +++ b/api_docs/dashboard_enhanced.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dashboardEnhanced title: "dashboardEnhanced" image: https://source.unsplash.com/400x175/?github description: API docs for the dashboardEnhanced plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dashboardEnhanced'] --- import dashboardEnhancedObj from './dashboard_enhanced.devdocs.json'; diff --git a/api_docs/data.devdocs.json b/api_docs/data.devdocs.json index aec4ebb516f7..245373fcd8a9 100644 --- a/api_docs/data.devdocs.json +++ b/api_docs/data.devdocs.json @@ -10545,6 +10545,10 @@ "plugin": "@kbn/core-saved-objects-api-browser", "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, + { + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" + }, { "plugin": "@kbn/core-saved-objects-api-server", "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" 
@@ -10609,6 +10613,10 @@ "plugin": "@kbn/core-saved-objects-browser-internal", "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, { "plugin": "@kbn/core-saved-objects-browser-internal", "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" @@ -16551,7 +16559,7 @@ "section": "def-common.DataViewSpec", "text": "DataViewSpec" }, - ", options?: ", + ", options?: Omit<", { "pluginId": "dataViews", "scope": "common", @@ -16559,7 +16567,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined) => Promise<", + ", \"allowNoIndex\"> | undefined) => Promise<", { "pluginId": "dataViews", "scope": "common", @@ -16612,6 +16620,7 @@ "options for getting field list" ], "signature": [ + "Omit<", { "pluginId": "dataViews", "scope": "common", @@ -16619,7 +16628,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined" + ", \"allowNoIndex\"> | undefined" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, @@ -25038,7 +25047,7 @@ "section": "def-common.DataViewSpec", "text": "DataViewSpec" }, - ", options?: ", + ", options?: Omit<", { "pluginId": "dataViews", "scope": "common", @@ -25046,7 +25055,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined) => Promise<", + ", \"allowNoIndex\"> | undefined) => Promise<", { "pluginId": "dataViews", "scope": "common", @@ -25099,6 +25108,7 @@ "options for getting field list" ], "signature": [ + "Omit<", { "pluginId": "dataViews", "scope": "common", 
@@ -25106,7 +25116,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined" + ", \"allowNoIndex\"> | undefined" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, @@ -27765,7 +27775,7 @@ "section": "def-common.DataViewSpec", "text": "DataViewSpec" }, - ", options?: ", + ", options?: Omit<", { "pluginId": "dataViews", "scope": "common", @@ -27773,7 +27783,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined) => Promise<", + ", \"allowNoIndex\"> | undefined) => Promise<", { "pluginId": "dataViews", "scope": "common", @@ -28310,6 +28320,10 @@ "plugin": "@kbn/core-saved-objects-api-browser", "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, + { + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" + }, { "plugin": "@kbn/core-saved-objects-api-server", "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" @@ -28374,6 +28388,10 @@ "plugin": "@kbn/core-saved-objects-browser-internal", "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, { "plugin": "@kbn/core-saved-objects-browser-internal", "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" diff --git a/api_docs/data.mdx b/api_docs/data.mdx index f20e195cf03e..92330ee8f8bc 100644 --- a/api_docs/data.mdx +++ b/api_docs/data.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/data title: "data" image: https://source.unsplash.com/400x175/?github description: API docs for the data plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'data'] --- import dataObj from './data.devdocs.json'; diff --git a/api_docs/data_query.mdx b/api_docs/data_query.mdx index 01c05dbfd8d6..0f3a77925482 100644 --- a/api_docs/data_query.mdx +++ b/api_docs/data_query.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/data-query title: "data.query" image: https://source.unsplash.com/400x175/?github description: API docs for the data.query plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'data.query'] --- import dataQueryObj from './data_query.devdocs.json'; diff --git a/api_docs/data_search.devdocs.json b/api_docs/data_search.devdocs.json index 5c6bcb55054d..d1f49e73bf90 100644 --- a/api_docs/data_search.devdocs.json +++ b/api_docs/data_search.devdocs.json @@ -3209,7 +3209,7 @@ "signature": [ "{ page?: number | undefined; filter?: any; aggs?: Record | undefined; search?: string | undefined; namespaces?: string[] | undefined; sortField?: string | undefined; fields?: string[] | undefined; preference?: string | undefined; pit?: ", + "> | undefined; search?: string | undefined; namespaces?: string[] | undefined; fields?: string[] | undefined; sortField?: string | undefined; preference?: string | undefined; pit?: ", { "pluginId": "@kbn/core-saved-objects-api-server", "scope": "common", diff --git a/api_docs/data_search.mdx b/api_docs/data_search.mdx index 207b20925e9a..26187ec86424 100644 --- a/api_docs/data_search.mdx +++ b/api_docs/data_search.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/data-search title: "data.search" image: https://source.unsplash.com/400x175/?github description: API docs for the data.search plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'data.search'] --- import dataSearchObj from './data_search.devdocs.json'; diff --git a/api_docs/data_view_editor.mdx b/api_docs/data_view_editor.mdx index 763f3a675bc5..1b1254e9dad2 100644 --- a/api_docs/data_view_editor.mdx +++ b/api_docs/data_view_editor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViewEditor title: "dataViewEditor" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViewEditor plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViewEditor'] --- import dataViewEditorObj from './data_view_editor.devdocs.json'; diff --git a/api_docs/data_view_field_editor.mdx b/api_docs/data_view_field_editor.mdx index a372eb860b0b..5b7b8ec41f1f 100644 --- a/api_docs/data_view_field_editor.mdx +++ b/api_docs/data_view_field_editor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViewFieldEditor title: "dataViewFieldEditor" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViewFieldEditor plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViewFieldEditor'] --- import dataViewFieldEditorObj from './data_view_field_editor.devdocs.json'; diff --git a/api_docs/data_view_management.mdx b/api_docs/data_view_management.mdx index a668a0abaa96..41e9eacd68de 100644 --- a/api_docs/data_view_management.mdx +++ b/api_docs/data_view_management.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViewManagement title: "dataViewManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViewManagement plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViewManagement'] --- import dataViewManagementObj from './data_view_management.devdocs.json'; diff --git a/api_docs/data_views.devdocs.json b/api_docs/data_views.devdocs.json index 7becaf0b75f2..474c9f9a255a 100644 --- a/api_docs/data_views.devdocs.json +++ b/api_docs/data_views.devdocs.json @@ -4375,7 +4375,7 @@ "section": "def-common.DataViewSpec", "text": "DataViewSpec" }, - ", options?: ", + ", options?: Omit<", { "pluginId": "dataViews", "scope": "common", @@ -4383,7 +4383,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined) => Promise<", + ", \"allowNoIndex\"> | undefined) => Promise<", { "pluginId": "dataViews", "scope": "common", @@ -4436,6 +4436,7 @@ "options for getting field list" ], "signature": [ + "Omit<", { "pluginId": "dataViews", "scope": "common", @@ -4443,7 +4444,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined" + ", \"allowNoIndex\"> | undefined" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, @@ -11627,7 +11628,7 @@ "section": "def-common.DataViewSpec", "text": "DataViewSpec" }, - ", options?: ", + ", options?: Omit<", { "pluginId": "dataViews", "scope": "common", @@ -11635,7 +11636,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined) => Promise<", + ", \"allowNoIndex\"> | undefined) => Promise<", { "pluginId": "dataViews", "scope": "common", @@ -11688,6 +11689,7 @@ "options for getting field list" ], "signature": [ + "Omit<", { "pluginId": "dataViews", "scope": "common", 
@@ -11695,7 +11697,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined" + ", \"allowNoIndex\"> | undefined" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, @@ -19591,7 +19593,7 @@ "section": "def-common.DataViewSpec", "text": "DataViewSpec" }, - ", options?: ", + ", options?: Omit<", { "pluginId": "dataViews", "scope": "common", @@ -19599,7 +19601,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined) => Promise<", + ", \"allowNoIndex\"> | undefined) => Promise<", { "pluginId": "dataViews", "scope": "common", @@ -19652,6 +19654,7 @@ "options for getting field list" ], "signature": [ + "Omit<", { "pluginId": "dataViews", "scope": "common", @@ -19659,7 +19662,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined" + ", \"allowNoIndex\"> | undefined" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, @@ -25114,7 +25117,7 @@ "section": "def-common.DataViewSpec", "text": "DataViewSpec" }, - ", options?: ", + ", options?: Omit<", { "pluginId": "dataViews", "scope": "common", @@ -25122,7 +25125,7 @@ "section": "def-common.GetFieldsOptions", "text": "GetFieldsOptions" }, - " | undefined) => Promise<", + ", \"allowNoIndex\"> | undefined) => Promise<", { "pluginId": "dataViews", "scope": "common", @@ -25860,6 +25863,10 @@ "plugin": "@kbn/core-saved-objects-api-browser", "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, + { + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" + }, { "plugin": "@kbn/core-saved-objects-api-server", "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" 
@@ -25924,6 +25931,10 @@ "plugin": "@kbn/core-saved-objects-browser-internal", "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, { "plugin": "@kbn/core-saved-objects-browser-internal", "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" diff --git a/api_docs/data_views.mdx b/api_docs/data_views.mdx index 9977aa264827..911e8ed99ef5 100644 --- a/api_docs/data_views.mdx +++ b/api_docs/data_views.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViews title: "dataViews" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViews plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViews'] --- import dataViewsObj from './data_views.devdocs.json'; diff --git a/api_docs/data_visualizer.mdx b/api_docs/data_visualizer.mdx index e2b179284df5..d351824fccb6 100644 --- a/api_docs/data_visualizer.mdx +++ b/api_docs/data_visualizer.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataVisualizer title: "dataVisualizer" image: https://source.unsplash.com/400x175/?github description: API docs for the dataVisualizer plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataVisualizer'] --- import dataVisualizerObj from './data_visualizer.devdocs.json'; diff --git a/api_docs/deprecations_by_api.mdx b/api_docs/deprecations_by_api.mdx index b210d67281ac..a2ea98e0e615 100644 --- a/api_docs/deprecations_by_api.mdx +++ b/api_docs/deprecations_by_api.mdx 
@@ -7,7 +7,7 @@ id: kibDevDocsDeprecationsByApi slug: /kibana-dev-docs/api-meta/deprecated-api-list-by-api title: Deprecated API usage by API description: A list of deprecated APIs, which plugins are still referencing them, and when they need to be removed by. -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana'] --- @@ -44,6 +44,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | @kbn/core-saved-objects-common, @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-browser-internal, @kbn/core-saved-objects-api-server, @kbn/core, home, dataViews, savedObjectsTagging, fleet, canvas, osquery, securitySolution, synthetics, savedObjects, @kbn/core-saved-objects-browser-mocks, @kbn/core-saved-objects-import-export-server-internal, savedObjectsTaggingOss, cases, lists, upgradeAssistant, savedObjectsManagement, @kbn/core-ui-settings-server-internal, dashboard | - | | | @kbn/core-saved-objects-common, @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-browser-internal, @kbn/core-saved-objects-api-server, @kbn/core, home, dataViews, savedObjectsTagging, fleet, canvas, osquery, securitySolution, synthetics, savedObjects, @kbn/core-saved-objects-browser-mocks, @kbn/core-saved-objects-import-export-server-internal, savedObjectsTaggingOss, cases, lists, upgradeAssistant, savedObjectsManagement, @kbn/core-ui-settings-server-internal, data | - | | | securitySolution | - | +| | @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-browser-internal, @kbn/core-saved-objects-browser-mocks, @kbn/core-saved-objects-api-server-internal, @kbn/core-saved-objects-import-export-server-internal, @kbn/core-saved-objects-server-internal, fleet, graph, lists, securitySolution | - | | | lists, securitySolution, @kbn/securitysolution-io-ts-list-types | - | | | lists, securitySolution, @kbn/securitysolution-io-ts-list-types | - | | | lists, securitySolution, @kbn/securitysolution-io-ts-list-types | - | 
@@ -67,9 +68,11 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | @kbn/core-saved-objects-browser-mocks, fleet, synthetics, @kbn/core-saved-objects-browser-internal | - | | | @kbn/core-saved-objects-browser-internal, @kbn/core-saved-objects-browser-mocks, dataViews, savedSearch, maps, infra, savedObjects | - | | | @kbn/core-saved-objects-browser-mocks, @kbn/core-saved-objects-browser-internal | - | +| | @kbn/core-saved-objects-browser-mocks, @kbn/core-saved-objects-browser-internal | - | | | @kbn/core-saved-objects-browser-internal | - | | | @kbn/core-saved-objects-browser-internal | - | | | @kbn/core-saved-objects-browser-internal, @kbn/core, dataViews, savedObjects, visualizations, infra | - | +| | @kbn/core-saved-objects-browser-internal, @kbn/core-saved-objects-api-server-internal, canvas | - | | | @kbn/core-saved-objects-browser-internal, @kbn/core | - | | | @kbn/core-saved-objects-browser-internal, @kbn/core, infra | - | | | @kbn/core-saved-objects-browser-internal, @kbn/core, visualizations, cloudSecurityPosture | - | @@ -96,6 +99,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | visTypeTimeseries, graph, dataViewManagement, dataViews | - | | | dataViews, dataViewManagement | - | | | observability, dataVisualizer, fleet, cloudSecurityPosture, discoverEnhanced, osquery, synthetics | - | +| | @kbn/core-saved-objects-api-server-internal, fleet | - | | | canvas | - | | | canvas | - | | | canvas | - | 
@@ -121,6 +125,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | encryptedSavedObjects | - | | | @kbn/core-elasticsearch-server-internal, @kbn/core-plugins-server-internal, console | - | | | @kbn/core-plugins-server-internal | - | +| | @kbn/core-saved-objects-api-server-internal | - | | | security, licenseManagement, ml, apm, crossClusterReplication, logstash, painlessLab, searchprofiler, watcher | 8.8.0 | | | spaces, security, actions, alerting, ml, remoteClusters, graph, indexLifecycleManagement, mapsEms, painlessLab, rollup, searchprofiler, securitySolution, snapshotRestore, transform, upgradeAssistant | 8.8.0 | | | spaces, security, alerting | 8.8.0 | diff --git a/api_docs/deprecations_by_plugin.mdx b/api_docs/deprecations_by_plugin.mdx index f7dd1cdadedf..0b6ced263b38 100644 --- a/api_docs/deprecations_by_plugin.mdx +++ b/api_docs/deprecations_by_plugin.mdx @@ -7,7 +7,7 @@ id: kibDevDocsDeprecationsByPlugin slug: /kibana-dev-docs/api-meta/deprecated-api-list-by-plugin title: Deprecated API usage by plugin description: A list of deprecated APIs, which plugins are still referencing them, and when they need to be removed by. -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana'] --- 
@@ -116,8 +116,9 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject)+ 2 more | - | -| | 
[simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject)+ 26 more | - | +| | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), 
[simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject)+ 3 more | - | +| | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), 
[simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=SavedObject)+ 29 more | - | +| | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=migrationVersion), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts#:~:text=migrationVersion) | - | | | [create.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/apis/create.ts#:~:text=SavedObjectReference), 
[create.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/apis/create.ts#:~:text=SavedObjectReference), [bulk_update.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/apis/bulk_update.ts#:~:text=SavedObjectReference), [bulk_update.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/apis/bulk_update.ts#:~:text=SavedObjectReference), [update.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/apis/update.ts#:~:text=SavedObjectReference), [update.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-browser/src/apis/update.ts#:~:text=SavedObjectReference) | - | 
@@ -132,6 +133,17 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] +## @kbn/core-saved-objects-api-server-internal + +| Deprecated API | Reference location(s) | Remove By | +| ---------------|-----------|-----------| +| | [repository.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts#:~:text=migrationVersion), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=migrationVersion) | - | +| | [repository.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts#:~:text=migrationVersion), [repository.test.common.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts#:~:text=migrationVersion) | - | +| | [repository.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts#:~:text=migrationVersion), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=migrationVersion) | - | +| | [internal_utils.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts#:~:text=migrationVersion), [internal_utils.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts#:~:text=migrationVersion) | - | + + + ## @kbn/core-saved-objects-browser | Deprecated API | Reference location(s) | Remove By | 
@@ -144,8 +156,8 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject)+ 18 
more | - | -| | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject)+ 74 more | - | +| | 
[simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject)+ 19 more | - | +| | 
[simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObject)+ 77 more | - | | | 
[simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObjectsClientContract), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SavedObjectsClientContract), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsClientContract), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsClientContract), [simple_saved_object.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts#:~:text=SavedObjectsClientContract), [simple_saved_object.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts#:~:text=SavedObjectsClientContract) | - | | | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=create), [simple_saved_object.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts#:~:text=create), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=create), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=create), 
[saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=create), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=create), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=create), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=create) | - | | | [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=bulkCreate), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=bulkCreate), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=bulkCreate), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=bulkCreate) | - | 
@@ -159,9 +171,11 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=update), [simple_saved_object.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts#:~:text=update), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=update), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=update), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=update), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=update), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=update), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=update), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=update), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=update) | - | | | 
[saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=bulkUpdate), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=bulkUpdate), [saved_objects_client.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.test.ts#:~:text=bulkUpdate) | - | | | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SimpleSavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SimpleSavedObject), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=SimpleSavedObject), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SimpleSavedObject), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SimpleSavedObject), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SimpleSavedObject), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SimpleSavedObject), 
[saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SimpleSavedObject), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SimpleSavedObject) | - | +| | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=migrationVersion), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=migrationVersion), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=migrationVersion) | - | | | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=save), [simple_saved_object.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts#:~:text=save), [simple_saved_object.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts#:~:text=save) | - | | | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=delete) | - | | | [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsCreateOptions), 
[saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsCreateOptions) | - | +| | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=migrationVersion), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=migrationVersion) | - | | | [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsDeleteOptions), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsDeleteOptions) | - | | | [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBatchResponse), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBatchResponse), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBatchResponse), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBatchResponse), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBatchResponse), 
[saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBatchResponse), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBatchResponse) | - | | | [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsFindOptions), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsFindOptions), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsFindOptions) | - | 
@@ -172,6 +186,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBulkCreateOptions), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBulkCreateOptions) | - | | | [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBulkCreateObject), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBulkCreateObject) | - | | | [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBulkDeleteResponse), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts#:~:text=SavedObjectsBulkDeleteResponse) | - | +| | [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=migrationVersion), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=migrationVersion), [simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=migrationVersion), 
[simple_saved_object.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts#:~:text=migrationVersion) | - | | | [saved_objects_service.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_service.ts#:~:text=SavedObjectsStart), [saved_objects_service.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_service.ts#:~:text=SavedObjectsStart), [saved_objects_service.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_service.ts#:~:text=SavedObjectsStart) | - | 
@@ -195,6 +210,8 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [saved_objects_service.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/saved_objects_service.mock.ts#:~:text=update) | - | | | [saved_objects_service.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/saved_objects_service.mock.ts#:~:text=bulkUpdate) | - | | | [simple_saved_object.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts#:~:text=SimpleSavedObject), [simple_saved_object.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts#:~:text=SimpleSavedObject), [simple_saved_object.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts#:~:text=SimpleSavedObject) | - | +| | [simple_saved_object.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts#:~:text=migrationVersion) | - | +| | [simple_saved_object.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts#:~:text=migrationVersion), [simple_saved_object.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts#:~:text=migrationVersion) | - | | | [saved_objects_service.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/saved_objects_service.mock.ts#:~:text=SavedObjectsStart), 
[saved_objects_service.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/saved_objects_service.mock.ts#:~:text=SavedObjectsStart) | - | | | [saved_objects_service.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/saved_objects_service.mock.ts#:~:text=SavedObjectsService), [saved_objects_service.mock.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-browser-mocks/src/saved_objects_service.mock.ts#:~:text=SavedObjectsService) | - | 
@@ -216,6 +233,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | ---------------|-----------|-----------| | | [errors.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts#:~:text=SavedObject), [errors.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts#:~:text=SavedObject), [regenerate_ids.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts#:~:text=SavedObject), [regenerate_ids.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), 
[apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject)+ 4 more | - | | | [errors.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts#:~:text=SavedObject), [errors.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts#:~:text=SavedObject), [regenerate_ids.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts#:~:text=SavedObject), [regenerate_ids.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), 
[apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject)+ 32 more | - | +| | [collect_saved_objects.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts#:~:text=migrationVersion), [collect_saved_objects.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts#:~:text=migrationVersion) | - | 
@@ -239,6 +257,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| +| | [import_dashboards.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts#:~:text=migrationVersion), [import_dashboards.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts#:~:text=migrationVersion) | - | | | [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes), [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes), [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes), [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes) | - | 
@@ -367,6 +386,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [platform.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/public/services/kibana/platform.ts#:~:text=savedObjects), [platform.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/public/services/kibana/platform.ts#:~:text=savedObjects) | - | | | [platform.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/public/services/platform.ts#:~:text=SavedObjectsClientContract), [platform.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/public/services/platform.ts#:~:text=SavedObjectsClientContract) | - | | | [workpad.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/public/services/workpad.ts#:~:text=ResolvedSimpleSavedObject), [workpad.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/public/services/workpad.ts#:~:text=ResolvedSimpleSavedObject), [workpad.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/public/services/workpad.ts#:~:text=ResolvedSimpleSavedObject), [workpad.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/public/services/workpad.ts#:~:text=ResolvedSimpleSavedObject) | - | +| | [workpad_route_context.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/server/workpad_route_context.ts#:~:text=migrationVersion) | - | | | [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/server/routes/custom_elements/find.ts#:~:text=SavedObjectAttributes), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/server/routes/custom_elements/find.ts#:~:text=SavedObjectAttributes), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/server/routes/workpad/find.ts#:~:text=SavedObjectAttributes), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/server/routes/workpad/find.ts#:~:text=SavedObjectAttributes), 
[types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/shareable_runtime/types.ts#:~:text=SavedObjectAttributes), [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/shareable_runtime/types.ts#:~:text=SavedObjectAttributes), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/server/routes/custom_elements/find.ts#:~:text=SavedObjectAttributes), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/server/routes/custom_elements/find.ts#:~:text=SavedObjectAttributes), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/server/routes/workpad/find.ts#:~:text=SavedObjectAttributes), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/server/routes/workpad/find.ts#:~:text=SavedObjectAttributes) | - | | | [platform.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/public/services/platform.ts#:~:text=SavedObjectsStart), [platform.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/public/services/platform.ts#:~:text=SavedObjectsStart) | - | | | [saved_lens.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/canvas_plugin_src/functions/external/saved_lens.ts#:~:text=SavedObjectReference), [saved_lens.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/canvas_plugin_src/functions/external/saved_lens.ts#:~:text=SavedObjectReference), [saved_map.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/canvas_plugin_src/functions/external/saved_map.ts#:~:text=SavedObjectReference), [saved_map.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/canvas_plugin_src/functions/external/saved_map.ts#:~:text=SavedObjectReference), [saved_search.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/canvas_plugin_src/functions/external/saved_search.ts#:~:text=SavedObjectReference), 
[saved_search.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/canvas_plugin_src/functions/external/saved_search.ts#:~:text=SavedObjectReference), [saved_visualization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/canvas_plugin_src/functions/external/saved_visualization.ts#:~:text=SavedObjectReference), [saved_visualization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/canvas_plugin_src/functions/external/saved_visualization.ts#:~:text=SavedObjectReference), [embeddable.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/canvas_plugin_src/functions/external/embeddable.ts#:~:text=SavedObjectReference), [embeddable.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/canvas/canvas_plugin_src/functions/external/embeddable.ts#:~:text=SavedObjectReference) | - | 
@@ -662,6 +682,8 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [assets.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/assets/assets.tsx#:~:text=bulkResolve) | - | | | [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/assets/types.ts#:~:text=SimpleSavedObject), [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/assets/types.ts#:~:text=SimpleSavedObject) | - | | | [assets.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/assets/assets.tsx#:~:text=ResolvedSimpleSavedObject), [assets.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/assets/assets.tsx#:~:text=ResolvedSimpleSavedObject) | - | +| | [install.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/epm/kibana/assets/install.ts#:~:text=migrationVersion) | - | +| | [install.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/epm/kibana/assets/install.ts#:~:text=migrationVersion), [get.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/epm/packages/get.test.ts#:~:text=migrationVersion), [get.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/epm/packages/get.test.ts#:~:text=migrationVersion), [get.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/epm/packages/get.test.ts#:~:text=migrationVersion), [get.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/epm/packages/get.test.ts#:~:text=migrationVersion), 
[install.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/epm/kibana/assets/install.ts#:~:text=migrationVersion), [get.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/epm/packages/get.test.ts#:~:text=migrationVersion), [get.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/epm/packages/get.test.ts#:~:text=migrationVersion), [get.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/epm/packages/get.test.ts#:~:text=migrationVersion), [get.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/epm/packages/get.test.ts#:~:text=migrationVersion) | - | | | [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObjectAttributes), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObjectAttributes), [settings.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/settings.ts#:~:text=SavedObjectAttributes), [settings.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/settings.ts#:~:text=SavedObjectAttributes) | - | | | [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObjectReference), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObjectReference), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObjectReference), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObjectReference) | - | 
@@ -696,6 +718,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [saved_workspace_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/helpers/saved_workspace_utils.ts#:~:text=resolve) | - | | | [app_state.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/types/app_state.ts#:~:text=SimpleSavedObject), [app_state.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/types/app_state.ts#:~:text=SimpleSavedObject) | - | | | [use_workspace_loader.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/helpers/use_workspace_loader.ts#:~:text=ResolvedSimpleSavedObject), [use_workspace_loader.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/helpers/use_workspace_loader.ts#:~:text=ResolvedSimpleSavedObject), [use_workspace_loader.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/helpers/use_workspace_loader.ts#:~:text=ResolvedSimpleSavedObject), [use_workspace_loader.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/helpers/use_workspace_loader.ts#:~:text=ResolvedSimpleSavedObject) | - | +| | [logs.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/server/sample_data/logs.ts#:~:text=migrationVersion), [ecommerce.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/server/sample_data/ecommerce.ts#:~:text=migrationVersion), [flights.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/server/sample_data/flights.ts#:~:text=migrationVersion), [logs.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/server/sample_data/logs.ts#:~:text=migrationVersion), [ecommerce.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/server/sample_data/ecommerce.ts#:~:text=migrationVersion), [flights.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/server/sample_data/flights.ts#:~:text=migrationVersion) | - | | | 
[saved_workspace_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/services/persistence/saved_workspace_references.ts#:~:text=SavedObjectAttributes), [saved_workspace_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/services/persistence/saved_workspace_references.ts#:~:text=SavedObjectAttributes), [saved_workspace_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/helpers/saved_workspace_utils.ts#:~:text=SavedObjectAttributes), [saved_workspace_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/helpers/saved_workspace_utils.ts#:~:text=SavedObjectAttributes) | - | | | [saved_workspace_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/services/persistence/saved_workspace_references.ts#:~:text=SavedObjectReference), [saved_workspace_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/services/persistence/saved_workspace_references.ts#:~:text=SavedObjectReference), [saved_workspace_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/services/persistence/saved_workspace_references.ts#:~:text=SavedObjectReference), [persistence.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/types/persistence.ts#:~:text=SavedObjectReference), [persistence.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/public/types/persistence.ts#:~:text=SavedObjectReference) | - | | | [graph_workspace.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/graph/server/saved_objects/graph_workspace.ts#:~:text=convertToMultiNamespaceTypeVersion) | - | 
@@ -823,6 +846,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title)+ 8 more | - | | | [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), 
[helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title)+ 8 more | - | | | [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), 
[helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title), [helpers.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts#:~:text=title) | - | +| | [exception_list_client.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts#:~:text=migrationVersion), [exception_list_client.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts#:~:text=migrationVersion) | - | | | [exception_list.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/saved_objects/exception_list.ts#:~:text=convertToMultiNamespaceTypeVersion) | - | | | [create_endpoint_trusted_apps_list.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/services/exception_lists/create_endpoint_trusted_apps_list.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [create_endpoint_trusted_apps_list.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/services/exception_lists/create_endpoint_trusted_apps_list.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [create_endpoint_trusted_apps_list.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/services/exception_lists/create_endpoint_trusted_apps_list.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/saved_objects/migrations.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), 
[migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/saved_objects/migrations.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/saved_objects/migrations.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [exception_list_schema.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/common/schemas/response/exception_list_schema.mock.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [exception_list_schema.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/common/schemas/response/exception_list_schema.mock.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [migrations.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/saved_objects/migrations.test.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [migrations.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/saved_objects/migrations.test.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID)+ 7 more | - | | | [create_endpoint_trusted_apps_list.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/services/exception_lists/create_endpoint_trusted_apps_list.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_NAME), [create_endpoint_trusted_apps_list.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/server/services/exception_lists/create_endpoint_trusted_apps_list.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_NAME), [exception_list_schema.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/common/schemas/response/exception_list_schema.mock.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_NAME), [exception_list_schema.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lists/common/schemas/response/exception_list_schema.mock.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_NAME) | - | 
@@ -1111,6 +1135,7 @@ migrates to using the Kibana Privilege model: https://github.com/elastic/kibana/ | | [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/common/containers/dashboards/utils.ts#:~:text=SavedObjectsClientContract), [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/common/containers/dashboards/utils.ts#:~:text=SavedObjectsClientContract), [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/common/containers/dashboards/utils.ts#:~:text=SavedObjectsClientContract), [utils.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/common/containers/dashboards/utils.test.ts#:~:text=SavedObjectsClientContract), [utils.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/common/containers/dashboards/utils.test.ts#:~:text=SavedObjectsClientContract) | - | | | [use_dashboard_button_href.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/common/hooks/use_dashboard_button_href.ts#:~:text=find), [index.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/overview/containers/overview_cti_links/index.tsx#:~:text=find), [index.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/overview/containers/overview_cti_links/index.tsx#:~:text=find), [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/common/containers/dashboards/utils.ts#:~:text=find), [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/common/containers/dashboards/utils.ts#:~:text=find) | - | | | [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/common/hooks/types.ts#:~:text=SimpleSavedObject), 
[types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/common/hooks/types.ts#:~:text=SimpleSavedObject) | - | +| | [host_risk_score_dashboards.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts#:~:text=migrationVersion), [host_risk_score_dashboards.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts#:~:text=migrationVersion), [host_risk_score_dashboards.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts#:~:text=migrationVersion), [host_risk_score_dashboards.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts#:~:text=migrationVersion), [host_risk_score_dashboards.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts#:~:text=migrationVersion), [host_risk_score_dashboards.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts#:~:text=migrationVersion), [host_risk_score_dashboards.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts#:~:text=migrationVersion), [host_risk_score_dashboards.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts#:~:text=migrationVersion), 
[host_risk_score_dashboards.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts#:~:text=migrationVersion), [host_risk_score_dashboards.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts#:~:text=migrationVersion)+ 44 more | - | | | [legacy_types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/rule_actions/legacy_types.ts#:~:text=SavedObjectAttributes), [legacy_types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/rule_actions/legacy_types.ts#:~:text=SavedObjectAttributes), [legacy_migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/rule_actions/legacy_migrations.ts#:~:text=SavedObjectAttributes), [legacy_migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/rule_actions/legacy_migrations.ts#:~:text=SavedObjectAttributes), [legacy_types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/rule_actions/legacy_types.ts#:~:text=SavedObjectAttributes), [legacy_types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/rule_actions/legacy_types.ts#:~:text=SavedObjectAttributes), [legacy_migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/rule_actions/legacy_migrations.ts#:~:text=SavedObjectAttributes), 
[legacy_migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/rule_actions/legacy_migrations.ts#:~:text=SavedObjectAttributes) | - | | | [timelines.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/timeline/saved_object_mappings/timelines.ts#:~:text=convertToMultiNamespaceTypeVersion), [notes.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/timeline/saved_object_mappings/notes.ts#:~:text=convertToMultiNamespaceTypeVersion), [pinned_events.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/timeline/saved_object_mappings/pinned_events.ts#:~:text=convertToMultiNamespaceTypeVersion), [legacy_saved_object_mappings.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/rule_actions/legacy_saved_object_mappings.ts#:~:text=convertToMultiNamespaceTypeVersion) | - | | | [policy_hooks.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_hooks.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [policy_hooks.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_hooks.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [constants.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/management/pages/trusted_apps/constants.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [constants.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/management/pages/trusted_apps/constants.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [api_client.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/management/pages/trusted_apps/service/api_client.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), 
[api_client.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/management/pages/trusted_apps/service/api_client.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [api_client.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/public/management/pages/trusted_apps/service/api_client.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [lists.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/lists.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [manifest_manager.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID), [manifest_manager.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts#:~:text=ENDPOINT_TRUSTED_APPS_LIST_ID)+ 34 more | - |
diff --git a/api_docs/deprecations_by_team.mdx b/api_docs/deprecations_by_team.mdx
index ab57fe4ece08..64b60a93ccdf 100644
--- a/api_docs/deprecations_by_team.mdx
+++ b/api_docs/deprecations_by_team.mdx
@@ -7,7 +7,7 @@ id: kibDevDocsDeprecationsDueByTeam
 slug: /kibana-dev-docs/api-meta/deprecations-due-by-team
 title: Deprecated APIs due to be removed, by team
 description: Lists the teams that are referencing deprecated APIs with a remove by date.
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana']
 ---
diff --git a/api_docs/dev_tools.mdx b/api_docs/dev_tools.mdx
index 38a901418cf0..39b4254ffb25 100644
--- a/api_docs/dev_tools.mdx
+++ b/api_docs/dev_tools.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/devTools
 title: "devTools"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the devTools plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'devTools']
 ---
 import devToolsObj from './dev_tools.devdocs.json';
diff --git a/api_docs/discover.mdx b/api_docs/discover.mdx
index 1c4890e467b9..2a8298c88db6 100644
--- a/api_docs/discover.mdx
+++ b/api_docs/discover.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/discover
 title: "discover"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the discover plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'discover']
 ---
 import discoverObj from './discover.devdocs.json';
diff --git a/api_docs/discover_enhanced.mdx b/api_docs/discover_enhanced.mdx
index 8db358784c6b..fa3174654209 100644
--- a/api_docs/discover_enhanced.mdx
+++ b/api_docs/discover_enhanced.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/discoverEnhanced
 title: "discoverEnhanced"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the discoverEnhanced plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'discoverEnhanced']
 ---
 import discoverEnhancedObj from './discover_enhanced.devdocs.json';
diff --git a/api_docs/ecs_data_quality_dashboard.mdx b/api_docs/ecs_data_quality_dashboard.mdx
index fd459900a062..2e0ca24f71a0 100644
--- a/api_docs/ecs_data_quality_dashboard.mdx
+++ b/api_docs/ecs_data_quality_dashboard.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/ecsDataQualityDashboard
 title: "ecsDataQualityDashboard"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the ecsDataQualityDashboard plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'ecsDataQualityDashboard']
 ---
 import ecsDataQualityDashboardObj from './ecs_data_quality_dashboard.devdocs.json';
diff --git a/api_docs/embeddable.mdx b/api_docs/embeddable.mdx
index 6ade9ffcc892..ac9ab27987d5 100644
--- a/api_docs/embeddable.mdx
+++ b/api_docs/embeddable.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/embeddable
 title: "embeddable"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the embeddable plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'embeddable']
 ---
 import embeddableObj from './embeddable.devdocs.json';
diff --git a/api_docs/embeddable_enhanced.mdx b/api_docs/embeddable_enhanced.mdx
index 87ac6165d03f..2bc17ac616d6 100644
--- a/api_docs/embeddable_enhanced.mdx
+++ b/api_docs/embeddable_enhanced.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/embeddableEnhanced
 title: "embeddableEnhanced"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the embeddableEnhanced plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'embeddableEnhanced']
 ---
 import embeddableEnhancedObj from './embeddable_enhanced.devdocs.json';
diff --git a/api_docs/encrypted_saved_objects.mdx b/api_docs/encrypted_saved_objects.mdx
index d4bd7a19fa8d..abc88d49705a 100644
--- a/api_docs/encrypted_saved_objects.mdx
+++ b/api_docs/encrypted_saved_objects.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/encryptedSavedObjects
 title: "encryptedSavedObjects"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the encryptedSavedObjects plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'encryptedSavedObjects']
 ---
 import encryptedSavedObjectsObj from './encrypted_saved_objects.devdocs.json';
diff --git a/api_docs/enterprise_search.mdx b/api_docs/enterprise_search.mdx
index 6939157e5df5..eb3402a1059d 100644
--- a/api_docs/enterprise_search.mdx
+++ b/api_docs/enterprise_search.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/enterpriseSearch
 title: "enterpriseSearch"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the enterpriseSearch plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'enterpriseSearch']
 ---
 import enterpriseSearchObj from './enterprise_search.devdocs.json';
diff --git a/api_docs/es_ui_shared.mdx b/api_docs/es_ui_shared.mdx
index 9712e236b3d4..982d44c0dfbf 100644
--- a/api_docs/es_ui_shared.mdx
+++ b/api_docs/es_ui_shared.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/esUiShared
 title: "esUiShared"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the esUiShared plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'esUiShared']
 ---
 import esUiSharedObj from './es_ui_shared.devdocs.json';
diff --git a/api_docs/event_annotation.mdx b/api_docs/event_annotation.mdx
index 3707d8d26e0c..2924e94960c5 100644
--- a/api_docs/event_annotation.mdx
+++ b/api_docs/event_annotation.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/eventAnnotation
 title: "eventAnnotation"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the eventAnnotation plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'eventAnnotation']
 ---
 import eventAnnotationObj from './event_annotation.devdocs.json';
diff --git a/api_docs/event_log.mdx b/api_docs/event_log.mdx
index 1333140bf5ff..f0b06b7071b3 100644
--- a/api_docs/event_log.mdx
+++ b/api_docs/event_log.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/eventLog
 title: "eventLog"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the eventLog plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'eventLog']
 ---
 import eventLogObj from './event_log.devdocs.json';
diff --git a/api_docs/expression_error.mdx b/api_docs/expression_error.mdx
index 5defbeb350f3..299eac769957 100644
--- a/api_docs/expression_error.mdx
+++ b/api_docs/expression_error.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionError
 title: "expressionError"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionError plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionError']
 ---
 import expressionErrorObj from './expression_error.devdocs.json';
diff --git a/api_docs/expression_gauge.mdx b/api_docs/expression_gauge.mdx
index 7c656e65b6e5..230ad7c7b582 100644
--- a/api_docs/expression_gauge.mdx
+++ b/api_docs/expression_gauge.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionGauge
 title: "expressionGauge"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionGauge plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionGauge']
 ---
 import expressionGaugeObj from './expression_gauge.devdocs.json';
diff --git a/api_docs/expression_heatmap.mdx b/api_docs/expression_heatmap.mdx
index a282c9f6a361..b1005e44dd54 100644
--- a/api_docs/expression_heatmap.mdx
+++ b/api_docs/expression_heatmap.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionHeatmap
 title: "expressionHeatmap"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionHeatmap plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionHeatmap']
 ---
 import expressionHeatmapObj from './expression_heatmap.devdocs.json';
diff --git a/api_docs/expression_image.mdx b/api_docs/expression_image.mdx
index 636619730455..b83cf89a4968 100644
--- a/api_docs/expression_image.mdx
+++ b/api_docs/expression_image.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionImage
 title: "expressionImage"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionImage plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionImage']
 ---
 import expressionImageObj from './expression_image.devdocs.json';
diff --git a/api_docs/expression_legacy_metric_vis.mdx b/api_docs/expression_legacy_metric_vis.mdx
index f1060e246191..a8205ae96d1e 100644
--- a/api_docs/expression_legacy_metric_vis.mdx
+++ b/api_docs/expression_legacy_metric_vis.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionLegacyMetricVis
 title: "expressionLegacyMetricVis"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionLegacyMetricVis plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionLegacyMetricVis']
 ---
 import expressionLegacyMetricVisObj from './expression_legacy_metric_vis.devdocs.json';
diff --git a/api_docs/expression_metric.mdx b/api_docs/expression_metric.mdx
index 61a1f50be081..36aebe7a2085 100644
--- a/api_docs/expression_metric.mdx
+++ b/api_docs/expression_metric.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionMetric
 title: "expressionMetric"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionMetric plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionMetric']
 ---
 import expressionMetricObj from './expression_metric.devdocs.json';
diff --git a/api_docs/expression_metric_vis.mdx b/api_docs/expression_metric_vis.mdx
index 2b978f2cb969..52f7e613a594 100644
--- a/api_docs/expression_metric_vis.mdx
+++ b/api_docs/expression_metric_vis.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionMetricVis
 title: "expressionMetricVis"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionMetricVis plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionMetricVis']
 ---
 import expressionMetricVisObj from './expression_metric_vis.devdocs.json';
diff --git a/api_docs/expression_partition_vis.mdx b/api_docs/expression_partition_vis.mdx
index cb8cee628bd7..22b521d03c6c 100644
--- a/api_docs/expression_partition_vis.mdx
+++ b/api_docs/expression_partition_vis.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionPartitionVis
 title: "expressionPartitionVis"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionPartitionVis plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionPartitionVis']
 ---
 import expressionPartitionVisObj from './expression_partition_vis.devdocs.json';
diff --git a/api_docs/expression_repeat_image.mdx b/api_docs/expression_repeat_image.mdx
index 509f27619509..9b9f72aaf2cf 100644
--- a/api_docs/expression_repeat_image.mdx
+++ b/api_docs/expression_repeat_image.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionRepeatImage
 title: "expressionRepeatImage"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionRepeatImage plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionRepeatImage']
 ---
 import expressionRepeatImageObj from './expression_repeat_image.devdocs.json';
diff --git a/api_docs/expression_reveal_image.mdx b/api_docs/expression_reveal_image.mdx
index e3931fddb6ce..784237c1ce06 100644
--- a/api_docs/expression_reveal_image.mdx
+++ b/api_docs/expression_reveal_image.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionRevealImage
 title: "expressionRevealImage"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionRevealImage plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionRevealImage']
 ---
 import expressionRevealImageObj from './expression_reveal_image.devdocs.json';
diff --git a/api_docs/expression_shape.mdx b/api_docs/expression_shape.mdx
index ceef381b5ea6..c21fda9b36b6 100644
--- a/api_docs/expression_shape.mdx
+++ b/api_docs/expression_shape.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionShape
 title: "expressionShape"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionShape plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionShape']
 ---
 import expressionShapeObj from './expression_shape.devdocs.json';
diff --git a/api_docs/expression_tagcloud.mdx b/api_docs/expression_tagcloud.mdx
index 44395d8a46ca..f928ed3c87c5 100644
--- a/api_docs/expression_tagcloud.mdx
+++ b/api_docs/expression_tagcloud.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionTagcloud
 title: "expressionTagcloud"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionTagcloud plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionTagcloud']
 ---
 import expressionTagcloudObj from './expression_tagcloud.devdocs.json';
diff --git a/api_docs/expression_x_y.mdx b/api_docs/expression_x_y.mdx
index 2bccc9f00657..f9ad00b1c7e8 100644
--- a/api_docs/expression_x_y.mdx
+++ b/api_docs/expression_x_y.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionXY
 title: "expressionXY"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressionXY plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionXY']
 ---
 import expressionXYObj from './expression_x_y.devdocs.json';
diff --git a/api_docs/expressions.mdx b/api_docs/expressions.mdx
index 8070ae7cdf65..d139ad1de936 100644
--- a/api_docs/expressions.mdx
+++ b/api_docs/expressions.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressions
 title: "expressions"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the expressions plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressions']
 ---
 import expressionsObj from './expressions.devdocs.json';
diff --git a/api_docs/features.mdx b/api_docs/features.mdx
index 87a64fa2482c..708af8375f8b 100644
--- a/api_docs/features.mdx
+++ b/api_docs/features.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/features
 title: "features"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the features plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'features']
 ---
 import featuresObj from './features.devdocs.json';
diff --git a/api_docs/field_formats.mdx b/api_docs/field_formats.mdx
index fad65e92254c..90a083a93a9a 100644
--- a/api_docs/field_formats.mdx
+++ b/api_docs/field_formats.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/fieldFormats
 title: "fieldFormats"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the fieldFormats plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'fieldFormats']
 ---
 import fieldFormatsObj from './field_formats.devdocs.json';
diff --git a/api_docs/file_upload.mdx b/api_docs/file_upload.mdx
index 208968005e6c..4a832cb285bf 100644
--- a/api_docs/file_upload.mdx
+++ b/api_docs/file_upload.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/fileUpload
 title: "fileUpload"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the fileUpload plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'fileUpload']
 ---
 import fileUploadObj from './file_upload.devdocs.json';
diff --git a/api_docs/files.mdx b/api_docs/files.mdx
index 7e30e2546630..7853a6e8c094 100644
--- a/api_docs/files.mdx
+++ b/api_docs/files.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/files
 title: "files"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the files plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'files']
 ---
 import filesObj from './files.devdocs.json';
diff --git a/api_docs/files_management.mdx b/api_docs/files_management.mdx
index e7f330b243a2..415e3022ad94 100644
--- a/api_docs/files_management.mdx
+++ b/api_docs/files_management.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/filesManagement
 title: "filesManagement"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the filesManagement plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'filesManagement']
 ---
 import filesManagementObj from './files_management.devdocs.json';
diff --git a/api_docs/fleet.mdx b/api_docs/fleet.mdx
index 58a735c17ee3..d0174b9123df 100644
--- a/api_docs/fleet.mdx
+++ b/api_docs/fleet.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/fleet
 title: "fleet"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the fleet plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'fleet']
 ---
 import fleetObj from './fleet.devdocs.json';
diff --git a/api_docs/global_search.mdx b/api_docs/global_search.mdx
index c005ddf286b8..bdfeb1b1e7f0 100644
--- a/api_docs/global_search.mdx
+++ b/api_docs/global_search.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/globalSearch
 title: "globalSearch"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the globalSearch plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'globalSearch']
 ---
 import globalSearchObj from './global_search.devdocs.json';
diff --git a/api_docs/guided_onboarding.mdx b/api_docs/guided_onboarding.mdx
index f6b103ca7394..145381c4cb13 100644
--- a/api_docs/guided_onboarding.mdx
+++ b/api_docs/guided_onboarding.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/guidedOnboarding
 title: "guidedOnboarding"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the guidedOnboarding plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'guidedOnboarding']
 ---
 import guidedOnboardingObj from './guided_onboarding.devdocs.json';
diff --git a/api_docs/home.mdx b/api_docs/home.mdx
index 36c0007246be..552d380b054d 100644
--- a/api_docs/home.mdx
+++ b/api_docs/home.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/home
 title: "home"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the home plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'home']
 ---
 import homeObj from './home.devdocs.json';
diff --git a/api_docs/image_embeddable.mdx b/api_docs/image_embeddable.mdx
index 3e174d6c7e81..f3445308deba 100644
--- a/api_docs/image_embeddable.mdx
+++ b/api_docs/image_embeddable.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/imageEmbeddable
 title: "imageEmbeddable"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the imageEmbeddable plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'imageEmbeddable']
 ---
 import imageEmbeddableObj from './image_embeddable.devdocs.json';
diff --git a/api_docs/index_lifecycle_management.mdx b/api_docs/index_lifecycle_management.mdx
index a583e7e2a218..aa85e371d701 100644
--- a/api_docs/index_lifecycle_management.mdx
+++ b/api_docs/index_lifecycle_management.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/indexLifecycleManagement
 title: "indexLifecycleManagement"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the indexLifecycleManagement plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'indexLifecycleManagement']
 ---
 import indexLifecycleManagementObj from './index_lifecycle_management.devdocs.json';
diff --git a/api_docs/index_management.mdx b/api_docs/index_management.mdx
index 87cfc2a3cf24..6d8b56971844 100644
--- a/api_docs/index_management.mdx
+++ b/api_docs/index_management.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/indexManagement
 title: "indexManagement"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the indexManagement plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'indexManagement']
 ---
 import indexManagementObj from './index_management.devdocs.json';
diff --git a/api_docs/infra.mdx b/api_docs/infra.mdx
index 1240bfc5ca3f..970ef063ded7 100644
--- a/api_docs/infra.mdx
+++ b/api_docs/infra.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/infra
 title: "infra"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the infra plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'infra']
 ---
 import infraObj from './infra.devdocs.json';
diff --git a/api_docs/inspector.mdx b/api_docs/inspector.mdx
index d341c1e9dd17..0abbbefed964 100644
--- a/api_docs/inspector.mdx
+++ b/api_docs/inspector.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/inspector
 title: "inspector"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the inspector plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'inspector']
 ---
 import inspectorObj from './inspector.devdocs.json';
diff --git a/api_docs/interactive_setup.mdx b/api_docs/interactive_setup.mdx
index 6d7a79d39aa8..f2843dd25499 100644
--- a/api_docs/interactive_setup.mdx
+++ b/api_docs/interactive_setup.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/interactiveSetup
 title: "interactiveSetup"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the interactiveSetup plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'interactiveSetup']
 ---
 import interactiveSetupObj from './interactive_setup.devdocs.json';
diff --git a/api_docs/kbn_ace.mdx b/api_docs/kbn_ace.mdx
index 01eff6af41b3..aa31002c1ff6 100644
--- a/api_docs/kbn_ace.mdx
+++ b/api_docs/kbn_ace.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ace
 title: "@kbn/ace"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/ace plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ace']
 ---
 import kbnAceObj from './kbn_ace.devdocs.json';
diff --git a/api_docs/kbn_aiops_components.mdx b/api_docs/kbn_aiops_components.mdx
index ee1d0b95e09c..0ddd998274d7 100644
--- a/api_docs/kbn_aiops_components.mdx
+++ b/api_docs/kbn_aiops_components.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-aiops-components
 title: "@kbn/aiops-components"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/aiops-components plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/aiops-components']
 ---
 import kbnAiopsComponentsObj from './kbn_aiops_components.devdocs.json';
diff --git a/api_docs/kbn_aiops_utils.mdx b/api_docs/kbn_aiops_utils.mdx
index 79d26665bfe7..5285f44cb218 100644
--- a/api_docs/kbn_aiops_utils.mdx
+++ b/api_docs/kbn_aiops_utils.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-aiops-utils
 title: "@kbn/aiops-utils"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/aiops-utils plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/aiops-utils']
 ---
 import kbnAiopsUtilsObj from './kbn_aiops_utils.devdocs.json';
diff --git a/api_docs/kbn_alerts.mdx b/api_docs/kbn_alerts.mdx
index e1a675a1fc95..82447be99352 100644
--- a/api_docs/kbn_alerts.mdx
+++ b/api_docs/kbn_alerts.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-alerts
 title: "@kbn/alerts"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/alerts plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/alerts']
 ---
 import kbnAlertsObj from './kbn_alerts.devdocs.json';
diff --git a/api_docs/kbn_alerts_as_data_utils.mdx b/api_docs/kbn_alerts_as_data_utils.mdx
index 78c8c50abe40..267bc82f3c22 100644
--- a/api_docs/kbn_alerts_as_data_utils.mdx
+++ b/api_docs/kbn_alerts_as_data_utils.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-alerts-as-data-utils
 title: "@kbn/alerts-as-data-utils"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/alerts-as-data-utils plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/alerts-as-data-utils']
 ---
 import kbnAlertsAsDataUtilsObj from './kbn_alerts_as_data_utils.devdocs.json';
diff --git a/api_docs/kbn_alerts_ui_shared.mdx b/api_docs/kbn_alerts_ui_shared.mdx
index 3fd5cad17f6d..f64316380ff2 100644
--- a/api_docs/kbn_alerts_ui_shared.mdx
+++ b/api_docs/kbn_alerts_ui_shared.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-alerts-ui-shared
 title: "@kbn/alerts-ui-shared"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/alerts-ui-shared plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/alerts-ui-shared']
 ---
 import kbnAlertsUiSharedObj from './kbn_alerts_ui_shared.devdocs.json';
diff --git a/api_docs/kbn_analytics.mdx b/api_docs/kbn_analytics.mdx
index 492ef29469bf..26ee63e17f49 100644
--- a/api_docs/kbn_analytics.mdx
+++ b/api_docs/kbn_analytics.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics
 title: "@kbn/analytics"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/analytics plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics']
 ---
 import kbnAnalyticsObj from './kbn_analytics.devdocs.json';
diff --git a/api_docs/kbn_analytics_client.mdx b/api_docs/kbn_analytics_client.mdx
index ca6db2a280da..33add954e50e 100644
--- a/api_docs/kbn_analytics_client.mdx
+++ b/api_docs/kbn_analytics_client.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-client
 title: "@kbn/analytics-client"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/analytics-client plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-client']
 ---
 import kbnAnalyticsClientObj from './kbn_analytics_client.devdocs.json';
diff --git a/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx b/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx
index 787a06a4b2b2..671776336a3a 100644
--- a/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx
+++ b/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-elastic-v3-browser
 title: "@kbn/analytics-shippers-elastic-v3-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/analytics-shippers-elastic-v3-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-elastic-v3-browser']
 ---
 import kbnAnalyticsShippersElasticV3BrowserObj from './kbn_analytics_shippers_elastic_v3_browser.devdocs.json';
diff --git a/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx b/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx
index 4194156cbad5..ae90fea08775 100644
--- a/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx
+++ b/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-elastic-v3-common
 title: "@kbn/analytics-shippers-elastic-v3-common"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/analytics-shippers-elastic-v3-common plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-elastic-v3-common']
 ---
 import kbnAnalyticsShippersElasticV3CommonObj from './kbn_analytics_shippers_elastic_v3_common.devdocs.json';
diff --git a/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx b/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx
index e34b4586bdf5..3fb68a8cf002 100644
--- a/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx
+++ b/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-elastic-v3-server
 title: "@kbn/analytics-shippers-elastic-v3-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/analytics-shippers-elastic-v3-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-elastic-v3-server']
 ---
 import kbnAnalyticsShippersElasticV3ServerObj from './kbn_analytics_shippers_elastic_v3_server.devdocs.json';
diff --git a/api_docs/kbn_analytics_shippers_fullstory.mdx b/api_docs/kbn_analytics_shippers_fullstory.mdx
index 9532c3e13d83..a87e3530e5f0 100644
--- a/api_docs/kbn_analytics_shippers_fullstory.mdx
+++ b/api_docs/kbn_analytics_shippers_fullstory.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-fullstory
 title: "@kbn/analytics-shippers-fullstory"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/analytics-shippers-fullstory plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-fullstory']
 ---
 import kbnAnalyticsShippersFullstoryObj from './kbn_analytics_shippers_fullstory.devdocs.json';
diff --git a/api_docs/kbn_analytics_shippers_gainsight.mdx b/api_docs/kbn_analytics_shippers_gainsight.mdx
index 569d79015a58..9986bf397640 100644
--- a/api_docs/kbn_analytics_shippers_gainsight.mdx
+++ b/api_docs/kbn_analytics_shippers_gainsight.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-gainsight
 title: "@kbn/analytics-shippers-gainsight"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/analytics-shippers-gainsight plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-gainsight']
 ---
 import kbnAnalyticsShippersGainsightObj from './kbn_analytics_shippers_gainsight.devdocs.json';
diff --git a/api_docs/kbn_apm_config_loader.mdx b/api_docs/kbn_apm_config_loader.mdx
index e1c3fcd061db..eda70b297ca2 100644
--- a/api_docs/kbn_apm_config_loader.mdx
+++ b/api_docs/kbn_apm_config_loader.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-apm-config-loader
 title: "@kbn/apm-config-loader"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/apm-config-loader plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/apm-config-loader']
 ---
 import kbnApmConfigLoaderObj from './kbn_apm_config_loader.devdocs.json';
diff --git a/api_docs/kbn_apm_synthtrace.mdx b/api_docs/kbn_apm_synthtrace.mdx
index 6ca15cc36b36..45c3846d12c1 100644
--- a/api_docs/kbn_apm_synthtrace.mdx
+++ b/api_docs/kbn_apm_synthtrace.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-apm-synthtrace
 title: "@kbn/apm-synthtrace"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/apm-synthtrace plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/apm-synthtrace']
 ---
 import kbnApmSynthtraceObj from './kbn_apm_synthtrace.devdocs.json';
diff --git a/api_docs/kbn_apm_synthtrace_client.mdx b/api_docs/kbn_apm_synthtrace_client.mdx
index d241b55fb519..8d94ec65b5c3 100644
--- a/api_docs/kbn_apm_synthtrace_client.mdx
+++ b/api_docs/kbn_apm_synthtrace_client.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-apm-synthtrace-client
 title: "@kbn/apm-synthtrace-client"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/apm-synthtrace-client plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/apm-synthtrace-client']
 ---
 import kbnApmSynthtraceClientObj from './kbn_apm_synthtrace_client.devdocs.json';
diff --git a/api_docs/kbn_apm_utils.mdx b/api_docs/kbn_apm_utils.mdx
index 013fdb121551..a5051ed653ff 100644
--- a/api_docs/kbn_apm_utils.mdx
+++ b/api_docs/kbn_apm_utils.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-apm-utils
 title: "@kbn/apm-utils"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/apm-utils plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/apm-utils']
 ---
 import kbnApmUtilsObj from './kbn_apm_utils.devdocs.json';
diff --git a/api_docs/kbn_axe_config.mdx b/api_docs/kbn_axe_config.mdx
index 05650185354a..fcb5179003a8 100644
--- a/api_docs/kbn_axe_config.mdx
+++ b/api_docs/kbn_axe_config.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-axe-config
 title: "@kbn/axe-config"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/axe-config plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/axe-config']
 ---
 import kbnAxeConfigObj from './kbn_axe_config.devdocs.json';
diff --git a/api_docs/kbn_cases_components.mdx b/api_docs/kbn_cases_components.mdx
index 620c2c13e591..17007a13722a 100644
--- a/api_docs/kbn_cases_components.mdx
+++ b/api_docs/kbn_cases_components.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-cases-components
 title: "@kbn/cases-components"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/cases-components plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/cases-components']
 ---
 import kbnCasesComponentsObj from './kbn_cases_components.devdocs.json';
diff --git a/api_docs/kbn_cell_actions.mdx b/api_docs/kbn_cell_actions.mdx
index c81e59a3158a..851575a700a2 100644
--- a/api_docs/kbn_cell_actions.mdx
+++ b/api_docs/kbn_cell_actions.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-cell-actions
 title: "@kbn/cell-actions"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/cell-actions plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/cell-actions']
 ---
 import kbnCellActionsObj from './kbn_cell_actions.devdocs.json';
diff --git a/api_docs/kbn_chart_expressions_common.mdx b/api_docs/kbn_chart_expressions_common.mdx
index c7ab312dd8ce..c85adfffc722 100644
--- a/api_docs/kbn_chart_expressions_common.mdx
+++ b/api_docs/kbn_chart_expressions_common.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-chart-expressions-common
 title: "@kbn/chart-expressions-common"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/chart-expressions-common plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/chart-expressions-common']
 ---
 import kbnChartExpressionsCommonObj from './kbn_chart_expressions_common.devdocs.json';
diff --git a/api_docs/kbn_chart_icons.mdx b/api_docs/kbn_chart_icons.mdx
index 58a9a7f4bd94..75bbef94b0dd 100644
--- a/api_docs/kbn_chart_icons.mdx
+++ b/api_docs/kbn_chart_icons.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-chart-icons
 title: "@kbn/chart-icons"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/chart-icons plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/chart-icons']
 ---
 import kbnChartIconsObj from './kbn_chart_icons.devdocs.json';
diff --git a/api_docs/kbn_ci_stats_core.mdx b/api_docs/kbn_ci_stats_core.mdx
index 1802847917d5..16aac6f85ac6 100644
--- a/api_docs/kbn_ci_stats_core.mdx
+++ b/api_docs/kbn_ci_stats_core.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ci-stats-core
 title: "@kbn/ci-stats-core"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/ci-stats-core plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ci-stats-core']
 ---
 import kbnCiStatsCoreObj from './kbn_ci_stats_core.devdocs.json';
diff --git a/api_docs/kbn_ci_stats_performance_metrics.mdx b/api_docs/kbn_ci_stats_performance_metrics.mdx
index 2a60dbb46c38..30b748e562e9 100644
--- a/api_docs/kbn_ci_stats_performance_metrics.mdx
+++ b/api_docs/kbn_ci_stats_performance_metrics.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ci-stats-performance-metrics
 title: "@kbn/ci-stats-performance-metrics"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/ci-stats-performance-metrics plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ci-stats-performance-metrics']
 ---
 import kbnCiStatsPerformanceMetricsObj from './kbn_ci_stats_performance_metrics.devdocs.json';
diff --git a/api_docs/kbn_ci_stats_reporter.mdx b/api_docs/kbn_ci_stats_reporter.mdx
index a22a37579291..febce7afa034 100644
--- a/api_docs/kbn_ci_stats_reporter.mdx
+++ b/api_docs/kbn_ci_stats_reporter.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ci-stats-reporter
 title: "@kbn/ci-stats-reporter"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/ci-stats-reporter plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ci-stats-reporter']
 ---
 import kbnCiStatsReporterObj from './kbn_ci_stats_reporter.devdocs.json';
diff --git a/api_docs/kbn_cli_dev_mode.mdx b/api_docs/kbn_cli_dev_mode.mdx
index d4009c53f4d1..9bb611b130a5 100644
--- a/api_docs/kbn_cli_dev_mode.mdx
+++ b/api_docs/kbn_cli_dev_mode.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-cli-dev-mode
 title: "@kbn/cli-dev-mode"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/cli-dev-mode plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/cli-dev-mode']
 ---
 import kbnCliDevModeObj from './kbn_cli_dev_mode.devdocs.json';
diff --git a/api_docs/kbn_code_editor.mdx b/api_docs/kbn_code_editor.mdx
index 31043617bbe2..bde129d806a5 100644
--- a/api_docs/kbn_code_editor.mdx
+++ b/api_docs/kbn_code_editor.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-code-editor
 title: "@kbn/code-editor"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/code-editor plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/code-editor']
 ---
 import kbnCodeEditorObj from './kbn_code_editor.devdocs.json';
diff --git a/api_docs/kbn_code_editor_mocks.mdx b/api_docs/kbn_code_editor_mocks.mdx
index 09e3432c5b70..c6d76ece54fe 100644
--- a/api_docs/kbn_code_editor_mocks.mdx
+++ b/api_docs/kbn_code_editor_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-code-editor-mocks
 title: "@kbn/code-editor-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/code-editor-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/code-editor-mocks']
 ---
 import kbnCodeEditorMocksObj from './kbn_code_editor_mocks.devdocs.json';
diff --git a/api_docs/kbn_coloring.mdx b/api_docs/kbn_coloring.mdx
index bac6eef3e358..3910fbc37db8 100644
--- a/api_docs/kbn_coloring.mdx
+++ b/api_docs/kbn_coloring.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-coloring
 title: "@kbn/coloring"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/coloring plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/coloring']
 ---
 import kbnColoringObj from './kbn_coloring.devdocs.json';
diff --git a/api_docs/kbn_config.mdx b/api_docs/kbn_config.mdx
index cb5732e95587..4fe78056a8e7 100644
--- a/api_docs/kbn_config.mdx
+++ b/api_docs/kbn_config.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-config
 title: "@kbn/config"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/config plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/config']
 ---
 import kbnConfigObj from './kbn_config.devdocs.json';
diff --git a/api_docs/kbn_config_mocks.mdx b/api_docs/kbn_config_mocks.mdx
index 4244fd62f5f1..8ceab23bc0cd 100644
--- a/api_docs/kbn_config_mocks.mdx
+++ b/api_docs/kbn_config_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-config-mocks
 title: "@kbn/config-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/config-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/config-mocks']
 ---
 import kbnConfigMocksObj from './kbn_config_mocks.devdocs.json';
diff --git a/api_docs/kbn_config_schema.mdx b/api_docs/kbn_config_schema.mdx
index 37d8d6d9b542..515123889d01 100644
--- a/api_docs/kbn_config_schema.mdx
+++ b/api_docs/kbn_config_schema.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-config-schema
 title: "@kbn/config-schema"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/config-schema plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/config-schema']
 ---
 import kbnConfigSchemaObj from './kbn_config_schema.devdocs.json';
diff --git a/api_docs/kbn_content_management_content_editor.mdx b/api_docs/kbn_content_management_content_editor.mdx
index d42d01bee49f..2a99f52f40c4 100644
--- a/api_docs/kbn_content_management_content_editor.mdx
+++ b/api_docs/kbn_content_management_content_editor.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-content-management-content-editor
 title: "@kbn/content-management-content-editor"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/content-management-content-editor plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/content-management-content-editor']
 ---
 import kbnContentManagementContentEditorObj from './kbn_content_management_content_editor.devdocs.json';
diff --git a/api_docs/kbn_content_management_table_list.mdx b/api_docs/kbn_content_management_table_list.mdx
index e7e1fe4ccf2c..2da6c11504c3 100644
--- a/api_docs/kbn_content_management_table_list.mdx
+++ b/api_docs/kbn_content_management_table_list.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-content-management-table-list
 title: "@kbn/content-management-table-list"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/content-management-table-list plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/content-management-table-list']
 ---
 import kbnContentManagementTableListObj from './kbn_content_management_table_list.devdocs.json';
diff --git a/api_docs/kbn_core_analytics_browser.mdx b/api_docs/kbn_core_analytics_browser.mdx
index 91a4edb65e66..2641a1635580 100644
--- a/api_docs/kbn_core_analytics_browser.mdx
+++ b/api_docs/kbn_core_analytics_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-browser
 title: "@kbn/core-analytics-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-analytics-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-browser']
 ---
 import kbnCoreAnalyticsBrowserObj from './kbn_core_analytics_browser.devdocs.json';
diff --git a/api_docs/kbn_core_analytics_browser_internal.mdx b/api_docs/kbn_core_analytics_browser_internal.mdx
index cad6bfcf47db..e383d7d445a5 100644
--- a/api_docs/kbn_core_analytics_browser_internal.mdx
+++ b/api_docs/kbn_core_analytics_browser_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-browser-internal
 title: "@kbn/core-analytics-browser-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-analytics-browser-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-browser-internal']
 ---
 import kbnCoreAnalyticsBrowserInternalObj from './kbn_core_analytics_browser_internal.devdocs.json';
diff --git a/api_docs/kbn_core_analytics_browser_mocks.mdx b/api_docs/kbn_core_analytics_browser_mocks.mdx
index f6d8c903bd5e..6d525dfccd98 100644
--- a/api_docs/kbn_core_analytics_browser_mocks.mdx
+++ b/api_docs/kbn_core_analytics_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-browser-mocks
 title: "@kbn/core-analytics-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-analytics-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-browser-mocks']
 ---
 import kbnCoreAnalyticsBrowserMocksObj from './kbn_core_analytics_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_analytics_server.mdx b/api_docs/kbn_core_analytics_server.mdx
index 3f61db26e746..c7398a32bb2c 100644
--- a/api_docs/kbn_core_analytics_server.mdx
+++ b/api_docs/kbn_core_analytics_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-server
 title: "@kbn/core-analytics-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-analytics-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-server']
 ---
 import kbnCoreAnalyticsServerObj from './kbn_core_analytics_server.devdocs.json';
diff --git a/api_docs/kbn_core_analytics_server_internal.mdx b/api_docs/kbn_core_analytics_server_internal.mdx
index 800598527949..1e387c76631e 100644
--- a/api_docs/kbn_core_analytics_server_internal.mdx
+++ b/api_docs/kbn_core_analytics_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-server-internal
 title: "@kbn/core-analytics-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-analytics-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-server-internal']
 ---
 import kbnCoreAnalyticsServerInternalObj from './kbn_core_analytics_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_analytics_server_mocks.mdx b/api_docs/kbn_core_analytics_server_mocks.mdx
index 033de57593c3..03d367f68033 100644
--- a/api_docs/kbn_core_analytics_server_mocks.mdx
+++ b/api_docs/kbn_core_analytics_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-server-mocks
 title: "@kbn/core-analytics-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-analytics-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-server-mocks']
 ---
 import kbnCoreAnalyticsServerMocksObj from './kbn_core_analytics_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_application_browser.mdx b/api_docs/kbn_core_application_browser.mdx
index 4ee9e4fc3e50..043805bcf3e1 100644
--- a/api_docs/kbn_core_application_browser.mdx
+++ b/api_docs/kbn_core_application_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-application-browser
 title: "@kbn/core-application-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-application-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-application-browser']
 ---
 import kbnCoreApplicationBrowserObj from './kbn_core_application_browser.devdocs.json';
diff --git a/api_docs/kbn_core_application_browser_internal.mdx b/api_docs/kbn_core_application_browser_internal.mdx
index 00431116491c..460e49d21e44 100644
--- a/api_docs/kbn_core_application_browser_internal.mdx
+++ b/api_docs/kbn_core_application_browser_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-application-browser-internal
 title: "@kbn/core-application-browser-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-application-browser-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-application-browser-internal']
 ---
 import kbnCoreApplicationBrowserInternalObj from './kbn_core_application_browser_internal.devdocs.json';
diff --git a/api_docs/kbn_core_application_browser_mocks.mdx b/api_docs/kbn_core_application_browser_mocks.mdx
index f60972810538..29d974c8099a 100644
--- a/api_docs/kbn_core_application_browser_mocks.mdx
+++ b/api_docs/kbn_core_application_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-application-browser-mocks
 title: "@kbn/core-application-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-application-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-application-browser-mocks']
 ---
 import kbnCoreApplicationBrowserMocksObj from './kbn_core_application_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_application_common.mdx b/api_docs/kbn_core_application_common.mdx
index c019b84735dc..2ef0e8a349a2 100644
--- a/api_docs/kbn_core_application_common.mdx
+++ b/api_docs/kbn_core_application_common.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-application-common
 title: "@kbn/core-application-common"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-application-common plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-application-common']
 ---
 import kbnCoreApplicationCommonObj from './kbn_core_application_common.devdocs.json';
diff --git a/api_docs/kbn_core_apps_browser_internal.mdx b/api_docs/kbn_core_apps_browser_internal.mdx
index 51bdac7b1763..cba603a16d89 100644
--- a/api_docs/kbn_core_apps_browser_internal.mdx
+++ b/api_docs/kbn_core_apps_browser_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-apps-browser-internal
 title: "@kbn/core-apps-browser-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-apps-browser-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-apps-browser-internal']
 ---
 import kbnCoreAppsBrowserInternalObj from './kbn_core_apps_browser_internal.devdocs.json';
diff --git a/api_docs/kbn_core_apps_browser_mocks.mdx b/api_docs/kbn_core_apps_browser_mocks.mdx
index ea4c02180720..53caa9e6ac84 100644
--- a/api_docs/kbn_core_apps_browser_mocks.mdx
+++ b/api_docs/kbn_core_apps_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-apps-browser-mocks
 title: "@kbn/core-apps-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-apps-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-apps-browser-mocks']
 ---
 import kbnCoreAppsBrowserMocksObj from './kbn_core_apps_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_apps_server_internal.mdx b/api_docs/kbn_core_apps_server_internal.mdx
index cf1722cab39f..7bb91616710e 100644
--- a/api_docs/kbn_core_apps_server_internal.mdx
+++ b/api_docs/kbn_core_apps_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-apps-server-internal
 title: "@kbn/core-apps-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-apps-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-apps-server-internal']
 ---
 import kbnCoreAppsServerInternalObj from './kbn_core_apps_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_base_browser_mocks.mdx b/api_docs/kbn_core_base_browser_mocks.mdx
index bff2795a3b62..68fd5becd5b7 100644
--- a/api_docs/kbn_core_base_browser_mocks.mdx
+++ b/api_docs/kbn_core_base_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-browser-mocks
 title: "@kbn/core-base-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-base-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-browser-mocks']
 ---
 import kbnCoreBaseBrowserMocksObj from './kbn_core_base_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_base_common.mdx b/api_docs/kbn_core_base_common.mdx
index 6e845620410c..5f2b83e96348 100644
--- a/api_docs/kbn_core_base_common.mdx
+++ b/api_docs/kbn_core_base_common.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-common
 title: "@kbn/core-base-common"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-base-common plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-common']
 ---
 import kbnCoreBaseCommonObj from './kbn_core_base_common.devdocs.json';
diff --git a/api_docs/kbn_core_base_server_internal.mdx b/api_docs/kbn_core_base_server_internal.mdx
index 086a599f5f0c..a05385033e2b 100644
--- a/api_docs/kbn_core_base_server_internal.mdx
+++ b/api_docs/kbn_core_base_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-server-internal
 title: "@kbn/core-base-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-base-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-server-internal']
 ---
 import kbnCoreBaseServerInternalObj from './kbn_core_base_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_base_server_mocks.mdx b/api_docs/kbn_core_base_server_mocks.mdx
index 5b391ffae26d..8d63c62ab8ef 100644
--- a/api_docs/kbn_core_base_server_mocks.mdx
+++ b/api_docs/kbn_core_base_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-server-mocks
 title: "@kbn/core-base-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-base-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-server-mocks']
 ---
 import kbnCoreBaseServerMocksObj from './kbn_core_base_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_capabilities_browser_mocks.mdx b/api_docs/kbn_core_capabilities_browser_mocks.mdx
index 471d4073ff1c..6d19378b7f1e 100644
--- a/api_docs/kbn_core_capabilities_browser_mocks.mdx
+++ b/api_docs/kbn_core_capabilities_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-capabilities-browser-mocks
 title: "@kbn/core-capabilities-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-capabilities-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-capabilities-browser-mocks']
 ---
 import kbnCoreCapabilitiesBrowserMocksObj from './kbn_core_capabilities_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_capabilities_common.mdx b/api_docs/kbn_core_capabilities_common.mdx
index 812afa4c4eff..0edde0429744 100644
--- a/api_docs/kbn_core_capabilities_common.mdx
+++ b/api_docs/kbn_core_capabilities_common.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-capabilities-common
 title: "@kbn/core-capabilities-common"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-capabilities-common plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-capabilities-common']
 ---
 import kbnCoreCapabilitiesCommonObj from './kbn_core_capabilities_common.devdocs.json';
diff --git a/api_docs/kbn_core_capabilities_server.mdx b/api_docs/kbn_core_capabilities_server.mdx
index ed36b1cb2596..7f9c8169a6b7 100644
--- a/api_docs/kbn_core_capabilities_server.mdx
+++ b/api_docs/kbn_core_capabilities_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-capabilities-server
 title: "@kbn/core-capabilities-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-capabilities-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-capabilities-server']
 ---
 import kbnCoreCapabilitiesServerObj from './kbn_core_capabilities_server.devdocs.json';
diff --git a/api_docs/kbn_core_capabilities_server_mocks.mdx b/api_docs/kbn_core_capabilities_server_mocks.mdx
index 7e765cc3936f..213af1ca4855 100644
--- a/api_docs/kbn_core_capabilities_server_mocks.mdx
+++ b/api_docs/kbn_core_capabilities_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-capabilities-server-mocks
 title: "@kbn/core-capabilities-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-capabilities-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-capabilities-server-mocks']
 ---
 import kbnCoreCapabilitiesServerMocksObj from './kbn_core_capabilities_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_chrome_browser.mdx b/api_docs/kbn_core_chrome_browser.mdx
index a2fd2c08b3bb..28efac1ba62a 100644
--- a/api_docs/kbn_core_chrome_browser.mdx
+++ b/api_docs/kbn_core_chrome_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-chrome-browser
 title: "@kbn/core-chrome-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-chrome-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-chrome-browser']
 ---
 import kbnCoreChromeBrowserObj from './kbn_core_chrome_browser.devdocs.json';
diff --git a/api_docs/kbn_core_chrome_browser_mocks.mdx b/api_docs/kbn_core_chrome_browser_mocks.mdx
index d6464e08a5d7..91bdc1af174f 100644
--- a/api_docs/kbn_core_chrome_browser_mocks.mdx
+++ b/api_docs/kbn_core_chrome_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-chrome-browser-mocks
 title: "@kbn/core-chrome-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-chrome-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-chrome-browser-mocks']
 ---
 import kbnCoreChromeBrowserMocksObj from './kbn_core_chrome_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_config_server_internal.mdx b/api_docs/kbn_core_config_server_internal.mdx
index f45fd60b558e..e4b0bda8c7ab 100644
--- a/api_docs/kbn_core_config_server_internal.mdx
+++ b/api_docs/kbn_core_config_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-config-server-internal
 title: "@kbn/core-config-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-config-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-config-server-internal']
 ---
 import kbnCoreConfigServerInternalObj from './kbn_core_config_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_custom_branding_browser.mdx b/api_docs/kbn_core_custom_branding_browser.mdx
index e66ccef8853c..864d570df393 100644
--- a/api_docs/kbn_core_custom_branding_browser.mdx
+++ b/api_docs/kbn_core_custom_branding_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-browser
 title: "@kbn/core-custom-branding-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-custom-branding-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-browser']
 ---
 import kbnCoreCustomBrandingBrowserObj from './kbn_core_custom_branding_browser.devdocs.json';
diff --git a/api_docs/kbn_core_custom_branding_browser_internal.mdx b/api_docs/kbn_core_custom_branding_browser_internal.mdx
index 189febc82567..3311a2707b22 100644
--- a/api_docs/kbn_core_custom_branding_browser_internal.mdx
+++ b/api_docs/kbn_core_custom_branding_browser_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-browser-internal
 title: "@kbn/core-custom-branding-browser-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-custom-branding-browser-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-browser-internal']
 ---
 import kbnCoreCustomBrandingBrowserInternalObj from './kbn_core_custom_branding_browser_internal.devdocs.json';
diff --git a/api_docs/kbn_core_custom_branding_browser_mocks.mdx b/api_docs/kbn_core_custom_branding_browser_mocks.mdx
index 01e7e882a384..c99aeafa2539 100644
--- a/api_docs/kbn_core_custom_branding_browser_mocks.mdx
+++ b/api_docs/kbn_core_custom_branding_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-browser-mocks
 title: "@kbn/core-custom-branding-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-custom-branding-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-browser-mocks']
 ---
 import kbnCoreCustomBrandingBrowserMocksObj from './kbn_core_custom_branding_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_custom_branding_common.mdx b/api_docs/kbn_core_custom_branding_common.mdx
index aec09c992909..f6a9d5aa4cd7 100644
--- a/api_docs/kbn_core_custom_branding_common.mdx
+++ b/api_docs/kbn_core_custom_branding_common.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-common
 title: "@kbn/core-custom-branding-common"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-custom-branding-common plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-common']
 ---
 import kbnCoreCustomBrandingCommonObj from './kbn_core_custom_branding_common.devdocs.json';
diff --git a/api_docs/kbn_core_custom_branding_server.mdx b/api_docs/kbn_core_custom_branding_server.mdx
index 7da122eb969f..1e09d35a514b 100644
--- a/api_docs/kbn_core_custom_branding_server.mdx
+++ b/api_docs/kbn_core_custom_branding_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-server
 title: "@kbn/core-custom-branding-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-custom-branding-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-server']
 ---
 import kbnCoreCustomBrandingServerObj from './kbn_core_custom_branding_server.devdocs.json';
diff --git a/api_docs/kbn_core_custom_branding_server_internal.mdx b/api_docs/kbn_core_custom_branding_server_internal.mdx
index 30cc0dfa46bb..e406da44daff 100644
--- a/api_docs/kbn_core_custom_branding_server_internal.mdx
+++ b/api_docs/kbn_core_custom_branding_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-server-internal
 title: "@kbn/core-custom-branding-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-custom-branding-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-server-internal']
 ---
 import kbnCoreCustomBrandingServerInternalObj from './kbn_core_custom_branding_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_custom_branding_server_mocks.mdx b/api_docs/kbn_core_custom_branding_server_mocks.mdx
index e316ff503a83..a7ee82b01310 100644
--- a/api_docs/kbn_core_custom_branding_server_mocks.mdx
+++ b/api_docs/kbn_core_custom_branding_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-server-mocks
 title: "@kbn/core-custom-branding-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-custom-branding-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-server-mocks']
 ---
 import kbnCoreCustomBrandingServerMocksObj from './kbn_core_custom_branding_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_deprecations_browser.mdx b/api_docs/kbn_core_deprecations_browser.mdx
index 8801088e397b..3829a26e303c 100644
--- a/api_docs/kbn_core_deprecations_browser.mdx
+++ b/api_docs/kbn_core_deprecations_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-browser
 title: "@kbn/core-deprecations-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-deprecations-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-browser']
 ---
 import kbnCoreDeprecationsBrowserObj from './kbn_core_deprecations_browser.devdocs.json';
diff --git a/api_docs/kbn_core_deprecations_browser_internal.mdx b/api_docs/kbn_core_deprecations_browser_internal.mdx
index 4cbb31414ac7..d9eb0ac662fe 100644
--- a/api_docs/kbn_core_deprecations_browser_internal.mdx
+++ b/api_docs/kbn_core_deprecations_browser_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-browser-internal
 title: "@kbn/core-deprecations-browser-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-deprecations-browser-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-browser-internal']
 ---
 import kbnCoreDeprecationsBrowserInternalObj from './kbn_core_deprecations_browser_internal.devdocs.json';
diff --git a/api_docs/kbn_core_deprecations_browser_mocks.mdx b/api_docs/kbn_core_deprecations_browser_mocks.mdx
index 2f81c903e92b..2cb261599ac7 100644
--- a/api_docs/kbn_core_deprecations_browser_mocks.mdx
+++ b/api_docs/kbn_core_deprecations_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-browser-mocks
 title: "@kbn/core-deprecations-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-deprecations-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-browser-mocks']
 ---
 import kbnCoreDeprecationsBrowserMocksObj from './kbn_core_deprecations_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_deprecations_common.mdx b/api_docs/kbn_core_deprecations_common.mdx
index 94cb5043b942..cf6d6b4cbb02 100644
--- a/api_docs/kbn_core_deprecations_common.mdx
+++ b/api_docs/kbn_core_deprecations_common.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-common
 title: "@kbn/core-deprecations-common"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-deprecations-common plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-common']
 ---
 import kbnCoreDeprecationsCommonObj from './kbn_core_deprecations_common.devdocs.json';
diff --git a/api_docs/kbn_core_deprecations_server.mdx b/api_docs/kbn_core_deprecations_server.mdx
index 939292cc06fa..aece5b60f922 100644
--- a/api_docs/kbn_core_deprecations_server.mdx
+++ b/api_docs/kbn_core_deprecations_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-server
 title: "@kbn/core-deprecations-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-deprecations-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-server']
 ---
 import kbnCoreDeprecationsServerObj from './kbn_core_deprecations_server.devdocs.json';
diff --git a/api_docs/kbn_core_deprecations_server_internal.mdx b/api_docs/kbn_core_deprecations_server_internal.mdx
index f68748b6126f..7e43186d19f4 100644
--- a/api_docs/kbn_core_deprecations_server_internal.mdx
+++ b/api_docs/kbn_core_deprecations_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-server-internal
 title: "@kbn/core-deprecations-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-deprecations-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-server-internal']
 ---
 import kbnCoreDeprecationsServerInternalObj from './kbn_core_deprecations_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_deprecations_server_mocks.mdx b/api_docs/kbn_core_deprecations_server_mocks.mdx
index c571d6af2e4d..2603e717bd65 100644
--- a/api_docs/kbn_core_deprecations_server_mocks.mdx
+++ b/api_docs/kbn_core_deprecations_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-server-mocks
 title: "@kbn/core-deprecations-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-deprecations-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-server-mocks']
 ---
 import kbnCoreDeprecationsServerMocksObj from './kbn_core_deprecations_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_doc_links_browser.mdx b/api_docs/kbn_core_doc_links_browser.mdx
index 3fff1e6e5b6b..a77ef3eb92d3 100644
--- a/api_docs/kbn_core_doc_links_browser.mdx
+++ b/api_docs/kbn_core_doc_links_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-browser
 title: "@kbn/core-doc-links-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-doc-links-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-browser']
 ---
 import kbnCoreDocLinksBrowserObj from './kbn_core_doc_links_browser.devdocs.json';
diff --git a/api_docs/kbn_core_doc_links_browser_mocks.mdx b/api_docs/kbn_core_doc_links_browser_mocks.mdx
index df332eecf4c6..d0547412e265 100644
--- a/api_docs/kbn_core_doc_links_browser_mocks.mdx
+++ b/api_docs/kbn_core_doc_links_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-browser-mocks
 title: "@kbn/core-doc-links-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-doc-links-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-browser-mocks']
 ---
 import kbnCoreDocLinksBrowserMocksObj from './kbn_core_doc_links_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_doc_links_server.mdx b/api_docs/kbn_core_doc_links_server.mdx
index a6ba6c67a1ce..f084399e1605 100644
--- a/api_docs/kbn_core_doc_links_server.mdx
+++ b/api_docs/kbn_core_doc_links_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-server
 title: "@kbn/core-doc-links-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-doc-links-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-server']
 ---
 import kbnCoreDocLinksServerObj from './kbn_core_doc_links_server.devdocs.json';
diff --git a/api_docs/kbn_core_doc_links_server_mocks.mdx b/api_docs/kbn_core_doc_links_server_mocks.mdx
index 72f4f9fadbf7..12430f2c388b 100644
--- a/api_docs/kbn_core_doc_links_server_mocks.mdx
+++ b/api_docs/kbn_core_doc_links_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-server-mocks
 title: "@kbn/core-doc-links-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-doc-links-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-server-mocks']
 ---
 import kbnCoreDocLinksServerMocksObj from './kbn_core_doc_links_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_elasticsearch_client_server_internal.mdx b/api_docs/kbn_core_elasticsearch_client_server_internal.mdx
index 35174980d9d0..f7cf0336b4cb 100644
--- a/api_docs/kbn_core_elasticsearch_client_server_internal.mdx
+++ b/api_docs/kbn_core_elasticsearch_client_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-client-server-internal
 title: "@kbn/core-elasticsearch-client-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-elasticsearch-client-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-client-server-internal']
 ---
 import kbnCoreElasticsearchClientServerInternalObj from './kbn_core_elasticsearch_client_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx b/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx
index 79207eaa87d1..b2eaca9cc39d 100644
--- a/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx
+++ b/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-client-server-mocks
 title: "@kbn/core-elasticsearch-client-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-elasticsearch-client-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-client-server-mocks']
 ---
 import kbnCoreElasticsearchClientServerMocksObj from './kbn_core_elasticsearch_client_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_elasticsearch_server.mdx b/api_docs/kbn_core_elasticsearch_server.mdx
index 1772702252d5..1c313e04832d 100644
--- a/api_docs/kbn_core_elasticsearch_server.mdx
+++ b/api_docs/kbn_core_elasticsearch_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-server
 title: "@kbn/core-elasticsearch-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-elasticsearch-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-server']
 ---
 import kbnCoreElasticsearchServerObj from './kbn_core_elasticsearch_server.devdocs.json';
diff --git a/api_docs/kbn_core_elasticsearch_server_internal.mdx b/api_docs/kbn_core_elasticsearch_server_internal.mdx
index cbfdd594289d..d1131952e316 100644
--- a/api_docs/kbn_core_elasticsearch_server_internal.mdx
+++ b/api_docs/kbn_core_elasticsearch_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-server-internal
 title: "@kbn/core-elasticsearch-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-elasticsearch-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-server-internal']
 ---
 import kbnCoreElasticsearchServerInternalObj from './kbn_core_elasticsearch_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_elasticsearch_server_mocks.mdx b/api_docs/kbn_core_elasticsearch_server_mocks.mdx
index f09397c2e4a5..245ccb33bb29 100644
--- a/api_docs/kbn_core_elasticsearch_server_mocks.mdx
+++ b/api_docs/kbn_core_elasticsearch_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-server-mocks
 title: "@kbn/core-elasticsearch-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-elasticsearch-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-server-mocks']
 ---
 import kbnCoreElasticsearchServerMocksObj from './kbn_core_elasticsearch_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_environment_server_internal.mdx b/api_docs/kbn_core_environment_server_internal.mdx
index 4e5b6471bf44..a384d936f963 100644
--- a/api_docs/kbn_core_environment_server_internal.mdx
+++ b/api_docs/kbn_core_environment_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-environment-server-internal
 title: "@kbn/core-environment-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-environment-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-environment-server-internal']
 ---
 import kbnCoreEnvironmentServerInternalObj from './kbn_core_environment_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_environment_server_mocks.mdx b/api_docs/kbn_core_environment_server_mocks.mdx
index cec42bc5a420..f2134d6eeba3 100644
--- a/api_docs/kbn_core_environment_server_mocks.mdx
+++ b/api_docs/kbn_core_environment_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-environment-server-mocks
 title: "@kbn/core-environment-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-environment-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-environment-server-mocks']
 ---
 import kbnCoreEnvironmentServerMocksObj from './kbn_core_environment_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_execution_context_browser.mdx b/api_docs/kbn_core_execution_context_browser.mdx
index a22fda793975..c8e26b1013d5 100644
--- a/api_docs/kbn_core_execution_context_browser.mdx
+++ b/api_docs/kbn_core_execution_context_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-browser
 title: "@kbn/core-execution-context-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-execution-context-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-browser']
 ---
 import kbnCoreExecutionContextBrowserObj from './kbn_core_execution_context_browser.devdocs.json';
diff --git a/api_docs/kbn_core_execution_context_browser_internal.mdx b/api_docs/kbn_core_execution_context_browser_internal.mdx
index 85a1f4a896e3..d403f92b9881 100644
--- a/api_docs/kbn_core_execution_context_browser_internal.mdx
+++ b/api_docs/kbn_core_execution_context_browser_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-browser-internal
 title: "@kbn/core-execution-context-browser-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-execution-context-browser-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-browser-internal']
 ---
 import kbnCoreExecutionContextBrowserInternalObj from './kbn_core_execution_context_browser_internal.devdocs.json';
diff --git a/api_docs/kbn_core_execution_context_browser_mocks.mdx b/api_docs/kbn_core_execution_context_browser_mocks.mdx
index 0277c59748f6..ebab9f17790c 100644
--- a/api_docs/kbn_core_execution_context_browser_mocks.mdx
+++ b/api_docs/kbn_core_execution_context_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-browser-mocks
 title: "@kbn/core-execution-context-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-execution-context-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-browser-mocks']
 ---
 import kbnCoreExecutionContextBrowserMocksObj from './kbn_core_execution_context_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_execution_context_common.mdx b/api_docs/kbn_core_execution_context_common.mdx
index 1d27820210b4..d076b86e254d 100644
--- a/api_docs/kbn_core_execution_context_common.mdx
+++ b/api_docs/kbn_core_execution_context_common.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-common
 title: "@kbn/core-execution-context-common"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-execution-context-common plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-common']
 ---
 import kbnCoreExecutionContextCommonObj from './kbn_core_execution_context_common.devdocs.json';
diff --git a/api_docs/kbn_core_execution_context_server.mdx b/api_docs/kbn_core_execution_context_server.mdx
index 964e89766750..03670c5d1588 100644
--- a/api_docs/kbn_core_execution_context_server.mdx
+++ b/api_docs/kbn_core_execution_context_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-server
 title: "@kbn/core-execution-context-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-execution-context-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-server']
 ---
 import kbnCoreExecutionContextServerObj from './kbn_core_execution_context_server.devdocs.json';
diff --git a/api_docs/kbn_core_execution_context_server_internal.mdx b/api_docs/kbn_core_execution_context_server_internal.mdx
index 41961e35c8a1..a9ddc3bff0c8 100644
--- a/api_docs/kbn_core_execution_context_server_internal.mdx
+++ b/api_docs/kbn_core_execution_context_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-server-internal
 title: "@kbn/core-execution-context-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-execution-context-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-server-internal']
 ---
 import kbnCoreExecutionContextServerInternalObj from './kbn_core_execution_context_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_execution_context_server_mocks.mdx b/api_docs/kbn_core_execution_context_server_mocks.mdx
index 61cf86c3d8a3..9cf9043fc34e 100644
--- a/api_docs/kbn_core_execution_context_server_mocks.mdx
+++ b/api_docs/kbn_core_execution_context_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-server-mocks
 title: "@kbn/core-execution-context-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-execution-context-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-server-mocks']
 ---
 import kbnCoreExecutionContextServerMocksObj from './kbn_core_execution_context_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_fatal_errors_browser.mdx b/api_docs/kbn_core_fatal_errors_browser.mdx
index 1b0e017fd1c6..ed3f19a46900 100644
--- a/api_docs/kbn_core_fatal_errors_browser.mdx
+++ b/api_docs/kbn_core_fatal_errors_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-fatal-errors-browser
 title: "@kbn/core-fatal-errors-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-fatal-errors-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-fatal-errors-browser']
 ---
 import kbnCoreFatalErrorsBrowserObj from './kbn_core_fatal_errors_browser.devdocs.json';
diff --git a/api_docs/kbn_core_fatal_errors_browser_mocks.mdx b/api_docs/kbn_core_fatal_errors_browser_mocks.mdx
index 7e5a255895d4..be115f290ebe 100644
--- a/api_docs/kbn_core_fatal_errors_browser_mocks.mdx
+++ b/api_docs/kbn_core_fatal_errors_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-fatal-errors-browser-mocks
 title: "@kbn/core-fatal-errors-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-fatal-errors-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-fatal-errors-browser-mocks']
 ---
 import kbnCoreFatalErrorsBrowserMocksObj from './kbn_core_fatal_errors_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_http_browser.mdx b/api_docs/kbn_core_http_browser.mdx
index c7188e62bcec..3cfdaba20b59 100644
--- a/api_docs/kbn_core_http_browser.mdx
+++ b/api_docs/kbn_core_http_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-browser
 title: "@kbn/core-http-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-browser']
 ---
 import kbnCoreHttpBrowserObj from './kbn_core_http_browser.devdocs.json';
diff --git a/api_docs/kbn_core_http_browser_internal.mdx b/api_docs/kbn_core_http_browser_internal.mdx
index 59208b3ef87f..766ea1226d4e 100644
--- a/api_docs/kbn_core_http_browser_internal.mdx
+++ b/api_docs/kbn_core_http_browser_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-browser-internal
 title: "@kbn/core-http-browser-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-browser-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-browser-internal']
 ---
 import kbnCoreHttpBrowserInternalObj from './kbn_core_http_browser_internal.devdocs.json';
diff --git a/api_docs/kbn_core_http_browser_mocks.mdx b/api_docs/kbn_core_http_browser_mocks.mdx
index e82ffe7895f1..674509fd8d72 100644
--- a/api_docs/kbn_core_http_browser_mocks.mdx
+++ b/api_docs/kbn_core_http_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-browser-mocks
 title: "@kbn/core-http-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-browser-mocks']
 ---
 import kbnCoreHttpBrowserMocksObj from './kbn_core_http_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_http_common.mdx b/api_docs/kbn_core_http_common.mdx
index 1cd560267962..b612c1ab7331 100644
--- a/api_docs/kbn_core_http_common.mdx
+++ b/api_docs/kbn_core_http_common.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-common
 title: "@kbn/core-http-common"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-common plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-common']
 ---
 import kbnCoreHttpCommonObj from './kbn_core_http_common.devdocs.json';
diff --git a/api_docs/kbn_core_http_context_server_mocks.mdx b/api_docs/kbn_core_http_context_server_mocks.mdx
index 7757222b1412..a8951e258907 100644
--- a/api_docs/kbn_core_http_context_server_mocks.mdx
+++ b/api_docs/kbn_core_http_context_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-context-server-mocks
 title: "@kbn/core-http-context-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-context-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-context-server-mocks']
 ---
 import kbnCoreHttpContextServerMocksObj from './kbn_core_http_context_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_http_request_handler_context_server.mdx b/api_docs/kbn_core_http_request_handler_context_server.mdx
index 30a9812d3cb3..a24b48c7e5c2 100644
--- a/api_docs/kbn_core_http_request_handler_context_server.mdx
+++ b/api_docs/kbn_core_http_request_handler_context_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-request-handler-context-server
 title: "@kbn/core-http-request-handler-context-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-request-handler-context-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-request-handler-context-server']
 ---
 import kbnCoreHttpRequestHandlerContextServerObj from './kbn_core_http_request_handler_context_server.devdocs.json';
diff --git a/api_docs/kbn_core_http_resources_server.mdx b/api_docs/kbn_core_http_resources_server.mdx
index f100df7ecbb7..2cb7106afac1 100644
--- a/api_docs/kbn_core_http_resources_server.mdx
+++ b/api_docs/kbn_core_http_resources_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-resources-server
 title: "@kbn/core-http-resources-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-resources-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-resources-server']
 ---
 import kbnCoreHttpResourcesServerObj from './kbn_core_http_resources_server.devdocs.json';
diff --git a/api_docs/kbn_core_http_resources_server_internal.mdx b/api_docs/kbn_core_http_resources_server_internal.mdx
index 7117296e4500..028f9634a1b0 100644
--- a/api_docs/kbn_core_http_resources_server_internal.mdx
+++ b/api_docs/kbn_core_http_resources_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-resources-server-internal
 title: "@kbn/core-http-resources-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-resources-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-resources-server-internal']
 ---
 import kbnCoreHttpResourcesServerInternalObj from './kbn_core_http_resources_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_http_resources_server_mocks.mdx b/api_docs/kbn_core_http_resources_server_mocks.mdx
index 1b2c82799ee2..74d47f7c5ce8 100644
--- a/api_docs/kbn_core_http_resources_server_mocks.mdx
+++ b/api_docs/kbn_core_http_resources_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-resources-server-mocks
 title: "@kbn/core-http-resources-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-resources-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-resources-server-mocks']
 ---
 import kbnCoreHttpResourcesServerMocksObj from './kbn_core_http_resources_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_http_router_server_internal.mdx b/api_docs/kbn_core_http_router_server_internal.mdx
index 7a263648e36c..d24e968e6538 100644
--- a/api_docs/kbn_core_http_router_server_internal.mdx
+++ b/api_docs/kbn_core_http_router_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-router-server-internal
 title: "@kbn/core-http-router-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-router-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-router-server-internal']
 ---
 import kbnCoreHttpRouterServerInternalObj from './kbn_core_http_router_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_http_router_server_mocks.mdx b/api_docs/kbn_core_http_router_server_mocks.mdx
index e627d3da28af..d36a37b4001a 100644
--- a/api_docs/kbn_core_http_router_server_mocks.mdx
+++ b/api_docs/kbn_core_http_router_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-router-server-mocks
 title: "@kbn/core-http-router-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-router-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-router-server-mocks']
 ---
 import kbnCoreHttpRouterServerMocksObj from './kbn_core_http_router_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_http_server.mdx b/api_docs/kbn_core_http_server.mdx
index 3bcc32b590fa..20399579773a 100644
--- a/api_docs/kbn_core_http_server.mdx
+++ b/api_docs/kbn_core_http_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-server
 title: "@kbn/core-http-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-server']
 ---
 import kbnCoreHttpServerObj from './kbn_core_http_server.devdocs.json';
diff --git a/api_docs/kbn_core_http_server_internal.mdx b/api_docs/kbn_core_http_server_internal.mdx
index 03edc9c8b6f8..e96fed75a124 100644
--- a/api_docs/kbn_core_http_server_internal.mdx
+++ b/api_docs/kbn_core_http_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-server-internal
 title: "@kbn/core-http-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-server-internal']
 ---
 import kbnCoreHttpServerInternalObj from './kbn_core_http_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_http_server_mocks.mdx b/api_docs/kbn_core_http_server_mocks.mdx
index f7e508c4df50..83db8e6a5aeb 100644
--- a/api_docs/kbn_core_http_server_mocks.mdx
+++ b/api_docs/kbn_core_http_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-server-mocks
 title: "@kbn/core-http-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-http-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-server-mocks']
 ---
 import kbnCoreHttpServerMocksObj from './kbn_core_http_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_i18n_browser.mdx b/api_docs/kbn_core_i18n_browser.mdx
index 332701452924..07c7f320cac7 100644
--- a/api_docs/kbn_core_i18n_browser.mdx
+++ b/api_docs/kbn_core_i18n_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-browser
 title: "@kbn/core-i18n-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-i18n-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-browser']
 ---
 import kbnCoreI18nBrowserObj from './kbn_core_i18n_browser.devdocs.json';
diff --git a/api_docs/kbn_core_i18n_browser_mocks.mdx b/api_docs/kbn_core_i18n_browser_mocks.mdx
index 08623a0c7aef..6cbcd32107b1 100644
--- a/api_docs/kbn_core_i18n_browser_mocks.mdx
+++ b/api_docs/kbn_core_i18n_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-browser-mocks
 title: "@kbn/core-i18n-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-i18n-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-browser-mocks']
 ---
 import kbnCoreI18nBrowserMocksObj from './kbn_core_i18n_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_i18n_server.mdx b/api_docs/kbn_core_i18n_server.mdx
index 7c5bdfc6a536..32b47e0d1fc4 100644
--- a/api_docs/kbn_core_i18n_server.mdx
+++ b/api_docs/kbn_core_i18n_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-server
 title: "@kbn/core-i18n-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-i18n-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-server']
 ---
 import kbnCoreI18nServerObj from './kbn_core_i18n_server.devdocs.json';
diff --git a/api_docs/kbn_core_i18n_server_internal.mdx b/api_docs/kbn_core_i18n_server_internal.mdx
index 5a2ef51f5512..9704f6cb31f9 100644
--- a/api_docs/kbn_core_i18n_server_internal.mdx
+++ b/api_docs/kbn_core_i18n_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-server-internal
 title: "@kbn/core-i18n-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-i18n-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-server-internal']
 ---
 import kbnCoreI18nServerInternalObj from './kbn_core_i18n_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_i18n_server_mocks.mdx b/api_docs/kbn_core_i18n_server_mocks.mdx
index e05ece840d47..6c0b966e9b6f 100644
--- a/api_docs/kbn_core_i18n_server_mocks.mdx
+++ b/api_docs/kbn_core_i18n_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-server-mocks
 title: "@kbn/core-i18n-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-i18n-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-server-mocks']
 ---
 import kbnCoreI18nServerMocksObj from './kbn_core_i18n_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_injected_metadata_browser_mocks.mdx b/api_docs/kbn_core_injected_metadata_browser_mocks.mdx
index 6a75834f2699..f9b473af254a 100644
--- a/api_docs/kbn_core_injected_metadata_browser_mocks.mdx
+++ b/api_docs/kbn_core_injected_metadata_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-injected-metadata-browser-mocks
 title: "@kbn/core-injected-metadata-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-injected-metadata-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-injected-metadata-browser-mocks']
 ---
 import kbnCoreInjectedMetadataBrowserMocksObj from './kbn_core_injected_metadata_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_integrations_browser_internal.mdx b/api_docs/kbn_core_integrations_browser_internal.mdx
index 263548d0d779..8c2c66c849fd 100644
--- a/api_docs/kbn_core_integrations_browser_internal.mdx
+++ b/api_docs/kbn_core_integrations_browser_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-integrations-browser-internal
 title: "@kbn/core-integrations-browser-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-integrations-browser-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-integrations-browser-internal']
 ---
 import kbnCoreIntegrationsBrowserInternalObj from './kbn_core_integrations_browser_internal.devdocs.json';
diff --git a/api_docs/kbn_core_integrations_browser_mocks.mdx b/api_docs/kbn_core_integrations_browser_mocks.mdx
index 666595fa2426..2cae5e01c383 100644
--- a/api_docs/kbn_core_integrations_browser_mocks.mdx
+++ b/api_docs/kbn_core_integrations_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-integrations-browser-mocks
 title: "@kbn/core-integrations-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-integrations-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-integrations-browser-mocks']
 ---
 import kbnCoreIntegrationsBrowserMocksObj from './kbn_core_integrations_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_lifecycle_browser.mdx b/api_docs/kbn_core_lifecycle_browser.mdx
index 0094bc62d4cf..f85bc5131412 100644
--- a/api_docs/kbn_core_lifecycle_browser.mdx
+++ b/api_docs/kbn_core_lifecycle_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-lifecycle-browser
 title: "@kbn/core-lifecycle-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-lifecycle-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-lifecycle-browser']
 ---
 import kbnCoreLifecycleBrowserObj from './kbn_core_lifecycle_browser.devdocs.json';
diff --git a/api_docs/kbn_core_lifecycle_browser_mocks.mdx b/api_docs/kbn_core_lifecycle_browser_mocks.mdx
index 7ff2cafa3298..8ce174d8e443 100644
--- a/api_docs/kbn_core_lifecycle_browser_mocks.mdx
+++ b/api_docs/kbn_core_lifecycle_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-lifecycle-browser-mocks
 title: "@kbn/core-lifecycle-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-lifecycle-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-lifecycle-browser-mocks']
 ---
 import kbnCoreLifecycleBrowserMocksObj from './kbn_core_lifecycle_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_lifecycle_server.mdx b/api_docs/kbn_core_lifecycle_server.mdx
index 33338ebbfedf..524daac1844b 100644
--- a/api_docs/kbn_core_lifecycle_server.mdx
+++ b/api_docs/kbn_core_lifecycle_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-lifecycle-server
 title: "@kbn/core-lifecycle-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-lifecycle-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-lifecycle-server']
 ---
 import kbnCoreLifecycleServerObj from './kbn_core_lifecycle_server.devdocs.json';
diff --git a/api_docs/kbn_core_lifecycle_server_mocks.mdx b/api_docs/kbn_core_lifecycle_server_mocks.mdx
index 13340de78c8c..5d4ee4578cfc 100644
--- a/api_docs/kbn_core_lifecycle_server_mocks.mdx
+++ b/api_docs/kbn_core_lifecycle_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-lifecycle-server-mocks
 title: "@kbn/core-lifecycle-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-lifecycle-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-lifecycle-server-mocks']
 ---
 import kbnCoreLifecycleServerMocksObj from './kbn_core_lifecycle_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_logging_browser_mocks.mdx b/api_docs/kbn_core_logging_browser_mocks.mdx
index 84c817001618..347eb391dbad 100644
--- a/api_docs/kbn_core_logging_browser_mocks.mdx
+++ b/api_docs/kbn_core_logging_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-browser-mocks
 title: "@kbn/core-logging-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-logging-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-browser-mocks']
 ---
 import kbnCoreLoggingBrowserMocksObj from './kbn_core_logging_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_logging_common_internal.mdx b/api_docs/kbn_core_logging_common_internal.mdx
index f7d6a2ef6af0..52b71b1418c8 100644
--- a/api_docs/kbn_core_logging_common_internal.mdx
+++ b/api_docs/kbn_core_logging_common_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-common-internal
 title: "@kbn/core-logging-common-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-logging-common-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-common-internal']
 ---
 import kbnCoreLoggingCommonInternalObj from './kbn_core_logging_common_internal.devdocs.json';
diff --git a/api_docs/kbn_core_logging_server.mdx b/api_docs/kbn_core_logging_server.mdx
index e3471bd7c244..419f54162b0e 100644
--- a/api_docs/kbn_core_logging_server.mdx
+++ b/api_docs/kbn_core_logging_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-server
 title: "@kbn/core-logging-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-logging-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-server']
 ---
 import kbnCoreLoggingServerObj from './kbn_core_logging_server.devdocs.json';
diff --git a/api_docs/kbn_core_logging_server_internal.mdx b/api_docs/kbn_core_logging_server_internal.mdx
index 3a8e123a3f31..2986b185e8d4 100644
--- a/api_docs/kbn_core_logging_server_internal.mdx
+++ b/api_docs/kbn_core_logging_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-server-internal
 title: "@kbn/core-logging-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-logging-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-server-internal']
 ---
 import kbnCoreLoggingServerInternalObj from './kbn_core_logging_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_logging_server_mocks.mdx b/api_docs/kbn_core_logging_server_mocks.mdx
index 98e819230fda..d2ed6c4227ec 100644
--- a/api_docs/kbn_core_logging_server_mocks.mdx
+++ b/api_docs/kbn_core_logging_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-server-mocks
 title: "@kbn/core-logging-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-logging-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-server-mocks']
 ---
 import kbnCoreLoggingServerMocksObj from './kbn_core_logging_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_metrics_collectors_server_internal.mdx b/api_docs/kbn_core_metrics_collectors_server_internal.mdx
index a08f6f742a05..f8201d6485d0 100644
--- a/api_docs/kbn_core_metrics_collectors_server_internal.mdx
+++ b/api_docs/kbn_core_metrics_collectors_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-collectors-server-internal
 title: "@kbn/core-metrics-collectors-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-metrics-collectors-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-collectors-server-internal']
 ---
 import kbnCoreMetricsCollectorsServerInternalObj from './kbn_core_metrics_collectors_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_metrics_collectors_server_mocks.mdx b/api_docs/kbn_core_metrics_collectors_server_mocks.mdx
index 5ba5b3cbaa38..c28b3aa4abf2 100644
--- a/api_docs/kbn_core_metrics_collectors_server_mocks.mdx
+++ b/api_docs/kbn_core_metrics_collectors_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-collectors-server-mocks
 title: "@kbn/core-metrics-collectors-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-metrics-collectors-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-collectors-server-mocks']
 ---
 import kbnCoreMetricsCollectorsServerMocksObj from './kbn_core_metrics_collectors_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_metrics_server.mdx b/api_docs/kbn_core_metrics_server.mdx
index 03102d2a0b0b..b748fb39b03b 100644
--- a/api_docs/kbn_core_metrics_server.mdx
+++ b/api_docs/kbn_core_metrics_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-server
 title: "@kbn/core-metrics-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-metrics-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-server']
 ---
 import kbnCoreMetricsServerObj from './kbn_core_metrics_server.devdocs.json';
diff --git a/api_docs/kbn_core_metrics_server_internal.mdx b/api_docs/kbn_core_metrics_server_internal.mdx
index 4d4cf7a8a9b7..680a1cbed393 100644
--- a/api_docs/kbn_core_metrics_server_internal.mdx
+++ b/api_docs/kbn_core_metrics_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-server-internal
 title: "@kbn/core-metrics-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-metrics-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-server-internal']
 ---
 import kbnCoreMetricsServerInternalObj from './kbn_core_metrics_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_metrics_server_mocks.mdx b/api_docs/kbn_core_metrics_server_mocks.mdx
index b0bb4e05d03e..5bf6c84d68c7 100644
--- a/api_docs/kbn_core_metrics_server_mocks.mdx
+++ b/api_docs/kbn_core_metrics_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-server-mocks
 title: "@kbn/core-metrics-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-metrics-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-server-mocks']
 ---
 import kbnCoreMetricsServerMocksObj from './kbn_core_metrics_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_mount_utils_browser.mdx b/api_docs/kbn_core_mount_utils_browser.mdx
index 13bb4cd1357f..3ccc840d7101 100644
--- a/api_docs/kbn_core_mount_utils_browser.mdx
+++ b/api_docs/kbn_core_mount_utils_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-mount-utils-browser
 title: "@kbn/core-mount-utils-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-mount-utils-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-mount-utils-browser']
 ---
 import kbnCoreMountUtilsBrowserObj from './kbn_core_mount_utils_browser.devdocs.json';
diff --git a/api_docs/kbn_core_node_server.mdx b/api_docs/kbn_core_node_server.mdx
index 15e033b2e393..c35d05ad5d8f 100644
--- a/api_docs/kbn_core_node_server.mdx
+++ b/api_docs/kbn_core_node_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-node-server
 title: "@kbn/core-node-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-node-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-node-server']
 ---
 import kbnCoreNodeServerObj from './kbn_core_node_server.devdocs.json';
diff --git a/api_docs/kbn_core_node_server_internal.mdx b/api_docs/kbn_core_node_server_internal.mdx
index a78d9a2a8601..2b0fa9cb1d8b 100644
--- a/api_docs/kbn_core_node_server_internal.mdx
+++ b/api_docs/kbn_core_node_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-node-server-internal
 title: "@kbn/core-node-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-node-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-node-server-internal']
 ---
 import kbnCoreNodeServerInternalObj from './kbn_core_node_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_node_server_mocks.mdx b/api_docs/kbn_core_node_server_mocks.mdx
index 43de6cabf0f3..5c028c807163 100644
--- a/api_docs/kbn_core_node_server_mocks.mdx
+++ b/api_docs/kbn_core_node_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-node-server-mocks
 title: "@kbn/core-node-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-node-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-node-server-mocks']
 ---
 import kbnCoreNodeServerMocksObj from './kbn_core_node_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_notifications_browser.mdx b/api_docs/kbn_core_notifications_browser.mdx
index 0f484d84581d..0a15d9527ca3 100644
--- a/api_docs/kbn_core_notifications_browser.mdx
+++ b/api_docs/kbn_core_notifications_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-notifications-browser
 title: "@kbn/core-notifications-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-notifications-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-notifications-browser']
 ---
 import kbnCoreNotificationsBrowserObj from './kbn_core_notifications_browser.devdocs.json';
diff --git a/api_docs/kbn_core_notifications_browser_internal.mdx b/api_docs/kbn_core_notifications_browser_internal.mdx
index 09b91c0253c8..eb2ea6bd40e8 100644
--- a/api_docs/kbn_core_notifications_browser_internal.mdx
+++ b/api_docs/kbn_core_notifications_browser_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-notifications-browser-internal
 title: "@kbn/core-notifications-browser-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-notifications-browser-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-notifications-browser-internal']
 ---
 import kbnCoreNotificationsBrowserInternalObj from './kbn_core_notifications_browser_internal.devdocs.json';
diff --git a/api_docs/kbn_core_notifications_browser_mocks.mdx b/api_docs/kbn_core_notifications_browser_mocks.mdx
index 9a33e1c3a6b8..ec8fa0f6654f 100644
--- a/api_docs/kbn_core_notifications_browser_mocks.mdx
+++ b/api_docs/kbn_core_notifications_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-notifications-browser-mocks
 title: "@kbn/core-notifications-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-notifications-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-notifications-browser-mocks']
 ---
 import kbnCoreNotificationsBrowserMocksObj from './kbn_core_notifications_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_overlays_browser.mdx b/api_docs/kbn_core_overlays_browser.mdx
index 982c3fea80b2..05fc841ca26c 100644
--- a/api_docs/kbn_core_overlays_browser.mdx
+++ b/api_docs/kbn_core_overlays_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-overlays-browser
 title: "@kbn/core-overlays-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-overlays-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-overlays-browser']
 ---
 import kbnCoreOverlaysBrowserObj from './kbn_core_overlays_browser.devdocs.json';
diff --git a/api_docs/kbn_core_overlays_browser_internal.mdx b/api_docs/kbn_core_overlays_browser_internal.mdx
index cd6b7194b0b6..6b989fd75551 100644
--- a/api_docs/kbn_core_overlays_browser_internal.mdx
+++ b/api_docs/kbn_core_overlays_browser_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-overlays-browser-internal
 title: "@kbn/core-overlays-browser-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-overlays-browser-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-overlays-browser-internal']
 ---
 import kbnCoreOverlaysBrowserInternalObj from './kbn_core_overlays_browser_internal.devdocs.json';
diff --git a/api_docs/kbn_core_overlays_browser_mocks.mdx b/api_docs/kbn_core_overlays_browser_mocks.mdx
index 6fce1697768f..12454c9e25fa 100644
--- a/api_docs/kbn_core_overlays_browser_mocks.mdx
+++ b/api_docs/kbn_core_overlays_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-overlays-browser-mocks
 title: "@kbn/core-overlays-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-overlays-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-overlays-browser-mocks']
 ---
 import kbnCoreOverlaysBrowserMocksObj from './kbn_core_overlays_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_plugins_browser.mdx b/api_docs/kbn_core_plugins_browser.mdx
index 6a3612cef8d5..3f05c7945704 100644
--- a/api_docs/kbn_core_plugins_browser.mdx
+++ b/api_docs/kbn_core_plugins_browser.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-plugins-browser
 title: "@kbn/core-plugins-browser"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-plugins-browser plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-plugins-browser']
 ---
 import kbnCorePluginsBrowserObj from './kbn_core_plugins_browser.devdocs.json';
diff --git a/api_docs/kbn_core_plugins_browser_mocks.mdx b/api_docs/kbn_core_plugins_browser_mocks.mdx
index b7028272a624..b9e52bc0bd7e 100644
--- a/api_docs/kbn_core_plugins_browser_mocks.mdx
+++ b/api_docs/kbn_core_plugins_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-plugins-browser-mocks
 title: "@kbn/core-plugins-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-plugins-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-plugins-browser-mocks']
 ---
 import kbnCorePluginsBrowserMocksObj from './kbn_core_plugins_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_plugins_server.mdx b/api_docs/kbn_core_plugins_server.mdx
index 66adbfef8351..1029ac3f9dea 100644
--- a/api_docs/kbn_core_plugins_server.mdx
+++ b/api_docs/kbn_core_plugins_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-plugins-server
 title: "@kbn/core-plugins-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-plugins-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-plugins-server']
 ---
 import kbnCorePluginsServerObj from './kbn_core_plugins_server.devdocs.json';
diff --git a/api_docs/kbn_core_plugins_server_mocks.mdx b/api_docs/kbn_core_plugins_server_mocks.mdx
index 14d1bcdce616..aaafc8285a0d 100644
--- a/api_docs/kbn_core_plugins_server_mocks.mdx
+++ b/api_docs/kbn_core_plugins_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-plugins-server-mocks
 title: "@kbn/core-plugins-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-plugins-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-plugins-server-mocks']
 ---
 import kbnCorePluginsServerMocksObj from './kbn_core_plugins_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_preboot_server.mdx b/api_docs/kbn_core_preboot_server.mdx
index 271bc0a5d255..b9038969bf02 100644
--- a/api_docs/kbn_core_preboot_server.mdx
+++ b/api_docs/kbn_core_preboot_server.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-preboot-server
 title: "@kbn/core-preboot-server"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-preboot-server plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-preboot-server']
 ---
 import kbnCorePrebootServerObj from './kbn_core_preboot_server.devdocs.json';
diff --git a/api_docs/kbn_core_preboot_server_mocks.mdx b/api_docs/kbn_core_preboot_server_mocks.mdx
index a924a315f5f4..2a90e547591a 100644
--- a/api_docs/kbn_core_preboot_server_mocks.mdx
+++ b/api_docs/kbn_core_preboot_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-preboot-server-mocks
 title: "@kbn/core-preboot-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-preboot-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-preboot-server-mocks']
 ---
 import kbnCorePrebootServerMocksObj from './kbn_core_preboot_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_rendering_browser_mocks.mdx b/api_docs/kbn_core_rendering_browser_mocks.mdx
index 5df60562c5ed..bc3b40366dae 100644
--- a/api_docs/kbn_core_rendering_browser_mocks.mdx
+++ b/api_docs/kbn_core_rendering_browser_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-rendering-browser-mocks
 title: "@kbn/core-rendering-browser-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-rendering-browser-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-rendering-browser-mocks']
 ---
 import kbnCoreRenderingBrowserMocksObj from './kbn_core_rendering_browser_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_rendering_server_internal.mdx b/api_docs/kbn_core_rendering_server_internal.mdx
index 0c0afd38c32f..0a55ce58a39b 100644
--- a/api_docs/kbn_core_rendering_server_internal.mdx
+++ b/api_docs/kbn_core_rendering_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-rendering-server-internal
 title: "@kbn/core-rendering-server-internal"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-rendering-server-internal plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-rendering-server-internal']
 ---
 import kbnCoreRenderingServerInternalObj from './kbn_core_rendering_server_internal.devdocs.json';
diff --git a/api_docs/kbn_core_rendering_server_mocks.mdx b/api_docs/kbn_core_rendering_server_mocks.mdx
index 96d4833bf6df..5d0e566cec5f 100644
--- a/api_docs/kbn_core_rendering_server_mocks.mdx
+++ b/api_docs/kbn_core_rendering_server_mocks.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-rendering-server-mocks
 title: "@kbn/core-rendering-server-mocks"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/core-rendering-server-mocks plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-rendering-server-mocks']
 ---
 import kbnCoreRenderingServerMocksObj from './kbn_core_rendering_server_mocks.devdocs.json';
diff --git a/api_docs/kbn_core_root_server_internal.mdx b/api_docs/kbn_core_root_server_internal.mdx
index 84e965d97083..f8fe458cda28 100644
--- a/api_docs/kbn_core_root_server_internal.mdx
+++ b/api_docs/kbn_core_root_server_internal.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-root-server-internal title: "@kbn/core-root-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-root-server-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-root-server-internal'] --- import kbnCoreRootServerInternalObj from './kbn_core_root_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_api_browser.devdocs.json b/api_docs/kbn_core_saved_objects_api_browser.devdocs.json index e60c712cdc4b..2de842b19eca 100644 --- a/api_docs/kbn_core_saved_objects_api_browser.devdocs.json +++ b/api_docs/kbn_core_saved_objects_api_browser.devdocs.json @@ -3000,7 +3000,6 @@ "id": "def-common.SavedObjectsClientContract.update", "type": "Function", "tags": [ - "prop", "prop", "deprecated" ], @@ -3406,10 +3405,12 @@ "parentPluginId": "@kbn/core-saved-objects-api-browser", "id": "def-common.SavedObjectsCreateOptions.migrationVersion", "type": "Object", - "tags": [], + "tags": [ + "deprecated" + ], "label": "migrationVersion", "description": [ - "{@inheritDoc SavedObjectsMigrationVersion}" + "\n{@inheritDoc SavedObjectsMigrationVersion}" ], "signature": [ { @@ -3422,8 +3423,18 @@ " | undefined" ], "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/apis/create.ts", - "deprecated": false, - "trackAdoption": false + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" + } + ] }, { "parentPluginId": "@kbn/core-saved-objects-api-browser", 
@@ -3441,6 +3452,22 @@ "deprecated": false, "trackAdoption": false }, + { + "parentPluginId": "@kbn/core-saved-objects-api-browser", + "id": "def-common.SavedObjectsCreateOptions.typeMigrationVersion", + "type": "string", + "tags": [], + "label": "typeMigrationVersion", + "description": [ + "A semver value that is used when migrating documents between Kibana versions." + ], + "signature": [ + "string | undefined" + ], + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/apis/create.ts", + "deprecated": false, + "trackAdoption": false + }, { "parentPluginId": "@kbn/core-saved-objects-api-browser", "id": "def-common.SavedObjectsCreateOptions.references", @@ -4236,10 +4263,12 @@ "parentPluginId": "@kbn/core-saved-objects-api-browser", "id": "def-common.SimpleSavedObject.migrationVersion", "type": "Object", - "tags": [], + "tags": [ + "deprecated" + ], "label": "migrationVersion", "description": [ - "Migration version of the saved object" + "\nMigration version of the saved object" ], "signature": [ { 
@@ -4252,8 +4281,26 @@ " | undefined" ], "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts", - "deprecated": false, - "trackAdoption": false + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "@kbn/core-saved-objects-browser-mocks", + "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" + }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + } + ] }, { "parentPluginId": "@kbn/core-saved-objects-api-browser", @@ -4271,6 +4318,22 @@ "deprecated": false, "trackAdoption": false }, + { + "parentPluginId": "@kbn/core-saved-objects-api-browser", + "id": "def-common.SimpleSavedObject.typeMigrationVersion", + "type": "string", + "tags": [], + "label": "typeMigrationVersion", + "description": [ + "Core migration version of the saved object" + ], + "signature": [ + "string | undefined" + ], + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts", + "deprecated": false, + "trackAdoption": false + }, { "parentPluginId": "@kbn/core-saved-objects-api-browser", "id": "def-common.SimpleSavedObject.error", 
@@ -4584,7 +4647,7 @@ "signature": [ "{ type: string | string[]; page?: number | undefined; filter?: any; aggs?: Record | undefined; search?: string | undefined; namespaces?: string[] | undefined; sortField?: string | undefined; fields?: string[] | undefined; preference?: string | undefined; perPage?: number | undefined; defaultSearchOperator?: \"AND\" | \"OR\" | undefined; searchFields?: string[] | undefined; hasReference?: ", + "> | undefined; search?: string | undefined; namespaces?: string[] | undefined; fields?: string[] | undefined; sortField?: string | undefined; preference?: string | undefined; perPage?: number | undefined; defaultSearchOperator?: \"AND\" | \"OR\" | undefined; searchFields?: string[] | undefined; hasReference?: ", { "pluginId": "@kbn/core-saved-objects-api-server", "scope": "common", diff --git a/api_docs/kbn_core_saved_objects_api_browser.mdx b/api_docs/kbn_core_saved_objects_api_browser.mdx index 8218e6108a7e..c66916f38773 100644 --- a/api_docs/kbn_core_saved_objects_api_browser.mdx +++ b/api_docs/kbn_core_saved_objects_api_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-api-browser title: "@kbn/core-saved-objects-api-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-api-browser plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-api-browser'] --- import kbnCoreSavedObjectsApiBrowserObj from './kbn_core_saved_objects_api_browser.devdocs.json'; @@ -21,7 +21,7 @@ Contact [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 107 | 1 | 0 | 0 | +| 109 | 1 | 0 | 0 | ## Common 
diff --git a/api_docs/kbn_core_saved_objects_api_server.devdocs.json b/api_docs/kbn_core_saved_objects_api_server.devdocs.json index 58cc7a716526..eeac23ff3bf7 100644 --- a/api_docs/kbn_core_saved_objects_api_server.devdocs.json +++ b/api_docs/kbn_core_saved_objects_api_server.devdocs.json @@ -111,7 +111,6 @@ "property", "property", "property", - "property", "property" ], "label": "create", @@ -2234,10 +2233,12 @@ "parentPluginId": "@kbn/core-saved-objects-api-server", "id": "def-common.SavedObject.migrationVersion", "type": "Object", - "tags": [], + "tags": [ + "deprecated" + ], "label": "migrationVersion", "description": [ - "{@inheritdoc SavedObjectsMigrationVersion}" + "\n{@inheritdoc SavedObjectsMigrationVersion}" ], "signature": [ { 
@@ -2250,8 +2251,182 @@ " | undefined" ], "path": "packages/core/saved-objects/core-saved-objects-common/src/server_types.ts", - "deprecated": false, - "trackAdoption": false + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" + }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, + { + "plugin": "@kbn/core-saved-objects-browser-mocks", + "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" + }, + { + "plugin": "@kbn/core-saved-objects-api-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" + }, + { + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + }, + { + "plugin": "@kbn/core-saved-objects-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/server/services/epm/kibana/assets/install.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/server/sample_data/logs.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/server/sample_data/ecommerce.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/server/sample_data/flights.ts" + }, + { + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" + }, + { + 
"plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": 
"x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/usage/detections/rules/get_metrics.mocks.ts" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/server/services/epm/packages/get.test.ts" + }, + { + "plugin": "fleet", + "path": 
"x-pack/plugins/fleet/server/services/epm/packages/get.test.ts" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/server/services/epm/packages/get.test.ts" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/server/services/epm/packages/get.test.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts" + } + ] }, { "parentPluginId": "@kbn/core-saved-objects-api-server", @@ -2269,6 +2444,22 @@ "deprecated": false, "trackAdoption": false }, + { + "parentPluginId": "@kbn/core-saved-objects-api-server", + "id": "def-common.SavedObject.typeMigrationVersion", + "type": "string", + "tags": [], + "label": "typeMigrationVersion", + "description": [ + "A semver value that is used when migrating documents between Kibana versions." + ], + "signature": [ + "string | undefined" + ], + "path": "packages/core/saved-objects/core-saved-objects-common/src/server_types.ts", + "deprecated": false, + "trackAdoption": false + }, { "parentPluginId": "@kbn/core-saved-objects-api-server", "id": "def-common.SavedObject.namespaces", 
@@ -2947,10 +3138,12 @@ "parentPluginId": "@kbn/core-saved-objects-api-server", "id": "def-common.SavedObjectsBulkCreateObject.migrationVersion", "type": "Object", - "tags": [], + "tags": [ + "deprecated" + ], "label": "migrationVersion", "description": [ - "{@inheritDoc SavedObjectsMigrationVersion}" + "\n{@inheritDoc SavedObjectsMigrationVersion}" ], "signature": [ { @@ -2963,8 +3156,22 @@ " | undefined" ], "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/bulk_create.ts", - "deprecated": false, - "trackAdoption": false + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "@kbn/core-saved-objects-api-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/server/services/epm/kibana/assets/install.ts" + }, + { + "plugin": "@kbn/core-saved-objects-api-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" + } + ] }, { "parentPluginId": "@kbn/core-saved-objects-api-server", @@ -2982,6 +3189,22 @@ "deprecated": false, "trackAdoption": false }, + { + "parentPluginId": "@kbn/core-saved-objects-api-server", + "id": "def-common.SavedObjectsBulkCreateObject.typeMigrationVersion", + "type": "string", + "tags": [], + "label": "typeMigrationVersion", + "description": [ + "A semver value that is used when migrating documents between Kibana versions." + ], + "signature": [ + "string | undefined" + ], + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/bulk_create.ts", + "deprecated": false, + "trackAdoption": false + }, { "parentPluginId": "@kbn/core-saved-objects-api-server", "id": "def-common.SavedObjectsBulkCreateObject.originId", 
@@ -5674,10 +5897,12 @@ "parentPluginId": "@kbn/core-saved-objects-api-server", "id": "def-common.SavedObjectsCreateOptions.migrationVersion", "type": "Object", - "tags": [], + "tags": [ + "deprecated" + ], "label": "migrationVersion", "description": [ - "{@inheritDoc SavedObjectsMigrationVersion}" + "\n{@inheritDoc SavedObjectsMigrationVersion}" ], "signature": [ { @@ -5690,8 +5915,22 @@ " | undefined" ], "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/create.ts", - "deprecated": false, - "trackAdoption": false + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "@kbn/core-saved-objects-api-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + }, + { + "plugin": "canvas", + "path": "x-pack/plugins/canvas/server/workpad_route_context.ts" + }, + { + "plugin": "@kbn/core-saved-objects-api-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + } + ] }, { "parentPluginId": "@kbn/core-saved-objects-api-server", @@ -5709,6 +5948,22 @@ "deprecated": false, "trackAdoption": false }, + { + "parentPluginId": "@kbn/core-saved-objects-api-server", + "id": "def-common.SavedObjectsCreateOptions.typeMigrationVersion", + "type": "string", + "tags": [], + "label": "typeMigrationVersion", + "description": [ + "\nA semver value that is used when migrating documents between Kibana versions." + ], + "signature": [ + "string | undefined" + ], + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/create.ts", + "deprecated": false, + "trackAdoption": false + }, { "parentPluginId": "@kbn/core-saved-objects-api-server", "id": "def-common.SavedObjectsCreateOptions.references", 
@@ -6713,10 +6968,12 @@ "parentPluginId": "@kbn/core-saved-objects-api-server", "id": "def-common.SavedObjectsIncrementCounterOptions.migrationVersion", "type": "Object", - "tags": [], + "tags": [ + "deprecated" + ], "label": "migrationVersion", "description": [ - "{@link SavedObjectsMigrationVersion}" + "\n{@link SavedObjectsMigrationVersion}" ], "signature": [ { @@ -6729,6 +6986,32 @@ " | undefined" ], "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/increment_counter.ts", + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "@kbn/core-saved-objects-api-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + }, + { + "plugin": "@kbn/core-saved-objects-api-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + } + ] + }, + { + "parentPluginId": "@kbn/core-saved-objects-api-server", + "id": "def-common.SavedObjectsIncrementCounterOptions.typeMigrationVersion", + "type": "string", + "tags": [], + "label": "typeMigrationVersion", + "description": [ + "\nA semver value that is used when migrating documents between Kibana versions." + ], + "signature": [ + "string | undefined" + ], + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/increment_counter.ts", "deprecated": false, "trackAdoption": false }, 
@@ -7634,7 +7917,7 @@ "signature": [ "{ type: string | string[]; filter?: any; aggs?: Record | undefined; search?: string | undefined; namespaces?: string[] | undefined; sortField?: string | undefined; fields?: string[] | undefined; preference?: string | undefined; perPage?: number | undefined; defaultSearchOperator?: \"AND\" | \"OR\" | undefined; searchFields?: string[] | undefined; rootSearchFields?: string[] | undefined; sortOrder?: ", + "> | undefined; search?: string | undefined; namespaces?: string[] | undefined; fields?: string[] | undefined; sortField?: string | undefined; preference?: string | undefined; perPage?: number | undefined; defaultSearchOperator?: \"AND\" | \"OR\" | undefined; searchFields?: string[] | undefined; rootSearchFields?: string[] | undefined; sortOrder?: ", "SortOrder", " | undefined; hasReference?: ", { diff --git a/api_docs/kbn_core_saved_objects_api_server.mdx b/api_docs/kbn_core_saved_objects_api_server.mdx index 6c50cfd23036..40cc13a4d9b6 100644 --- a/api_docs/kbn_core_saved_objects_api_server.mdx +++ b/api_docs/kbn_core_saved_objects_api_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-api-server title: "@kbn/core-saved-objects-api-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-api-server plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-api-server'] --- import kbnCoreSavedObjectsApiServerObj from './kbn_core_saved_objects_api_server.devdocs.json'; @@ -21,7 +21,7 @@ Contact [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 334 | 1 | 4 | 1 | +| 338 | 1 | 4 | 1 | ## Common 
diff --git a/api_docs/kbn_core_saved_objects_api_server_internal.mdx b/api_docs/kbn_core_saved_objects_api_server_internal.mdx index a72fe35c29aa..c546c9223cf0 100644 --- a/api_docs/kbn_core_saved_objects_api_server_internal.mdx +++ b/api_docs/kbn_core_saved_objects_api_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-api-server-internal title: "@kbn/core-saved-objects-api-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-api-server-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-api-server-internal'] --- import kbnCoreSavedObjectsApiServerInternalObj from './kbn_core_saved_objects_api_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_api_server_mocks.mdx b/api_docs/kbn_core_saved_objects_api_server_mocks.mdx index e2385f30e823..68299cb97cda 100644 --- a/api_docs/kbn_core_saved_objects_api_server_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_api_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-api-server-mocks title: "@kbn/core-saved-objects-api-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-api-server-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-api-server-mocks'] --- import kbnCoreSavedObjectsApiServerMocksObj from './kbn_core_saved_objects_api_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_base_server_internal.mdx b/api_docs/kbn_core_saved_objects_base_server_internal.mdx index 6725f2596309..e179b8cffa57 100644 --- a/api_docs/kbn_core_saved_objects_base_server_internal.mdx +++ b/api_docs/kbn_core_saved_objects_base_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-base-server-internal title: "@kbn/core-saved-objects-base-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-base-server-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-base-server-internal'] --- import kbnCoreSavedObjectsBaseServerInternalObj from './kbn_core_saved_objects_base_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_base_server_mocks.mdx b/api_docs/kbn_core_saved_objects_base_server_mocks.mdx index 57569bf9ebb0..01966840af6b 100644 --- a/api_docs/kbn_core_saved_objects_base_server_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_base_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-base-server-mocks title: "@kbn/core-saved-objects-base-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-base-server-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-base-server-mocks'] --- import kbnCoreSavedObjectsBaseServerMocksObj from './kbn_core_saved_objects_base_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_browser.mdx b/api_docs/kbn_core_saved_objects_browser.mdx index 91a9058c4791..926e3aec086d 100644 --- a/api_docs/kbn_core_saved_objects_browser.mdx +++ b/api_docs/kbn_core_saved_objects_browser.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-browser title: "@kbn/core-saved-objects-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-browser plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-browser'] --- import kbnCoreSavedObjectsBrowserObj from './kbn_core_saved_objects_browser.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_browser_internal.mdx b/api_docs/kbn_core_saved_objects_browser_internal.mdx index 1d7fae869274..5e3d601c823d 100644 --- a/api_docs/kbn_core_saved_objects_browser_internal.mdx +++ b/api_docs/kbn_core_saved_objects_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-browser-internal title: "@kbn/core-saved-objects-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-browser-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-browser-internal'] --- import kbnCoreSavedObjectsBrowserInternalObj from './kbn_core_saved_objects_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_browser_mocks.mdx b/api_docs/kbn_core_saved_objects_browser_mocks.mdx index 0f6150413ef8..97a43a554ff6 100644 --- a/api_docs/kbn_core_saved_objects_browser_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-browser-mocks title: "@kbn/core-saved-objects-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-browser-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-browser-mocks'] --- import kbnCoreSavedObjectsBrowserMocksObj from './kbn_core_saved_objects_browser_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_core_saved_objects_common.devdocs.json b/api_docs/kbn_core_saved_objects_common.devdocs.json index 6c86dcaa6cb3..b7a84d7ac7d3 100644 --- a/api_docs/kbn_core_saved_objects_common.devdocs.json +++ b/api_docs/kbn_core_saved_objects_common.devdocs.json @@ -1059,6 +1059,10 @@ "plugin": "@kbn/core-saved-objects-api-browser", "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, + { + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" + }, { "plugin": "@kbn/core-saved-objects-api-server", "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" @@ -1123,6 +1127,10 @@ "plugin": "@kbn/core-saved-objects-browser-internal", "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, { "plugin": "@kbn/core-saved-objects-browser-internal", "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" diff --git a/api_docs/kbn_core_saved_objects_common.mdx b/api_docs/kbn_core_saved_objects_common.mdx index 340611e8d989..8e526f37bdb9 100644 --- a/api_docs/kbn_core_saved_objects_common.mdx +++ b/api_docs/kbn_core_saved_objects_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-common title: "@kbn/core-saved-objects-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-common plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-common'] --- import kbnCoreSavedObjectsCommonObj from './kbn_core_saved_objects_common.devdocs.json'; 
diff --git a/api_docs/kbn_core_saved_objects_import_export_server_internal.mdx b/api_docs/kbn_core_saved_objects_import_export_server_internal.mdx index 5e3743718c6d..252d451f3d96 100644 --- a/api_docs/kbn_core_saved_objects_import_export_server_internal.mdx +++ b/api_docs/kbn_core_saved_objects_import_export_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-import-export-server-internal title: "@kbn/core-saved-objects-import-export-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-import-export-server-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-import-export-server-internal'] --- import kbnCoreSavedObjectsImportExportServerInternalObj from './kbn_core_saved_objects_import_export_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_import_export_server_mocks.mdx b/api_docs/kbn_core_saved_objects_import_export_server_mocks.mdx index c05c55bcbdd1..3b74f964060b 100644 --- a/api_docs/kbn_core_saved_objects_import_export_server_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_import_export_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-import-export-server-mocks title: "@kbn/core-saved-objects-import-export-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-import-export-server-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-import-export-server-mocks'] --- import kbnCoreSavedObjectsImportExportServerMocksObj from './kbn_core_saved_objects_import_export_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_migration_server_internal.mdx b/api_docs/kbn_core_saved_objects_migration_server_internal.mdx index 1799fd74522a..ffd5eee48386 100644 
--- a/api_docs/kbn_core_saved_objects_migration_server_internal.mdx +++ b/api_docs/kbn_core_saved_objects_migration_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-migration-server-internal title: "@kbn/core-saved-objects-migration-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-migration-server-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-migration-server-internal'] --- import kbnCoreSavedObjectsMigrationServerInternalObj from './kbn_core_saved_objects_migration_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_migration_server_mocks.mdx b/api_docs/kbn_core_saved_objects_migration_server_mocks.mdx index 2061a50b37c1..0b0f79d5f9a4 100644 --- a/api_docs/kbn_core_saved_objects_migration_server_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_migration_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-migration-server-mocks title: "@kbn/core-saved-objects-migration-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-migration-server-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-migration-server-mocks'] --- import kbnCoreSavedObjectsMigrationServerMocksObj from './kbn_core_saved_objects_migration_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_server.devdocs.json b/api_docs/kbn_core_saved_objects_server.devdocs.json index 301652fc1968..26ec4d00673d 100644 --- a/api_docs/kbn_core_saved_objects_server.devdocs.json +++ b/api_docs/kbn_core_saved_objects_server.devdocs.json 
@@ -5738,10 +5738,12 @@ "parentPluginId": "@kbn/core-saved-objects-server", "id": "def-common.SavedObject.migrationVersion", "type": "Object", - "tags": [], + "tags": [ + "deprecated" + ], "label": "migrationVersion", "description": [ - "{@inheritdoc SavedObjectsMigrationVersion}" + "\n{@inheritdoc SavedObjectsMigrationVersion}" ], "signature": [ { 
@@ -5754,8 +5756,182 @@ " | undefined" ], "path": "packages/core/saved-objects/core-saved-objects-common/src/server_types.ts", - "deprecated": false, - "trackAdoption": false + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" + }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, + { + "plugin": "@kbn/core-saved-objects-browser-mocks", + "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" + }, + { + "plugin": "@kbn/core-saved-objects-api-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" + }, + { + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + }, + { + "plugin": "@kbn/core-saved-objects-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/server/services/epm/kibana/assets/install.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/server/sample_data/logs.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/server/sample_data/ecommerce.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/server/sample_data/flights.ts" + }, + { + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" + }, + { + 
"plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": 
"x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/usage/detections/rules/get_metrics.mocks.ts" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/server/services/epm/packages/get.test.ts" + }, + { + "plugin": "fleet", + "path": 
"x-pack/plugins/fleet/server/services/epm/packages/get.test.ts" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/server/services/epm/packages/get.test.ts" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/server/services/epm/packages/get.test.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts" + } + ] }, { "parentPluginId": "@kbn/core-saved-objects-server", @@ -5773,6 +5949,22 @@ "deprecated": false, "trackAdoption": false }, + { + "parentPluginId": "@kbn/core-saved-objects-server", + "id": "def-common.SavedObject.typeMigrationVersion", + "type": "string", + "tags": [], + "label": "typeMigrationVersion", + "description": [ + "A semver value that is used when migrating documents between Kibana versions." + ], + "signature": [ + "string | undefined" + ], + "path": "packages/core/saved-objects/core-saved-objects-common/src/server_types.ts", + "deprecated": false, + "trackAdoption": false + }, { "parentPluginId": "@kbn/core-saved-objects-server", "id": "def-common.SavedObject.namespaces", 
@@ -7866,6 +8058,20 @@ "deprecated": false, "trackAdoption": false }, + { + "parentPluginId": "@kbn/core-saved-objects-server", + "id": "def-common.SavedObjectsRawDocSource.typeMigrationVersion", + "type": "string", + "tags": [], + "label": "typeMigrationVersion", + "description": [], + "signature": [ + "string | undefined" + ], + "path": "packages/core/saved-objects/core-saved-objects-server/src/serialization.ts", + "deprecated": false, + "trackAdoption": false + }, { "parentPluginId": "@kbn/core-saved-objects-server", "id": "def-common.SavedObjectsRawDocSource.updated_at", diff --git a/api_docs/kbn_core_saved_objects_server.mdx b/api_docs/kbn_core_saved_objects_server.mdx index cd2a970239b6..d18db55f5156 100644 --- a/api_docs/kbn_core_saved_objects_server.mdx +++ b/api_docs/kbn_core_saved_objects_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-server title: "@kbn/core-saved-objects-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-server plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-server'] --- import kbnCoreSavedObjectsServerObj from './kbn_core_saved_objects_server.devdocs.json'; @@ -21,7 +21,7 @@ Contact [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 489 | 1 | 98 | 4 | +| 491 | 1 | 99 | 4 | ## Common diff --git a/api_docs/kbn_core_saved_objects_server_internal.mdx b/api_docs/kbn_core_saved_objects_server_internal.mdx index 5eca408d0220..dfa513838756 100644 --- a/api_docs/kbn_core_saved_objects_server_internal.mdx +++ b/api_docs/kbn_core_saved_objects_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-server-internal title: "@kbn/core-saved-objects-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-server-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-server-internal'] --- import kbnCoreSavedObjectsServerInternalObj from './kbn_core_saved_objects_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_server_mocks.mdx b/api_docs/kbn_core_saved_objects_server_mocks.mdx index 562c4c1f5dc1..ed86e341618a 100644 --- a/api_docs/kbn_core_saved_objects_server_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-server-mocks title: "@kbn/core-saved-objects-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-server-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-server-mocks'] --- import kbnCoreSavedObjectsServerMocksObj from './kbn_core_saved_objects_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_utils_server.mdx b/api_docs/kbn_core_saved_objects_utils_server.mdx index d749931019f1..ea4f828e73d4 100644 --- a/api_docs/kbn_core_saved_objects_utils_server.mdx +++ b/api_docs/kbn_core_saved_objects_utils_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-utils-server title: "@kbn/core-saved-objects-utils-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-utils-server plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-utils-server'] --- import kbnCoreSavedObjectsUtilsServerObj from './kbn_core_saved_objects_utils_server.devdocs.json'; 
diff --git a/api_docs/kbn_core_status_common.mdx b/api_docs/kbn_core_status_common.mdx index 79cf909f6e49..21e1c71e25ea 100644 --- a/api_docs/kbn_core_status_common.mdx +++ b/api_docs/kbn_core_status_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-status-common title: "@kbn/core-status-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-status-common plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-status-common'] --- import kbnCoreStatusCommonObj from './kbn_core_status_common.devdocs.json'; diff --git a/api_docs/kbn_core_status_common_internal.mdx b/api_docs/kbn_core_status_common_internal.mdx index bf5a9d893b20..c800964bb98b 100644 --- a/api_docs/kbn_core_status_common_internal.mdx +++ b/api_docs/kbn_core_status_common_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-status-common-internal title: "@kbn/core-status-common-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-status-common-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-status-common-internal'] --- import kbnCoreStatusCommonInternalObj from './kbn_core_status_common_internal.devdocs.json'; diff --git a/api_docs/kbn_core_status_server.mdx b/api_docs/kbn_core_status_server.mdx index 2b52cedd33ce..f448951c9117 100644 --- a/api_docs/kbn_core_status_server.mdx +++ b/api_docs/kbn_core_status_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-status-server title: "@kbn/core-status-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-status-server plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-status-server'] --- import kbnCoreStatusServerObj from './kbn_core_status_server.devdocs.json'; 
diff --git a/api_docs/kbn_core_status_server_internal.mdx b/api_docs/kbn_core_status_server_internal.mdx index 6a2432e5e1f7..0c857f8df0e2 100644 --- a/api_docs/kbn_core_status_server_internal.mdx +++ b/api_docs/kbn_core_status_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-status-server-internal title: "@kbn/core-status-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-status-server-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-status-server-internal'] --- import kbnCoreStatusServerInternalObj from './kbn_core_status_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_status_server_mocks.mdx b/api_docs/kbn_core_status_server_mocks.mdx index 357aa3c37501..d9f3554a695b 100644 --- a/api_docs/kbn_core_status_server_mocks.mdx +++ b/api_docs/kbn_core_status_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-status-server-mocks title: "@kbn/core-status-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-status-server-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-status-server-mocks'] --- import kbnCoreStatusServerMocksObj from './kbn_core_status_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_test_helpers_deprecations_getters.mdx b/api_docs/kbn_core_test_helpers_deprecations_getters.mdx index da45126ba697..fb148b442331 100644 --- a/api_docs/kbn_core_test_helpers_deprecations_getters.mdx +++ b/api_docs/kbn_core_test_helpers_deprecations_getters.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-deprecations-getters title: "@kbn/core-test-helpers-deprecations-getters" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-deprecations-getters plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-deprecations-getters'] --- import kbnCoreTestHelpersDeprecationsGettersObj from './kbn_core_test_helpers_deprecations_getters.devdocs.json'; diff --git a/api_docs/kbn_core_test_helpers_http_setup_browser.mdx b/api_docs/kbn_core_test_helpers_http_setup_browser.mdx index c5947d3bfabc..dbe80f48dd5a 100644 --- a/api_docs/kbn_core_test_helpers_http_setup_browser.mdx +++ b/api_docs/kbn_core_test_helpers_http_setup_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-http-setup-browser title: "@kbn/core-test-helpers-http-setup-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-http-setup-browser plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-http-setup-browser'] --- import kbnCoreTestHelpersHttpSetupBrowserObj from './kbn_core_test_helpers_http_setup_browser.devdocs.json'; diff --git a/api_docs/kbn_core_test_helpers_kbn_server.mdx b/api_docs/kbn_core_test_helpers_kbn_server.mdx index 28efb3618eb9..2de1ee3e21be 100644 --- a/api_docs/kbn_core_test_helpers_kbn_server.mdx +++ b/api_docs/kbn_core_test_helpers_kbn_server.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-kbn-server title: "@kbn/core-test-helpers-kbn-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-kbn-server plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-kbn-server'] --- import kbnCoreTestHelpersKbnServerObj from './kbn_core_test_helpers_kbn_server.devdocs.json'; diff --git a/api_docs/kbn_core_test_helpers_so_type_serializer.mdx b/api_docs/kbn_core_test_helpers_so_type_serializer.mdx index 690f63317bcd..722f76bc67e1 100644 --- a/api_docs/kbn_core_test_helpers_so_type_serializer.mdx +++ b/api_docs/kbn_core_test_helpers_so_type_serializer.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-so-type-serializer title: "@kbn/core-test-helpers-so-type-serializer" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-so-type-serializer plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-so-type-serializer'] --- import kbnCoreTestHelpersSoTypeSerializerObj from './kbn_core_test_helpers_so_type_serializer.devdocs.json'; diff --git a/api_docs/kbn_core_test_helpers_test_utils.mdx b/api_docs/kbn_core_test_helpers_test_utils.mdx index 61a9fe49cba6..d0a16bb62055 100644 --- a/api_docs/kbn_core_test_helpers_test_utils.mdx +++ b/api_docs/kbn_core_test_helpers_test_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-test-utils title: "@kbn/core-test-helpers-test-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-test-utils plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-test-utils'] --- import kbnCoreTestHelpersTestUtilsObj from './kbn_core_test_helpers_test_utils.devdocs.json'; 
diff --git a/api_docs/kbn_core_theme_browser.mdx b/api_docs/kbn_core_theme_browser.mdx index 123edab1aa8b..3c65603b72dc 100644 --- a/api_docs/kbn_core_theme_browser.mdx +++ b/api_docs/kbn_core_theme_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-theme-browser title: "@kbn/core-theme-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-theme-browser plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-theme-browser'] --- import kbnCoreThemeBrowserObj from './kbn_core_theme_browser.devdocs.json'; diff --git a/api_docs/kbn_core_theme_browser_internal.mdx b/api_docs/kbn_core_theme_browser_internal.mdx index 43e17d2e94a0..eb259cfdc4b3 100644 --- a/api_docs/kbn_core_theme_browser_internal.mdx +++ b/api_docs/kbn_core_theme_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-theme-browser-internal title: "@kbn/core-theme-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-theme-browser-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-theme-browser-internal'] --- import kbnCoreThemeBrowserInternalObj from './kbn_core_theme_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_theme_browser_mocks.mdx b/api_docs/kbn_core_theme_browser_mocks.mdx index 72ec19ccca23..b92909d4e4d5 100644 --- a/api_docs/kbn_core_theme_browser_mocks.mdx +++ b/api_docs/kbn_core_theme_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-theme-browser-mocks title: "@kbn/core-theme-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-theme-browser-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-theme-browser-mocks'] --- import kbnCoreThemeBrowserMocksObj from './kbn_core_theme_browser_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_core_ui_settings_browser.mdx b/api_docs/kbn_core_ui_settings_browser.mdx index 9cf23b62995b..350de8f7cea5 100644 --- a/api_docs/kbn_core_ui_settings_browser.mdx +++ b/api_docs/kbn_core_ui_settings_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-browser title: "@kbn/core-ui-settings-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-browser plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-browser'] --- import kbnCoreUiSettingsBrowserObj from './kbn_core_ui_settings_browser.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_browser_internal.mdx b/api_docs/kbn_core_ui_settings_browser_internal.mdx index edd7bb217854..5758749b3c98 100644 --- a/api_docs/kbn_core_ui_settings_browser_internal.mdx +++ b/api_docs/kbn_core_ui_settings_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-browser-internal title: "@kbn/core-ui-settings-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-browser-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-browser-internal'] --- import kbnCoreUiSettingsBrowserInternalObj from './kbn_core_ui_settings_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_browser_mocks.mdx b/api_docs/kbn_core_ui_settings_browser_mocks.mdx index a0924c98b888..fd8961cf753d 100644 --- a/api_docs/kbn_core_ui_settings_browser_mocks.mdx +++ b/api_docs/kbn_core_ui_settings_browser_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-browser-mocks title: "@kbn/core-ui-settings-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-browser-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-browser-mocks'] --- import kbnCoreUiSettingsBrowserMocksObj from './kbn_core_ui_settings_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_common.mdx b/api_docs/kbn_core_ui_settings_common.mdx index 59c44e3868e0..4443b29fb530 100644 --- a/api_docs/kbn_core_ui_settings_common.mdx +++ b/api_docs/kbn_core_ui_settings_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-common title: "@kbn/core-ui-settings-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-common plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-common'] --- import kbnCoreUiSettingsCommonObj from './kbn_core_ui_settings_common.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_server.mdx b/api_docs/kbn_core_ui_settings_server.mdx index b97f88c3f52d..7162f21cfdaf 100644 --- a/api_docs/kbn_core_ui_settings_server.mdx +++ b/api_docs/kbn_core_ui_settings_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-server title: "@kbn/core-ui-settings-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-server plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-server'] --- import kbnCoreUiSettingsServerObj from './kbn_core_ui_settings_server.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_server_internal.mdx b/api_docs/kbn_core_ui_settings_server_internal.mdx index 06aba1beaf57..8a96477026e6 100644 
--- a/api_docs/kbn_core_ui_settings_server_internal.mdx +++ b/api_docs/kbn_core_ui_settings_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-server-internal title: "@kbn/core-ui-settings-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-server-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-server-internal'] --- import kbnCoreUiSettingsServerInternalObj from './kbn_core_ui_settings_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_server_mocks.mdx b/api_docs/kbn_core_ui_settings_server_mocks.mdx index cb1073d96cb4..99f3ddf218c0 100644 --- a/api_docs/kbn_core_ui_settings_server_mocks.mdx +++ b/api_docs/kbn_core_ui_settings_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-server-mocks title: "@kbn/core-ui-settings-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-server-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-server-mocks'] --- import kbnCoreUiSettingsServerMocksObj from './kbn_core_ui_settings_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_usage_data_server.mdx b/api_docs/kbn_core_usage_data_server.mdx index 43aeef1e98a3..342173ababd6 100644 --- a/api_docs/kbn_core_usage_data_server.mdx +++ b/api_docs/kbn_core_usage_data_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-usage-data-server title: "@kbn/core-usage-data-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-usage-data-server plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-usage-data-server'] --- import kbnCoreUsageDataServerObj from './kbn_core_usage_data_server.devdocs.json'; 
diff --git a/api_docs/kbn_core_usage_data_server_internal.mdx b/api_docs/kbn_core_usage_data_server_internal.mdx index 80e7797a7316..075bbaf8decf 100644 --- a/api_docs/kbn_core_usage_data_server_internal.mdx +++ b/api_docs/kbn_core_usage_data_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-usage-data-server-internal title: "@kbn/core-usage-data-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-usage-data-server-internal plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-usage-data-server-internal'] --- import kbnCoreUsageDataServerInternalObj from './kbn_core_usage_data_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_usage_data_server_mocks.mdx b/api_docs/kbn_core_usage_data_server_mocks.mdx index a27f681311cf..6c0f3e4592e2 100644 --- a/api_docs/kbn_core_usage_data_server_mocks.mdx +++ b/api_docs/kbn_core_usage_data_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-usage-data-server-mocks title: "@kbn/core-usage-data-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-usage-data-server-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-usage-data-server-mocks'] --- import kbnCoreUsageDataServerMocksObj from './kbn_core_usage_data_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_crypto.mdx b/api_docs/kbn_crypto.mdx index 3202a8e7f9f6..ee077fcfb9e4 100644 --- a/api_docs/kbn_crypto.mdx +++ b/api_docs/kbn_crypto.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-crypto title: "@kbn/crypto" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/crypto plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/crypto'] --- import kbnCryptoObj from './kbn_crypto.devdocs.json'; 
diff --git a/api_docs/kbn_crypto_browser.mdx b/api_docs/kbn_crypto_browser.mdx index d55ce5a02f72..59332844d8fc 100644 --- a/api_docs/kbn_crypto_browser.mdx +++ b/api_docs/kbn_crypto_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-crypto-browser title: "@kbn/crypto-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/crypto-browser plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/crypto-browser'] --- import kbnCryptoBrowserObj from './kbn_crypto_browser.devdocs.json'; diff --git a/api_docs/kbn_cypress_config.mdx b/api_docs/kbn_cypress_config.mdx index 9a2524698d7e..c2b8de7a8baf 100644 --- a/api_docs/kbn_cypress_config.mdx +++ b/api_docs/kbn_cypress_config.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-cypress-config title: "@kbn/cypress-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/cypress-config plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/cypress-config'] --- import kbnCypressConfigObj from './kbn_cypress_config.devdocs.json'; diff --git a/api_docs/kbn_datemath.mdx b/api_docs/kbn_datemath.mdx index c4e30038b4ac..6515fb8511e5 100644 --- a/api_docs/kbn_datemath.mdx +++ b/api_docs/kbn_datemath.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-datemath title: "@kbn/datemath" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/datemath plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/datemath'] --- import kbnDatemathObj from './kbn_datemath.devdocs.json'; diff --git a/api_docs/kbn_dev_cli_errors.mdx b/api_docs/kbn_dev_cli_errors.mdx index 5afd4d9f5ab1..7c7f0122a863 100644 --- a/api_docs/kbn_dev_cli_errors.mdx +++ b/api_docs/kbn_dev_cli_errors.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-cli-errors title: "@kbn/dev-cli-errors" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-cli-errors plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-cli-errors'] --- import kbnDevCliErrorsObj from './kbn_dev_cli_errors.devdocs.json'; diff --git a/api_docs/kbn_dev_cli_runner.mdx b/api_docs/kbn_dev_cli_runner.mdx index ca9ccde1bf44..e8fdad8bf6fe 100644 --- a/api_docs/kbn_dev_cli_runner.mdx +++ b/api_docs/kbn_dev_cli_runner.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-cli-runner title: "@kbn/dev-cli-runner" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-cli-runner plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-cli-runner'] --- import kbnDevCliRunnerObj from './kbn_dev_cli_runner.devdocs.json'; diff --git a/api_docs/kbn_dev_proc_runner.mdx b/api_docs/kbn_dev_proc_runner.mdx index 2b5bc222ca64..5e9262aa8fde 100644 --- a/api_docs/kbn_dev_proc_runner.mdx +++ b/api_docs/kbn_dev_proc_runner.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-proc-runner title: "@kbn/dev-proc-runner" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-proc-runner plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-proc-runner'] --- import kbnDevProcRunnerObj from './kbn_dev_proc_runner.devdocs.json'; diff --git a/api_docs/kbn_dev_utils.mdx b/api_docs/kbn_dev_utils.mdx index 63e739ecb99e..8a44742b99ba 100644 --- a/api_docs/kbn_dev_utils.mdx +++ b/api_docs/kbn_dev_utils.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-utils title: "@kbn/dev-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-utils plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-utils'] --- import kbnDevUtilsObj from './kbn_dev_utils.devdocs.json'; diff --git a/api_docs/kbn_doc_links.mdx b/api_docs/kbn_doc_links.mdx index 88e7bf579857..1f239a4cf27c 100644 --- a/api_docs/kbn_doc_links.mdx +++ b/api_docs/kbn_doc_links.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-doc-links title: "@kbn/doc-links" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/doc-links plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/doc-links'] --- import kbnDocLinksObj from './kbn_doc_links.devdocs.json'; diff --git a/api_docs/kbn_docs_utils.mdx b/api_docs/kbn_docs_utils.mdx index 33671c341482..ee162598ffc1 100644 --- a/api_docs/kbn_docs_utils.mdx +++ b/api_docs/kbn_docs_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-docs-utils title: "@kbn/docs-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/docs-utils plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/docs-utils'] --- import kbnDocsUtilsObj from './kbn_docs_utils.devdocs.json'; diff --git a/api_docs/kbn_dom_drag_drop.mdx b/api_docs/kbn_dom_drag_drop.mdx index 35fb18e03f97..6cbff9276a5b 100644 --- a/api_docs/kbn_dom_drag_drop.mdx +++ b/api_docs/kbn_dom_drag_drop.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dom-drag-drop title: "@kbn/dom-drag-drop" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dom-drag-drop plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dom-drag-drop'] --- import kbnDomDragDropObj from './kbn_dom_drag_drop.devdocs.json'; 
diff --git a/api_docs/kbn_ebt_tools.mdx b/api_docs/kbn_ebt_tools.mdx index 46bcc702f34f..1a894555402a 100644 --- a/api_docs/kbn_ebt_tools.mdx +++ b/api_docs/kbn_ebt_tools.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ebt-tools title: "@kbn/ebt-tools" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ebt-tools plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ebt-tools'] --- import kbnEbtToolsObj from './kbn_ebt_tools.devdocs.json'; diff --git a/api_docs/kbn_ecs.mdx b/api_docs/kbn_ecs.mdx index e1347732286f..5c885d4990f6 100644 --- a/api_docs/kbn_ecs.mdx +++ b/api_docs/kbn_ecs.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ecs title: "@kbn/ecs" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ecs plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ecs'] --- import kbnEcsObj from './kbn_ecs.devdocs.json'; diff --git a/api_docs/kbn_ecs_data_quality_dashboard.mdx b/api_docs/kbn_ecs_data_quality_dashboard.mdx index f56e3da0a824..7d625ba7d26d 100644 --- a/api_docs/kbn_ecs_data_quality_dashboard.mdx +++ b/api_docs/kbn_ecs_data_quality_dashboard.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ecs-data-quality-dashboard title: "@kbn/ecs-data-quality-dashboard" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ecs-data-quality-dashboard plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ecs-data-quality-dashboard'] --- import kbnEcsDataQualityDashboardObj from './kbn_ecs_data_quality_dashboard.devdocs.json'; diff --git a/api_docs/kbn_es.mdx b/api_docs/kbn_es.mdx index ccc03d2caae3..342970a490d8 100644 --- a/api_docs/kbn_es.mdx +++ b/api_docs/kbn_es.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es title: "@kbn/es" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es'] --- import kbnEsObj from './kbn_es.devdocs.json'; diff --git a/api_docs/kbn_es_archiver.mdx b/api_docs/kbn_es_archiver.mdx index a28fa5a260db..787e11096180 100644 --- a/api_docs/kbn_es_archiver.mdx +++ b/api_docs/kbn_es_archiver.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es-archiver title: "@kbn/es-archiver" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es-archiver plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es-archiver'] --- import kbnEsArchiverObj from './kbn_es_archiver.devdocs.json'; diff --git a/api_docs/kbn_es_errors.mdx b/api_docs/kbn_es_errors.mdx index f2ca8b193f6b..aee672a62e92 100644 --- a/api_docs/kbn_es_errors.mdx +++ b/api_docs/kbn_es_errors.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es-errors title: "@kbn/es-errors" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es-errors plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es-errors'] --- import kbnEsErrorsObj from './kbn_es_errors.devdocs.json'; diff --git a/api_docs/kbn_es_query.mdx b/api_docs/kbn_es_query.mdx index 46097f7e7256..990a2a485320 100644 --- a/api_docs/kbn_es_query.mdx +++ b/api_docs/kbn_es_query.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es-query title: "@kbn/es-query" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es-query plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es-query'] --- import kbnEsQueryObj from './kbn_es_query.devdocs.json'; 
diff --git a/api_docs/kbn_es_types.devdocs.json b/api_docs/kbn_es_types.devdocs.json index 32c29543af11..fc197d24736d 100644 --- a/api_docs/kbn_es_types.devdocs.json +++ b/api_docs/kbn_es_types.devdocs.json @@ -393,7 +393,7 @@ "signature": [ "Omit<", "SearchHit", - ", \"_source\" | \"fields\"> & (TSource extends false ? {} : { _source: TSource; }) & (TFields extends (string | ", + ", \"fields\" | \"_source\"> & (TSource extends false ? {} : { _source: TSource; }) & (TFields extends (string | ", "QueryDslFieldAndFormat", ")[] ? { fields: Partial, unknown[]>>; } : {}) & (TDocValueFields extends DocValueFields ? { fields: Partial, unknown[]>>; } : {})" ], diff --git a/api_docs/kbn_es_types.mdx b/api_docs/kbn_es_types.mdx index d02c88106871..35398ac072ed 100644 --- a/api_docs/kbn_es_types.mdx +++ b/api_docs/kbn_es_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es-types title: "@kbn/es-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es-types plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es-types'] --- import kbnEsTypesObj from './kbn_es_types.devdocs.json'; diff --git a/api_docs/kbn_eslint_plugin_imports.mdx b/api_docs/kbn_eslint_plugin_imports.mdx index a1f77d954d01..9770b8384d3d 100644 --- a/api_docs/kbn_eslint_plugin_imports.mdx +++ b/api_docs/kbn_eslint_plugin_imports.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-eslint-plugin-imports title: "@kbn/eslint-plugin-imports" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/eslint-plugin-imports plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/eslint-plugin-imports'] --- import kbnEslintPluginImportsObj from './kbn_eslint_plugin_imports.devdocs.json'; diff --git a/api_docs/kbn_expandable_flyout.mdx b/api_docs/kbn_expandable_flyout.mdx index baf2294f51d0..04818610f872 100644 --- a/api_docs/kbn_expandable_flyout.mdx 
+++ b/api_docs/kbn_expandable_flyout.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-expandable-flyout title: "@kbn/expandable-flyout" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/expandable-flyout plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/expandable-flyout'] --- import kbnExpandableFlyoutObj from './kbn_expandable_flyout.devdocs.json'; diff --git a/api_docs/kbn_field_types.mdx b/api_docs/kbn_field_types.mdx index e10e180d08c0..ad08f7c39742 100644 --- a/api_docs/kbn_field_types.mdx +++ b/api_docs/kbn_field_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-field-types title: "@kbn/field-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/field-types plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/field-types'] --- import kbnFieldTypesObj from './kbn_field_types.devdocs.json'; diff --git a/api_docs/kbn_find_used_node_modules.mdx b/api_docs/kbn_find_used_node_modules.mdx index 624316baca31..dedba6e91453 100644 --- a/api_docs/kbn_find_used_node_modules.mdx +++ b/api_docs/kbn_find_used_node_modules.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-find-used-node-modules title: "@kbn/find-used-node-modules" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/find-used-node-modules plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/find-used-node-modules'] --- import kbnFindUsedNodeModulesObj from './kbn_find_used_node_modules.devdocs.json'; diff --git a/api_docs/kbn_ftr_common_functional_services.mdx b/api_docs/kbn_ftr_common_functional_services.mdx index 9e867858cf0d..953d5b8394ee 100644 --- a/api_docs/kbn_ftr_common_functional_services.mdx +++ b/api_docs/kbn_ftr_common_functional_services.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ftr-common-functional-services title: "@kbn/ftr-common-functional-services" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ftr-common-functional-services plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ftr-common-functional-services'] --- import kbnFtrCommonFunctionalServicesObj from './kbn_ftr_common_functional_services.devdocs.json'; diff --git a/api_docs/kbn_generate.mdx b/api_docs/kbn_generate.mdx index e5396c5c9952..b0d27eb3cc1d 100644 --- a/api_docs/kbn_generate.mdx +++ b/api_docs/kbn_generate.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-generate title: "@kbn/generate" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/generate plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/generate'] --- import kbnGenerateObj from './kbn_generate.devdocs.json'; diff --git a/api_docs/kbn_guided_onboarding.mdx b/api_docs/kbn_guided_onboarding.mdx index 879b347d91f6..25eddbd404cf 100644 --- a/api_docs/kbn_guided_onboarding.mdx +++ b/api_docs/kbn_guided_onboarding.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-guided-onboarding title: "@kbn/guided-onboarding" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/guided-onboarding plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/guided-onboarding'] --- import kbnGuidedOnboardingObj from './kbn_guided_onboarding.devdocs.json'; diff --git a/api_docs/kbn_handlebars.mdx b/api_docs/kbn_handlebars.mdx index 6a68f533fff4..f5e3957da586 100644 --- a/api_docs/kbn_handlebars.mdx +++ b/api_docs/kbn_handlebars.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-handlebars title: "@kbn/handlebars" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/handlebars plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/handlebars'] --- import kbnHandlebarsObj from './kbn_handlebars.devdocs.json'; diff --git a/api_docs/kbn_hapi_mocks.mdx b/api_docs/kbn_hapi_mocks.mdx index 6c06b5e42f84..0224338d5b6f 100644 --- a/api_docs/kbn_hapi_mocks.mdx +++ b/api_docs/kbn_hapi_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-hapi-mocks title: "@kbn/hapi-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/hapi-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/hapi-mocks'] --- import kbnHapiMocksObj from './kbn_hapi_mocks.devdocs.json'; diff --git a/api_docs/kbn_health_gateway_server.mdx b/api_docs/kbn_health_gateway_server.mdx index 5791429ef586..2575d9f08d43 100644 --- a/api_docs/kbn_health_gateway_server.mdx +++ b/api_docs/kbn_health_gateway_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-health-gateway-server title: "@kbn/health-gateway-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/health-gateway-server plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/health-gateway-server'] --- import kbnHealthGatewayServerObj from './kbn_health_gateway_server.devdocs.json'; diff --git a/api_docs/kbn_home_sample_data_card.mdx b/api_docs/kbn_home_sample_data_card.mdx index 4b11270918ed..51ad7e2c6e57 100644 --- a/api_docs/kbn_home_sample_data_card.mdx +++ b/api_docs/kbn_home_sample_data_card.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-home-sample-data-card title: "@kbn/home-sample-data-card" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/home-sample-data-card plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/home-sample-data-card'] --- import kbnHomeSampleDataCardObj from './kbn_home_sample_data_card.devdocs.json'; diff --git a/api_docs/kbn_home_sample_data_tab.mdx b/api_docs/kbn_home_sample_data_tab.mdx index fca3ddf71838..3e1e1fac397f 100644 --- a/api_docs/kbn_home_sample_data_tab.mdx +++ b/api_docs/kbn_home_sample_data_tab.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-home-sample-data-tab title: "@kbn/home-sample-data-tab" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/home-sample-data-tab plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/home-sample-data-tab'] --- import kbnHomeSampleDataTabObj from './kbn_home_sample_data_tab.devdocs.json'; diff --git a/api_docs/kbn_i18n.mdx b/api_docs/kbn_i18n.mdx index 8d16ed0b5fe1..f9cfbb4fe4f4 100644 --- a/api_docs/kbn_i18n.mdx +++ b/api_docs/kbn_i18n.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-i18n title: "@kbn/i18n" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/i18n plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/i18n'] --- import kbnI18nObj from './kbn_i18n.devdocs.json'; diff --git a/api_docs/kbn_i18n_react.mdx b/api_docs/kbn_i18n_react.mdx index 45628028129b..54655a656715 100644 --- a/api_docs/kbn_i18n_react.mdx +++ b/api_docs/kbn_i18n_react.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-i18n-react title: "@kbn/i18n-react" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/i18n-react plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/i18n-react'] --- import kbnI18nReactObj from './kbn_i18n_react.devdocs.json'; diff --git a/api_docs/kbn_import_resolver.mdx b/api_docs/kbn_import_resolver.mdx index 76677ae01cf4..0556ae4cb080 100644 --- a/api_docs/kbn_import_resolver.mdx +++ b/api_docs/kbn_import_resolver.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-import-resolver title: "@kbn/import-resolver" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/import-resolver plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/import-resolver'] --- import kbnImportResolverObj from './kbn_import_resolver.devdocs.json'; diff --git a/api_docs/kbn_interpreter.mdx b/api_docs/kbn_interpreter.mdx index e386986ba519..988b5243bba4 100644 --- a/api_docs/kbn_interpreter.mdx +++ b/api_docs/kbn_interpreter.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-interpreter title: "@kbn/interpreter" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/interpreter plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/interpreter'] --- import kbnInterpreterObj from './kbn_interpreter.devdocs.json'; diff --git a/api_docs/kbn_io_ts_utils.mdx b/api_docs/kbn_io_ts_utils.mdx index e74c60670996..bfec6789399f 100644 --- a/api_docs/kbn_io_ts_utils.mdx +++ b/api_docs/kbn_io_ts_utils.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-io-ts-utils title: "@kbn/io-ts-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/io-ts-utils plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/io-ts-utils'] --- import kbnIoTsUtilsObj from './kbn_io_ts_utils.devdocs.json'; diff --git a/api_docs/kbn_jest_serializers.mdx b/api_docs/kbn_jest_serializers.mdx index acf935160699..6ddc63b53ec8 100644 --- a/api_docs/kbn_jest_serializers.mdx +++ b/api_docs/kbn_jest_serializers.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-jest-serializers title: "@kbn/jest-serializers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/jest-serializers plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/jest-serializers'] --- import kbnJestSerializersObj from './kbn_jest_serializers.devdocs.json'; diff --git a/api_docs/kbn_journeys.mdx b/api_docs/kbn_journeys.mdx index 54e0011d9489..2287377efe40 100644 --- a/api_docs/kbn_journeys.mdx +++ b/api_docs/kbn_journeys.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-journeys title: "@kbn/journeys" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/journeys plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/journeys'] --- import kbnJourneysObj from './kbn_journeys.devdocs.json'; diff --git a/api_docs/kbn_json_ast.mdx b/api_docs/kbn_json_ast.mdx index af39c44f82c4..b7a36b67588f 100644 --- a/api_docs/kbn_json_ast.mdx +++ b/api_docs/kbn_json_ast.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-json-ast title: "@kbn/json-ast" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/json-ast plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/json-ast'] --- import kbnJsonAstObj from './kbn_json_ast.devdocs.json'; 
diff --git a/api_docs/kbn_kibana_manifest_schema.mdx b/api_docs/kbn_kibana_manifest_schema.mdx index b015be27cf8f..b75cf0110518 100644 --- a/api_docs/kbn_kibana_manifest_schema.mdx +++ b/api_docs/kbn_kibana_manifest_schema.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-kibana-manifest-schema title: "@kbn/kibana-manifest-schema" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/kibana-manifest-schema plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/kibana-manifest-schema'] --- import kbnKibanaManifestSchemaObj from './kbn_kibana_manifest_schema.devdocs.json'; diff --git a/api_docs/kbn_language_documentation_popover.mdx b/api_docs/kbn_language_documentation_popover.mdx index 0a7224ac6a8a..d0cd927f4f95 100644 --- a/api_docs/kbn_language_documentation_popover.mdx +++ b/api_docs/kbn_language_documentation_popover.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-language-documentation-popover title: "@kbn/language-documentation-popover" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/language-documentation-popover plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/language-documentation-popover'] --- import kbnLanguageDocumentationPopoverObj from './kbn_language_documentation_popover.devdocs.json'; diff --git a/api_docs/kbn_logging.mdx b/api_docs/kbn_logging.mdx index 4e915d1dbeb5..86911b315d8e 100644 --- a/api_docs/kbn_logging.mdx +++ b/api_docs/kbn_logging.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-logging title: "@kbn/logging" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/logging plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/logging'] --- import kbnLoggingObj from './kbn_logging.devdocs.json'; 
diff --git a/api_docs/kbn_logging_mocks.mdx b/api_docs/kbn_logging_mocks.mdx index 0009f99fd1f2..9685c0b7e754 100644 --- a/api_docs/kbn_logging_mocks.mdx +++ b/api_docs/kbn_logging_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-logging-mocks title: "@kbn/logging-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/logging-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/logging-mocks'] --- import kbnLoggingMocksObj from './kbn_logging_mocks.devdocs.json'; diff --git a/api_docs/kbn_managed_vscode_config.mdx b/api_docs/kbn_managed_vscode_config.mdx index 65f9c21ca71e..ee315a218517 100644 --- a/api_docs/kbn_managed_vscode_config.mdx +++ b/api_docs/kbn_managed_vscode_config.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-managed-vscode-config title: "@kbn/managed-vscode-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/managed-vscode-config plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/managed-vscode-config'] --- import kbnManagedVscodeConfigObj from './kbn_managed_vscode_config.devdocs.json'; diff --git a/api_docs/kbn_mapbox_gl.mdx b/api_docs/kbn_mapbox_gl.mdx index 8f88aa4f0254..4ab001936b9a 100644 --- a/api_docs/kbn_mapbox_gl.mdx +++ b/api_docs/kbn_mapbox_gl.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-mapbox-gl title: "@kbn/mapbox-gl" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/mapbox-gl plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/mapbox-gl'] --- import kbnMapboxGlObj from './kbn_mapbox_gl.devdocs.json'; diff --git a/api_docs/kbn_ml_agg_utils.mdx b/api_docs/kbn_ml_agg_utils.mdx index 3c36df0a26d3..b1f811ac2f9e 100644 --- a/api_docs/kbn_ml_agg_utils.mdx +++ b/api_docs/kbn_ml_agg_utils.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-agg-utils title: "@kbn/ml-agg-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-agg-utils plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-agg-utils'] --- import kbnMlAggUtilsObj from './kbn_ml_agg_utils.devdocs.json'; diff --git a/api_docs/kbn_ml_date_picker.mdx b/api_docs/kbn_ml_date_picker.mdx index e9550b96bb3d..d54b24b4a0c6 100644 --- a/api_docs/kbn_ml_date_picker.mdx +++ b/api_docs/kbn_ml_date_picker.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-date-picker title: "@kbn/ml-date-picker" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-date-picker plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-date-picker'] --- import kbnMlDatePickerObj from './kbn_ml_date_picker.devdocs.json'; diff --git a/api_docs/kbn_ml_is_defined.mdx b/api_docs/kbn_ml_is_defined.mdx index f866a426efa8..2a3050db3727 100644 --- a/api_docs/kbn_ml_is_defined.mdx +++ b/api_docs/kbn_ml_is_defined.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-is-defined title: "@kbn/ml-is-defined" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-is-defined plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-is-defined'] --- import kbnMlIsDefinedObj from './kbn_ml_is_defined.devdocs.json'; diff --git a/api_docs/kbn_ml_is_populated_object.mdx b/api_docs/kbn_ml_is_populated_object.mdx index 8b4bc1066fb4..3b942f3b990d 100644 --- a/api_docs/kbn_ml_is_populated_object.mdx +++ b/api_docs/kbn_ml_is_populated_object.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-is-populated-object title: "@kbn/ml-is-populated-object" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-is-populated-object plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-is-populated-object'] --- import kbnMlIsPopulatedObjectObj from './kbn_ml_is_populated_object.devdocs.json'; diff --git a/api_docs/kbn_ml_local_storage.mdx b/api_docs/kbn_ml_local_storage.mdx index 6020442e1a0b..525202a33655 100644 --- a/api_docs/kbn_ml_local_storage.mdx +++ b/api_docs/kbn_ml_local_storage.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-local-storage title: "@kbn/ml-local-storage" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-local-storage plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-local-storage'] --- import kbnMlLocalStorageObj from './kbn_ml_local_storage.devdocs.json'; diff --git a/api_docs/kbn_ml_nested_property.mdx b/api_docs/kbn_ml_nested_property.mdx index 7cef6e5df508..b93ffe738baa 100644 --- a/api_docs/kbn_ml_nested_property.mdx +++ b/api_docs/kbn_ml_nested_property.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-nested-property title: "@kbn/ml-nested-property" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-nested-property plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-nested-property'] --- import kbnMlNestedPropertyObj from './kbn_ml_nested_property.devdocs.json'; diff --git a/api_docs/kbn_ml_query_utils.mdx b/api_docs/kbn_ml_query_utils.mdx index f56f9cd9ee5e..5403510e8aae 100644 --- a/api_docs/kbn_ml_query_utils.mdx +++ b/api_docs/kbn_ml_query_utils.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-query-utils title: "@kbn/ml-query-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-query-utils plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-query-utils'] --- import kbnMlQueryUtilsObj from './kbn_ml_query_utils.devdocs.json'; diff --git a/api_docs/kbn_ml_string_hash.mdx b/api_docs/kbn_ml_string_hash.mdx index 51555d943680..4fef0db007d4 100644 --- a/api_docs/kbn_ml_string_hash.mdx +++ b/api_docs/kbn_ml_string_hash.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-string-hash title: "@kbn/ml-string-hash" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-string-hash plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-string-hash'] --- import kbnMlStringHashObj from './kbn_ml_string_hash.devdocs.json'; diff --git a/api_docs/kbn_ml_url_state.mdx b/api_docs/kbn_ml_url_state.mdx index 0058d263ceb2..cabf8d33c70a 100644 --- a/api_docs/kbn_ml_url_state.mdx +++ b/api_docs/kbn_ml_url_state.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-url-state title: "@kbn/ml-url-state" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-url-state plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-url-state'] --- import kbnMlUrlStateObj from './kbn_ml_url_state.devdocs.json'; diff --git a/api_docs/kbn_monaco.mdx b/api_docs/kbn_monaco.mdx index b34cd266dc16..9bd7a0cf27ba 100644 --- a/api_docs/kbn_monaco.mdx +++ b/api_docs/kbn_monaco.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-monaco title: "@kbn/monaco" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/monaco plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/monaco'] --- import kbnMonacoObj from './kbn_monaco.devdocs.json'; diff --git a/api_docs/kbn_object_versioning.mdx b/api_docs/kbn_object_versioning.mdx index 6e0ca6148748..835f466f5a97 100644 --- a/api_docs/kbn_object_versioning.mdx +++ b/api_docs/kbn_object_versioning.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-object-versioning title: "@kbn/object-versioning" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/object-versioning plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/object-versioning'] --- import kbnObjectVersioningObj from './kbn_object_versioning.devdocs.json'; diff --git a/api_docs/kbn_optimizer.mdx b/api_docs/kbn_optimizer.mdx index 4dd32f6bba04..d1b8c032da2b 100644 --- a/api_docs/kbn_optimizer.mdx +++ b/api_docs/kbn_optimizer.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-optimizer title: "@kbn/optimizer" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/optimizer plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/optimizer'] --- import kbnOptimizerObj from './kbn_optimizer.devdocs.json'; diff --git a/api_docs/kbn_optimizer_webpack_helpers.mdx b/api_docs/kbn_optimizer_webpack_helpers.mdx index 43b10f1ab364..6fc77d42e960 100644 --- a/api_docs/kbn_optimizer_webpack_helpers.mdx +++ b/api_docs/kbn_optimizer_webpack_helpers.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-optimizer-webpack-helpers title: "@kbn/optimizer-webpack-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/optimizer-webpack-helpers plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/optimizer-webpack-helpers'] --- import kbnOptimizerWebpackHelpersObj from './kbn_optimizer_webpack_helpers.devdocs.json'; diff --git a/api_docs/kbn_osquery_io_ts_types.mdx b/api_docs/kbn_osquery_io_ts_types.mdx index e1ca7f40f484..34da3485c311 100644 --- a/api_docs/kbn_osquery_io_ts_types.mdx +++ b/api_docs/kbn_osquery_io_ts_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-osquery-io-ts-types title: "@kbn/osquery-io-ts-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/osquery-io-ts-types plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/osquery-io-ts-types'] --- import kbnOsqueryIoTsTypesObj from './kbn_osquery_io_ts_types.devdocs.json'; diff --git a/api_docs/kbn_performance_testing_dataset_extractor.mdx b/api_docs/kbn_performance_testing_dataset_extractor.mdx index a8db097b98fd..2871af59300c 100644 --- a/api_docs/kbn_performance_testing_dataset_extractor.mdx +++ b/api_docs/kbn_performance_testing_dataset_extractor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-performance-testing-dataset-extractor title: "@kbn/performance-testing-dataset-extractor" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/performance-testing-dataset-extractor plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/performance-testing-dataset-extractor'] --- import kbnPerformanceTestingDatasetExtractorObj from './kbn_performance_testing_dataset_extractor.devdocs.json'; diff --git a/api_docs/kbn_plugin_generator.mdx b/api_docs/kbn_plugin_generator.mdx index bc2022d91eb5..6f6ed974e66d 100644 
--- a/api_docs/kbn_plugin_generator.mdx +++ b/api_docs/kbn_plugin_generator.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-plugin-generator title: "@kbn/plugin-generator" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/plugin-generator plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/plugin-generator'] --- import kbnPluginGeneratorObj from './kbn_plugin_generator.devdocs.json'; diff --git a/api_docs/kbn_plugin_helpers.mdx b/api_docs/kbn_plugin_helpers.mdx index 97c4a5a07850..276dd142dd78 100644 --- a/api_docs/kbn_plugin_helpers.mdx +++ b/api_docs/kbn_plugin_helpers.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-plugin-helpers title: "@kbn/plugin-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/plugin-helpers plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/plugin-helpers'] --- import kbnPluginHelpersObj from './kbn_plugin_helpers.devdocs.json'; diff --git a/api_docs/kbn_react_field.mdx b/api_docs/kbn_react_field.mdx index eb301dc32b98..8f9e63ba0fcd 100644 --- a/api_docs/kbn_react_field.mdx +++ b/api_docs/kbn_react_field.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-react-field title: "@kbn/react-field" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/react-field plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/react-field'] --- import kbnReactFieldObj from './kbn_react_field.devdocs.json'; diff --git a/api_docs/kbn_repo_file_maps.mdx b/api_docs/kbn_repo_file_maps.mdx index 2e31037b229c..9ae665a35f64 100644 --- a/api_docs/kbn_repo_file_maps.mdx +++ b/api_docs/kbn_repo_file_maps.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-repo-file-maps
 title: "@kbn/repo-file-maps"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/repo-file-maps plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/repo-file-maps']
 ---
 import kbnRepoFileMapsObj from './kbn_repo_file_maps.devdocs.json';
diff --git a/api_docs/kbn_repo_linter.mdx b/api_docs/kbn_repo_linter.mdx
index 445c9cb46527..fe889fba7214 100644
--- a/api_docs/kbn_repo_linter.mdx
+++ b/api_docs/kbn_repo_linter.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-repo-linter
 title: "@kbn/repo-linter"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/repo-linter plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/repo-linter']
 ---
 import kbnRepoLinterObj from './kbn_repo_linter.devdocs.json';
diff --git a/api_docs/kbn_repo_path.mdx b/api_docs/kbn_repo_path.mdx
index f1bfdaced32a..ae9141e4f035 100644
--- a/api_docs/kbn_repo_path.mdx
+++ b/api_docs/kbn_repo_path.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-repo-path
 title: "@kbn/repo-path"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/repo-path plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/repo-path']
 ---
 import kbnRepoPathObj from './kbn_repo_path.devdocs.json';
diff --git a/api_docs/kbn_repo_source_classifier.mdx b/api_docs/kbn_repo_source_classifier.mdx
index 7159a86062aa..64ad6f21b8c1 100644
--- a/api_docs/kbn_repo_source_classifier.mdx
+++ b/api_docs/kbn_repo_source_classifier.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-repo-source-classifier
 title: "@kbn/repo-source-classifier"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/repo-source-classifier plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/repo-source-classifier']
 ---
 import kbnRepoSourceClassifierObj from './kbn_repo_source_classifier.devdocs.json';
diff --git a/api_docs/kbn_rison.mdx b/api_docs/kbn_rison.mdx
index 865105debb3d..29a6230a2707 100644
--- a/api_docs/kbn_rison.mdx
+++ b/api_docs/kbn_rison.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-rison
 title: "@kbn/rison"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/rison plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/rison']
 ---
 import kbnRisonObj from './kbn_rison.devdocs.json';
diff --git a/api_docs/kbn_rule_data_utils.mdx b/api_docs/kbn_rule_data_utils.mdx
index af60d3321510..2250e87c5e0c 100644
--- a/api_docs/kbn_rule_data_utils.mdx
+++ b/api_docs/kbn_rule_data_utils.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-rule-data-utils
 title: "@kbn/rule-data-utils"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/rule-data-utils plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/rule-data-utils']
 ---
 import kbnRuleDataUtilsObj from './kbn_rule_data_utils.devdocs.json';
diff --git a/api_docs/kbn_security_solution_side_nav.mdx b/api_docs/kbn_security_solution_side_nav.mdx
index cc71b6099b00..9a144adf18f7 100644
--- a/api_docs/kbn_security_solution_side_nav.mdx
+++ b/api_docs/kbn_security_solution_side_nav.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-security-solution-side-nav
 title: "@kbn/security-solution-side-nav"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/security-solution-side-nav plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/security-solution-side-nav']
 ---
 import kbnSecuritySolutionSideNavObj from './kbn_security_solution_side_nav.devdocs.json';
diff --git a/api_docs/kbn_security_solution_storybook_config.mdx b/api_docs/kbn_security_solution_storybook_config.mdx
index 5863a8fbece5..211e76665da6 100644
--- a/api_docs/kbn_security_solution_storybook_config.mdx
+++ b/api_docs/kbn_security_solution_storybook_config.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-security-solution-storybook-config
 title: "@kbn/security-solution-storybook-config"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/security-solution-storybook-config plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/security-solution-storybook-config']
 ---
 import kbnSecuritySolutionStorybookConfigObj from './kbn_security_solution_storybook_config.devdocs.json';
diff --git a/api_docs/kbn_securitysolution_autocomplete.mdx b/api_docs/kbn_securitysolution_autocomplete.mdx
index f243689b9cbc..9d7ae05b8ed6 100644
--- a/api_docs/kbn_securitysolution_autocomplete.mdx
+++ b/api_docs/kbn_securitysolution_autocomplete.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-autocomplete
 title: "@kbn/securitysolution-autocomplete"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/securitysolution-autocomplete plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-autocomplete']
 ---
 import kbnSecuritysolutionAutocompleteObj from './kbn_securitysolution_autocomplete.devdocs.json';
diff --git a/api_docs/kbn_securitysolution_ecs.mdx b/api_docs/kbn_securitysolution_ecs.mdx
index 72aeefeeb6ab..6b65a42bcdbe 100644
--- a/api_docs/kbn_securitysolution_ecs.mdx
+++ b/api_docs/kbn_securitysolution_ecs.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-ecs
 title: "@kbn/securitysolution-ecs"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/securitysolution-ecs plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-ecs']
 ---
 import kbnSecuritysolutionEcsObj from './kbn_securitysolution_ecs.devdocs.json';
diff --git a/api_docs/kbn_securitysolution_es_utils.mdx b/api_docs/kbn_securitysolution_es_utils.mdx
index 421935658fc3..c5fa74185786 100644
--- a/api_docs/kbn_securitysolution_es_utils.mdx
+++ b/api_docs/kbn_securitysolution_es_utils.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-es-utils
 title: "@kbn/securitysolution-es-utils"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/securitysolution-es-utils plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-es-utils']
 ---
 import kbnSecuritysolutionEsUtilsObj from './kbn_securitysolution_es_utils.devdocs.json';
diff --git a/api_docs/kbn_securitysolution_exception_list_components.devdocs.json b/api_docs/kbn_securitysolution_exception_list_components.devdocs.json
index a03c05c30692..1ba351068e14 100644
--- a/api_docs/kbn_securitysolution_exception_list_components.devdocs.json
+++ b/api_docs/kbn_securitysolution_exception_list_components.devdocs.json
@@ -834,7 +834,7 @@ "label": "formattedDateComponent", "description": [], "signature": [ - "\"symbol\" | \"object\" | \"source\" | \"desc\" | \"filter\" | \"big\" | \"link\" | \"small\" | \"sub\" | \"sup\" | \"text\" | \"map\" | \"head\" | React.ComponentType | \"meta\" | \"title\" | \"template\" | \"main\" | \"a\" | \"abbr\" | \"address\" | \"area\" | \"article\" | \"aside\" | \"audio\" | \"b\" | \"base\" | \"bdi\" | \"bdo\" | \"blockquote\" | \"body\" | \"br\" | \"button\" | \"canvas\" | \"caption\" | \"cite\" | \"code\" | \"col\" | \"colgroup\" | \"data\" | \"datalist\" | \"dd\" | \"del\" | \"details\" | \"dfn\" | \"dialog\" | \"div\" | \"dl\" | \"dt\" | \"em\" | \"embed\" | \"fieldset\" | \"figcaption\" | \"figure\" | \"footer\" | \"form\" | \"h1\" | \"h2\" | \"h3\" | \"h4\" | \"h5\" | \"h6\" | \"header\" | \"hgroup\" | \"hr\" | \"html\" | \"i\" | \"iframe\" | \"img\" | \"input\" | \"ins\" | \"kbd\" | \"keygen\" | \"label\" | \"legend\" | \"li\" | \"mark\" | \"menu\" | \"menuitem\" | \"meter\" | \"nav\" | \"noindex\" | \"noscript\" | \"ol\" | \"optgroup\" | \"option\" | \"output\" | \"p\" | \"param\" | \"picture\" | \"pre\" | \"progress\" | \"q\" | \"rp\" | \"rt\" | \"ruby\" | \"s\" | \"samp\" | \"slot\" | \"script\" | \"section\" | \"select\" | \"span\" | \"strong\" | \"style\" | \"summary\" | \"table\" | \"tbody\" | \"td\" | \"textarea\" | \"tfoot\" | \"th\" | \"thead\" | \"time\" | \"tr\" | \"track\" | \"u\" | \"ul\" | \"var\" | \"video\" | \"wbr\" | \"webview\" | \"svg\" | \"animate\" | \"animateMotion\" | \"animateTransform\" | \"circle\" | \"clipPath\" | \"defs\" | \"ellipse\" | \"feBlend\" | \"feColorMatrix\" | \"feComponentTransfer\" | \"feComposite\" | \"feConvolveMatrix\" | \"feDiffuseLighting\" | \"feDisplacementMap\" | \"feDistantLight\" | \"feDropShadow\" | \"feFlood\" | \"feFuncA\" | \"feFuncB\" | \"feFuncG\" | \"feFuncR\" | \"feGaussianBlur\" | \"feImage\" | \"feMerge\" | \"feMergeNode\" | \"feMorphology\" | \"feOffset\" | \"fePointLight\" | 
\"feSpecularLighting\" | \"feSpotLight\" | \"feTile\" | \"feTurbulence\" | \"foreignObject\" | \"g\" | \"image\" | \"line\" | \"linearGradient\" | \"marker\" | \"mask\" | \"metadata\" | \"mpath\" | \"path\" | \"pattern\" | \"polygon\" | \"polyline\" | \"radialGradient\" | \"rect\" | \"stop\" | \"switch\" | \"textPath\" | \"tspan\" | \"use\" | \"view\"" + "\"symbol\" | \"object\" | \"source\" | \"desc\" | \"filter\" | \"big\" | \"link\" | \"small\" | \"sub\" | \"sup\" | \"text\" | \"map\" | \"head\" | React.ComponentType | \"meta\" | \"pattern\" | \"title\" | \"template\" | \"main\" | \"a\" | \"abbr\" | \"address\" | \"area\" | \"article\" | \"aside\" | \"audio\" | \"b\" | \"base\" | \"bdi\" | \"bdo\" | \"blockquote\" | \"body\" | \"br\" | \"button\" | \"canvas\" | \"caption\" | \"cite\" | \"code\" | \"col\" | \"colgroup\" | \"data\" | \"datalist\" | \"dd\" | \"del\" | \"details\" | \"dfn\" | \"dialog\" | \"div\" | \"dl\" | \"dt\" | \"em\" | \"embed\" | \"fieldset\" | \"figcaption\" | \"figure\" | \"footer\" | \"form\" | \"h1\" | \"h2\" | \"h3\" | \"h4\" | \"h5\" | \"h6\" | \"header\" | \"hgroup\" | \"hr\" | \"html\" | \"i\" | \"iframe\" | \"img\" | \"input\" | \"ins\" | \"kbd\" | \"keygen\" | \"label\" | \"legend\" | \"li\" | \"mark\" | \"menu\" | \"menuitem\" | \"meter\" | \"nav\" | \"noindex\" | \"noscript\" | \"ol\" | \"optgroup\" | \"option\" | \"output\" | \"p\" | \"param\" | \"picture\" | \"pre\" | \"progress\" | \"q\" | \"rp\" | \"rt\" | \"ruby\" | \"s\" | \"samp\" | \"slot\" | \"script\" | \"section\" | \"select\" | \"span\" | \"strong\" | \"style\" | \"summary\" | \"table\" | \"tbody\" | \"td\" | \"textarea\" | \"tfoot\" | \"th\" | \"thead\" | \"time\" | \"tr\" | \"track\" | \"u\" | \"ul\" | \"var\" | \"video\" | \"wbr\" | \"webview\" | \"svg\" | \"animate\" | \"animateMotion\" | \"animateTransform\" | \"circle\" | \"clipPath\" | \"defs\" | \"ellipse\" | \"feBlend\" | \"feColorMatrix\" | \"feComponentTransfer\" | \"feComposite\" | \"feConvolveMatrix\" | 
\"feDiffuseLighting\" | \"feDisplacementMap\" | \"feDistantLight\" | \"feDropShadow\" | \"feFlood\" | \"feFuncA\" | \"feFuncB\" | \"feFuncG\" | \"feFuncR\" | \"feGaussianBlur\" | \"feImage\" | \"feMerge\" | \"feMergeNode\" | \"feMorphology\" | \"feOffset\" | \"fePointLight\" | \"feSpecularLighting\" | \"feSpotLight\" | \"feTile\" | \"feTurbulence\" | \"foreignObject\" | \"g\" | \"image\" | \"line\" | \"linearGradient\" | \"marker\" | \"mask\" | \"metadata\" | \"mpath\" | \"path\" | \"polygon\" | \"polyline\" | \"radialGradient\" | \"rect\" | \"stop\" | \"switch\" | \"textPath\" | \"tspan\" | \"use\" | \"view\"" ], "path": "packages/kbn-securitysolution-exception-list-components/src/exception_item_card/meta/index.tsx", "deprecated": false, 
@@ -848,7 +848,7 @@ "label": "securityLinkAnchorComponent", "description": [], "signature": [ - "\"symbol\" | \"object\" | \"source\" | \"desc\" | \"filter\" | \"big\" | \"link\" | \"small\" | \"sub\" | \"sup\" | \"text\" | \"map\" | \"head\" | React.ComponentType | \"meta\" | \"title\" | \"template\" | \"main\" | \"a\" | \"abbr\" | \"address\" | \"area\" | \"article\" | \"aside\" | \"audio\" | \"b\" | \"base\" | \"bdi\" | \"bdo\" | \"blockquote\" | \"body\" | \"br\" | \"button\" | \"canvas\" | \"caption\" | \"cite\" | \"code\" | \"col\" | \"colgroup\" | \"data\" | \"datalist\" | \"dd\" | \"del\" | \"details\" | \"dfn\" | \"dialog\" | \"div\" | \"dl\" | \"dt\" | \"em\" | \"embed\" | \"fieldset\" | \"figcaption\" | \"figure\" | \"footer\" | \"form\" | \"h1\" | \"h2\" | \"h3\" | \"h4\" | \"h5\" | \"h6\" | \"header\" | \"hgroup\" | \"hr\" | \"html\" | \"i\" | \"iframe\" | \"img\" | \"input\" | \"ins\" | \"kbd\" | \"keygen\" | \"label\" | \"legend\" | \"li\" | \"mark\" | \"menu\" | \"menuitem\" | \"meter\" | \"nav\" | \"noindex\" | \"noscript\" | \"ol\" | \"optgroup\" | \"option\" | \"output\" | \"p\" | \"param\" | \"picture\" | \"pre\" | \"progress\" | \"q\" | \"rp\" | \"rt\" | \"ruby\" | \"s\" | \"samp\" | \"slot\" | \"script\" | \"section\" | \"select\" | \"span\" | \"strong\" | \"style\" | \"summary\" | \"table\" | \"tbody\" | \"td\" | \"textarea\" | \"tfoot\" | \"th\" | \"thead\" | \"time\" | \"tr\" | \"track\" | \"u\" | \"ul\" | \"var\" | \"video\" | \"wbr\" | \"webview\" | \"svg\" | \"animate\" | \"animateMotion\" | \"animateTransform\" | \"circle\" | \"clipPath\" | \"defs\" | \"ellipse\" | \"feBlend\" | \"feColorMatrix\" | \"feComponentTransfer\" | \"feComposite\" | \"feConvolveMatrix\" | \"feDiffuseLighting\" | \"feDisplacementMap\" | \"feDistantLight\" | \"feDropShadow\" | \"feFlood\" | \"feFuncA\" | \"feFuncB\" | \"feFuncG\" | \"feFuncR\" | \"feGaussianBlur\" | \"feImage\" | \"feMerge\" | \"feMergeNode\" | \"feMorphology\" | \"feOffset\" | \"fePointLight\" | 
\"feSpecularLighting\" | \"feSpotLight\" | \"feTile\" | \"feTurbulence\" | \"foreignObject\" | \"g\" | \"image\" | \"line\" | \"linearGradient\" | \"marker\" | \"mask\" | \"metadata\" | \"mpath\" | \"path\" | \"pattern\" | \"polygon\" | \"polyline\" | \"radialGradient\" | \"rect\" | \"stop\" | \"switch\" | \"textPath\" | \"tspan\" | \"use\" | \"view\"" + "\"symbol\" | \"object\" | \"source\" | \"desc\" | \"filter\" | \"big\" | \"link\" | \"small\" | \"sub\" | \"sup\" | \"text\" | \"map\" | \"head\" | React.ComponentType | \"meta\" | \"pattern\" | \"title\" | \"template\" | \"main\" | \"a\" | \"abbr\" | \"address\" | \"area\" | \"article\" | \"aside\" | \"audio\" | \"b\" | \"base\" | \"bdi\" | \"bdo\" | \"blockquote\" | \"body\" | \"br\" | \"button\" | \"canvas\" | \"caption\" | \"cite\" | \"code\" | \"col\" | \"colgroup\" | \"data\" | \"datalist\" | \"dd\" | \"del\" | \"details\" | \"dfn\" | \"dialog\" | \"div\" | \"dl\" | \"dt\" | \"em\" | \"embed\" | \"fieldset\" | \"figcaption\" | \"figure\" | \"footer\" | \"form\" | \"h1\" | \"h2\" | \"h3\" | \"h4\" | \"h5\" | \"h6\" | \"header\" | \"hgroup\" | \"hr\" | \"html\" | \"i\" | \"iframe\" | \"img\" | \"input\" | \"ins\" | \"kbd\" | \"keygen\" | \"label\" | \"legend\" | \"li\" | \"mark\" | \"menu\" | \"menuitem\" | \"meter\" | \"nav\" | \"noindex\" | \"noscript\" | \"ol\" | \"optgroup\" | \"option\" | \"output\" | \"p\" | \"param\" | \"picture\" | \"pre\" | \"progress\" | \"q\" | \"rp\" | \"rt\" | \"ruby\" | \"s\" | \"samp\" | \"slot\" | \"script\" | \"section\" | \"select\" | \"span\" | \"strong\" | \"style\" | \"summary\" | \"table\" | \"tbody\" | \"td\" | \"textarea\" | \"tfoot\" | \"th\" | \"thead\" | \"time\" | \"tr\" | \"track\" | \"u\" | \"ul\" | \"var\" | \"video\" | \"wbr\" | \"webview\" | \"svg\" | \"animate\" | \"animateMotion\" | \"animateTransform\" | \"circle\" | \"clipPath\" | \"defs\" | \"ellipse\" | \"feBlend\" | \"feColorMatrix\" | \"feComponentTransfer\" | \"feComposite\" | \"feConvolveMatrix\" | 
\"feDiffuseLighting\" | \"feDisplacementMap\" | \"feDistantLight\" | \"feDropShadow\" | \"feFlood\" | \"feFuncA\" | \"feFuncB\" | \"feFuncG\" | \"feFuncR\" | \"feGaussianBlur\" | \"feImage\" | \"feMerge\" | \"feMergeNode\" | \"feMorphology\" | \"feOffset\" | \"fePointLight\" | \"feSpecularLighting\" | \"feSpotLight\" | \"feTile\" | \"feTurbulence\" | \"foreignObject\" | \"g\" | \"image\" | \"line\" | \"linearGradient\" | \"marker\" | \"mask\" | \"metadata\" | \"mpath\" | \"path\" | \"polygon\" | \"polyline\" | \"radialGradient\" | \"rect\" | \"stop\" | \"switch\" | \"textPath\" | \"tspan\" | \"use\" | \"view\"" ], "path": "packages/kbn-securitysolution-exception-list-components/src/exception_item_card/meta/index.tsx", "deprecated": false, 
@@ -987,7 +987,7 @@ "label": "securityLinkAnchorComponent", "description": [], "signature": [ - "\"symbol\" | \"object\" | \"source\" | \"desc\" | \"filter\" | \"big\" | \"link\" | \"small\" | \"sub\" | \"sup\" | \"text\" | \"map\" | \"head\" | React.ComponentType | \"meta\" | \"title\" | \"template\" | \"main\" | \"a\" | \"abbr\" | \"address\" | \"area\" | \"article\" | \"aside\" | \"audio\" | \"b\" | \"base\" | \"bdi\" | \"bdo\" | \"blockquote\" | \"body\" | \"br\" | \"button\" | \"canvas\" | \"caption\" | \"cite\" | \"code\" | \"col\" | \"colgroup\" | \"data\" | \"datalist\" | \"dd\" | \"del\" | \"details\" | \"dfn\" | \"dialog\" | \"div\" | \"dl\" | \"dt\" | \"em\" | \"embed\" | \"fieldset\" | \"figcaption\" | \"figure\" | \"footer\" | \"form\" | \"h1\" | \"h2\" | \"h3\" | \"h4\" | \"h5\" | \"h6\" | \"header\" | \"hgroup\" | \"hr\" | \"html\" | \"i\" | \"iframe\" | \"img\" | \"input\" | \"ins\" | \"kbd\" | \"keygen\" | \"label\" | \"legend\" | \"li\" | \"mark\" | \"menu\" | \"menuitem\" | \"meter\" | \"nav\" | \"noindex\" | \"noscript\" | \"ol\" | \"optgroup\" | \"option\" | \"output\" | \"p\" | \"param\" | \"picture\" | \"pre\" | \"progress\" | \"q\" | \"rp\" | \"rt\" | \"ruby\" | \"s\" | \"samp\" | \"slot\" | \"script\" | \"section\" | \"select\" | \"span\" | \"strong\" | \"style\" | \"summary\" | \"table\" | \"tbody\" | \"td\" | \"textarea\" | \"tfoot\" | \"th\" | \"thead\" | \"time\" | \"tr\" | \"track\" | \"u\" | \"ul\" | \"var\" | \"video\" | \"wbr\" | \"webview\" | \"svg\" | \"animate\" | \"animateMotion\" | \"animateTransform\" | \"circle\" | \"clipPath\" | \"defs\" | \"ellipse\" | \"feBlend\" | \"feColorMatrix\" | \"feComponentTransfer\" | \"feComposite\" | \"feConvolveMatrix\" | \"feDiffuseLighting\" | \"feDisplacementMap\" | \"feDistantLight\" | \"feDropShadow\" | \"feFlood\" | \"feFuncA\" | \"feFuncB\" | \"feFuncG\" | \"feFuncR\" | \"feGaussianBlur\" | \"feImage\" | \"feMerge\" | \"feMergeNode\" | \"feMorphology\" | \"feOffset\" | \"fePointLight\" | 
\"feSpecularLighting\" | \"feSpotLight\" | \"feTile\" | \"feTurbulence\" | \"foreignObject\" | \"g\" | \"image\" | \"line\" | \"linearGradient\" | \"marker\" | \"mask\" | \"metadata\" | \"mpath\" | \"path\" | \"pattern\" | \"polygon\" | \"polyline\" | \"radialGradient\" | \"rect\" | \"stop\" | \"switch\" | \"textPath\" | \"tspan\" | \"use\" | \"view\"" + "\"symbol\" | \"object\" | \"source\" | \"desc\" | \"filter\" | \"big\" | \"link\" | \"small\" | \"sub\" | \"sup\" | \"text\" | \"map\" | \"head\" | React.ComponentType | \"meta\" | \"pattern\" | \"title\" | \"template\" | \"main\" | \"a\" | \"abbr\" | \"address\" | \"area\" | \"article\" | \"aside\" | \"audio\" | \"b\" | \"base\" | \"bdi\" | \"bdo\" | \"blockquote\" | \"body\" | \"br\" | \"button\" | \"canvas\" | \"caption\" | \"cite\" | \"code\" | \"col\" | \"colgroup\" | \"data\" | \"datalist\" | \"dd\" | \"del\" | \"details\" | \"dfn\" | \"dialog\" | \"div\" | \"dl\" | \"dt\" | \"em\" | \"embed\" | \"fieldset\" | \"figcaption\" | \"figure\" | \"footer\" | \"form\" | \"h1\" | \"h2\" | \"h3\" | \"h4\" | \"h5\" | \"h6\" | \"header\" | \"hgroup\" | \"hr\" | \"html\" | \"i\" | \"iframe\" | \"img\" | \"input\" | \"ins\" | \"kbd\" | \"keygen\" | \"label\" | \"legend\" | \"li\" | \"mark\" | \"menu\" | \"menuitem\" | \"meter\" | \"nav\" | \"noindex\" | \"noscript\" | \"ol\" | \"optgroup\" | \"option\" | \"output\" | \"p\" | \"param\" | \"picture\" | \"pre\" | \"progress\" | \"q\" | \"rp\" | \"rt\" | \"ruby\" | \"s\" | \"samp\" | \"slot\" | \"script\" | \"section\" | \"select\" | \"span\" | \"strong\" | \"style\" | \"summary\" | \"table\" | \"tbody\" | \"td\" | \"textarea\" | \"tfoot\" | \"th\" | \"thead\" | \"time\" | \"tr\" | \"track\" | \"u\" | \"ul\" | \"var\" | \"video\" | \"wbr\" | \"webview\" | \"svg\" | \"animate\" | \"animateMotion\" | \"animateTransform\" | \"circle\" | \"clipPath\" | \"defs\" | \"ellipse\" | \"feBlend\" | \"feColorMatrix\" | \"feComponentTransfer\" | \"feComposite\" | \"feConvolveMatrix\" | 
\"feDiffuseLighting\" | \"feDisplacementMap\" | \"feDistantLight\" | \"feDropShadow\" | \"feFlood\" | \"feFuncA\" | \"feFuncB\" | \"feFuncG\" | \"feFuncR\" | \"feGaussianBlur\" | \"feImage\" | \"feMerge\" | \"feMergeNode\" | \"feMorphology\" | \"feOffset\" | \"fePointLight\" | \"feSpecularLighting\" | \"feSpotLight\" | \"feTile\" | \"feTurbulence\" | \"foreignObject\" | \"g\" | \"image\" | \"line\" | \"linearGradient\" | \"marker\" | \"mask\" | \"metadata\" | \"mpath\" | \"path\" | \"polygon\" | \"polyline\" | \"radialGradient\" | \"rect\" | \"stop\" | \"switch\" | \"textPath\" | \"tspan\" | \"use\" | \"view\"" ], "path": "packages/kbn-securitysolution-exception-list-components/src/exception_item_card/exception_item_card.tsx", "deprecated": false, 
@@ -1001,7 +1001,7 @@ "label": "formattedDateComponent", "description": [], "signature": [ - "\"symbol\" | \"object\" | \"source\" | \"desc\" | \"filter\" | \"big\" | \"link\" | \"small\" | \"sub\" | \"sup\" | \"text\" | \"map\" | \"head\" | React.ComponentType | \"meta\" | \"title\" | \"template\" | \"main\" | \"a\" | \"abbr\" | \"address\" | \"area\" | \"article\" | \"aside\" | \"audio\" | \"b\" | \"base\" | \"bdi\" | \"bdo\" | \"blockquote\" | \"body\" | \"br\" | \"button\" | \"canvas\" | \"caption\" | \"cite\" | \"code\" | \"col\" | \"colgroup\" | \"data\" | \"datalist\" | \"dd\" | \"del\" | \"details\" | \"dfn\" | \"dialog\" | \"div\" | \"dl\" | \"dt\" | \"em\" | \"embed\" | \"fieldset\" | \"figcaption\" | \"figure\" | \"footer\" | \"form\" | \"h1\" | \"h2\" | \"h3\" | \"h4\" | \"h5\" | \"h6\" | \"header\" | \"hgroup\" | \"hr\" | \"html\" | \"i\" | \"iframe\" | \"img\" | \"input\" | \"ins\" | \"kbd\" | \"keygen\" | \"label\" | \"legend\" | \"li\" | \"mark\" | \"menu\" | \"menuitem\" | \"meter\" | \"nav\" | \"noindex\" | \"noscript\" | \"ol\" | \"optgroup\" | \"option\" | \"output\" | \"p\" | \"param\" | \"picture\" | \"pre\" | \"progress\" | \"q\" | \"rp\" | \"rt\" | \"ruby\" | \"s\" | \"samp\" | \"slot\" | \"script\" | \"section\" | \"select\" | \"span\" | \"strong\" | \"style\" | \"summary\" | \"table\" | \"tbody\" | \"td\" | \"textarea\" | \"tfoot\" | \"th\" | \"thead\" | \"time\" | \"tr\" | \"track\" | \"u\" | \"ul\" | \"var\" | \"video\" | \"wbr\" | \"webview\" | \"svg\" | \"animate\" | \"animateMotion\" | \"animateTransform\" | \"circle\" | \"clipPath\" | \"defs\" | \"ellipse\" | \"feBlend\" | \"feColorMatrix\" | \"feComponentTransfer\" | \"feComposite\" | \"feConvolveMatrix\" | \"feDiffuseLighting\" | \"feDisplacementMap\" | \"feDistantLight\" | \"feDropShadow\" | \"feFlood\" | \"feFuncA\" | \"feFuncB\" | \"feFuncG\" | \"feFuncR\" | \"feGaussianBlur\" | \"feImage\" | \"feMerge\" | \"feMergeNode\" | \"feMorphology\" | \"feOffset\" | \"fePointLight\" | 
\"feSpecularLighting\" | \"feSpotLight\" | \"feTile\" | \"feTurbulence\" | \"foreignObject\" | \"g\" | \"image\" | \"line\" | \"linearGradient\" | \"marker\" | \"mask\" | \"metadata\" | \"mpath\" | \"path\" | \"pattern\" | \"polygon\" | \"polyline\" | \"radialGradient\" | \"rect\" | \"stop\" | \"switch\" | \"textPath\" | \"tspan\" | \"use\" | \"view\"" + "\"symbol\" | \"object\" | \"source\" | \"desc\" | \"filter\" | \"big\" | \"link\" | \"small\" | \"sub\" | \"sup\" | \"text\" | \"map\" | \"head\" | React.ComponentType | \"meta\" | \"pattern\" | \"title\" | \"template\" | \"main\" | \"a\" | \"abbr\" | \"address\" | \"area\" | \"article\" | \"aside\" | \"audio\" | \"b\" | \"base\" | \"bdi\" | \"bdo\" | \"blockquote\" | \"body\" | \"br\" | \"button\" | \"canvas\" | \"caption\" | \"cite\" | \"code\" | \"col\" | \"colgroup\" | \"data\" | \"datalist\" | \"dd\" | \"del\" | \"details\" | \"dfn\" | \"dialog\" | \"div\" | \"dl\" | \"dt\" | \"em\" | \"embed\" | \"fieldset\" | \"figcaption\" | \"figure\" | \"footer\" | \"form\" | \"h1\" | \"h2\" | \"h3\" | \"h4\" | \"h5\" | \"h6\" | \"header\" | \"hgroup\" | \"hr\" | \"html\" | \"i\" | \"iframe\" | \"img\" | \"input\" | \"ins\" | \"kbd\" | \"keygen\" | \"label\" | \"legend\" | \"li\" | \"mark\" | \"menu\" | \"menuitem\" | \"meter\" | \"nav\" | \"noindex\" | \"noscript\" | \"ol\" | \"optgroup\" | \"option\" | \"output\" | \"p\" | \"param\" | \"picture\" | \"pre\" | \"progress\" | \"q\" | \"rp\" | \"rt\" | \"ruby\" | \"s\" | \"samp\" | \"slot\" | \"script\" | \"section\" | \"select\" | \"span\" | \"strong\" | \"style\" | \"summary\" | \"table\" | \"tbody\" | \"td\" | \"textarea\" | \"tfoot\" | \"th\" | \"thead\" | \"time\" | \"tr\" | \"track\" | \"u\" | \"ul\" | \"var\" | \"video\" | \"wbr\" | \"webview\" | \"svg\" | \"animate\" | \"animateMotion\" | \"animateTransform\" | \"circle\" | \"clipPath\" | \"defs\" | \"ellipse\" | \"feBlend\" | \"feColorMatrix\" | \"feComponentTransfer\" | \"feComposite\" | \"feConvolveMatrix\" | 
\"feDiffuseLighting\" | \"feDisplacementMap\" | \"feDistantLight\" | \"feDropShadow\" | \"feFlood\" | \"feFuncA\" | \"feFuncB\" | \"feFuncG\" | \"feFuncR\" | \"feGaussianBlur\" | \"feImage\" | \"feMerge\" | \"feMergeNode\" | \"feMorphology\" | \"feOffset\" | \"fePointLight\" | \"feSpecularLighting\" | \"feSpotLight\" | \"feTile\" | \"feTurbulence\" | \"foreignObject\" | \"g\" | \"image\" | \"line\" | \"linearGradient\" | \"marker\" | \"mask\" | \"metadata\" | \"mpath\" | \"path\" | \"polygon\" | \"polyline\" | \"radialGradient\" | \"rect\" | \"stop\" | \"switch\" | \"textPath\" | \"tspan\" | \"use\" | \"view\"" ], "path": "packages/kbn-securitysolution-exception-list-components/src/exception_item_card/exception_item_card.tsx", "deprecated": false, diff --git a/api_docs/kbn_securitysolution_exception_list_components.mdx b/api_docs/kbn_securitysolution_exception_list_components.mdx index e71508442a46..aaf2e55c9c39 100644 --- a/api_docs/kbn_securitysolution_exception_list_components.mdx +++ b/api_docs/kbn_securitysolution_exception_list_components.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-exception-list-components title: "@kbn/securitysolution-exception-list-components" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-exception-list-components plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-exception-list-components'] --- import kbnSecuritysolutionExceptionListComponentsObj from './kbn_securitysolution_exception_list_components.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_grouping.mdx b/api_docs/kbn_securitysolution_grouping.mdx index 59c612d49c64..d978c788b261 100644 --- a/api_docs/kbn_securitysolution_grouping.mdx +++ b/api_docs/kbn_securitysolution_grouping.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-grouping
 title: "@kbn/securitysolution-grouping"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/securitysolution-grouping plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-grouping']
 ---
 import kbnSecuritysolutionGroupingObj from './kbn_securitysolution_grouping.devdocs.json';
diff --git a/api_docs/kbn_securitysolution_hook_utils.mdx b/api_docs/kbn_securitysolution_hook_utils.mdx
index 972d5e7e70ee..83c57d61de2f 100644
--- a/api_docs/kbn_securitysolution_hook_utils.mdx
+++ b/api_docs/kbn_securitysolution_hook_utils.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-hook-utils
 title: "@kbn/securitysolution-hook-utils"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/securitysolution-hook-utils plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-hook-utils']
 ---
 import kbnSecuritysolutionHookUtilsObj from './kbn_securitysolution_hook_utils.devdocs.json';
diff --git a/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx b/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx
index 9e073fcc3f81..26df351337de 100644
--- a/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx
+++ b/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-alerting-types
 title: "@kbn/securitysolution-io-ts-alerting-types"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/securitysolution-io-ts-alerting-types plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-alerting-types']
 ---
 import kbnSecuritysolutionIoTsAlertingTypesObj from './kbn_securitysolution_io_ts_alerting_types.devdocs.json';
diff --git a/api_docs/kbn_securitysolution_io_ts_list_types.mdx b/api_docs/kbn_securitysolution_io_ts_list_types.mdx
index 09656d42de7e..54e8f0392d39 100644
--- a/api_docs/kbn_securitysolution_io_ts_list_types.mdx
+++ b/api_docs/kbn_securitysolution_io_ts_list_types.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-list-types
 title: "@kbn/securitysolution-io-ts-list-types"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/securitysolution-io-ts-list-types plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-list-types']
 ---
 import kbnSecuritysolutionIoTsListTypesObj from './kbn_securitysolution_io_ts_list_types.devdocs.json';
diff --git a/api_docs/kbn_securitysolution_io_ts_types.mdx b/api_docs/kbn_securitysolution_io_ts_types.mdx
index 50a03acb8664..1923e43d38d5 100644
--- a/api_docs/kbn_securitysolution_io_ts_types.mdx
+++ b/api_docs/kbn_securitysolution_io_ts_types.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-types
 title: "@kbn/securitysolution-io-ts-types"
 image: https://source.unsplash.com/400x175/?github
 description: API docs for the @kbn/securitysolution-io-ts-types plugin
-date: 2023-03-24
+date: 2023-03-25
 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-types']
 ---
 import kbnSecuritysolutionIoTsTypesObj from './kbn_securitysolution_io_ts_types.devdocs.json';
diff --git a/api_docs/kbn_securitysolution_io_ts_utils.mdx b/api_docs/kbn_securitysolution_io_ts_utils.mdx
index 81673503d0b4..4d8345037827 100644
--- a/api_docs/kbn_securitysolution_io_ts_utils.mdx
+++ b/api_docs/kbn_securitysolution_io_ts_utils.mdx
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-utils title: "@kbn/securitysolution-io-ts-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-io-ts-utils plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-utils'] --- import kbnSecuritysolutionIoTsUtilsObj from './kbn_securitysolution_io_ts_utils.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_list_api.mdx b/api_docs/kbn_securitysolution_list_api.mdx index f245ba41922d..e4c1acb3d73c 100644 --- a/api_docs/kbn_securitysolution_list_api.mdx +++ b/api_docs/kbn_securitysolution_list_api.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-api title: "@kbn/securitysolution-list-api" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-api plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-api'] --- import kbnSecuritysolutionListApiObj from './kbn_securitysolution_list_api.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_list_constants.mdx b/api_docs/kbn_securitysolution_list_constants.mdx index b277a4b449a3..a7e7f5763e9f 100644 --- a/api_docs/kbn_securitysolution_list_constants.mdx +++ b/api_docs/kbn_securitysolution_list_constants.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-constants title: "@kbn/securitysolution-list-constants" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-constants plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-constants'] --- import kbnSecuritysolutionListConstantsObj from './kbn_securitysolution_list_constants.devdocs.json'; 
diff --git a/api_docs/kbn_securitysolution_list_hooks.mdx b/api_docs/kbn_securitysolution_list_hooks.mdx index 56ffb4778139..b44ba57ffc74 100644 --- a/api_docs/kbn_securitysolution_list_hooks.mdx +++ b/api_docs/kbn_securitysolution_list_hooks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-hooks title: "@kbn/securitysolution-list-hooks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-hooks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-hooks'] --- import kbnSecuritysolutionListHooksObj from './kbn_securitysolution_list_hooks.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_list_utils.mdx b/api_docs/kbn_securitysolution_list_utils.mdx index 145cbc1f7544..940342d2c0bd 100644 --- a/api_docs/kbn_securitysolution_list_utils.mdx +++ b/api_docs/kbn_securitysolution_list_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-utils title: "@kbn/securitysolution-list-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-utils plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-utils'] --- import kbnSecuritysolutionListUtilsObj from './kbn_securitysolution_list_utils.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_rules.mdx b/api_docs/kbn_securitysolution_rules.mdx index 4285f70087d2..d0d903532ff6 100644 --- a/api_docs/kbn_securitysolution_rules.mdx +++ b/api_docs/kbn_securitysolution_rules.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-rules title: "@kbn/securitysolution-rules" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-rules plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-rules'] --- import kbnSecuritysolutionRulesObj from './kbn_securitysolution_rules.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_t_grid.mdx b/api_docs/kbn_securitysolution_t_grid.mdx index ea0bc591a9c8..8b574516b8a8 100644 --- a/api_docs/kbn_securitysolution_t_grid.mdx +++ b/api_docs/kbn_securitysolution_t_grid.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-t-grid title: "@kbn/securitysolution-t-grid" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-t-grid plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-t-grid'] --- import kbnSecuritysolutionTGridObj from './kbn_securitysolution_t_grid.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_utils.mdx b/api_docs/kbn_securitysolution_utils.mdx index b6397c543f91..c8c952becad1 100644 --- a/api_docs/kbn_securitysolution_utils.mdx +++ b/api_docs/kbn_securitysolution_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-utils title: "@kbn/securitysolution-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-utils plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-utils'] --- import kbnSecuritysolutionUtilsObj from './kbn_securitysolution_utils.devdocs.json'; diff --git a/api_docs/kbn_server_http_tools.mdx b/api_docs/kbn_server_http_tools.mdx index ef7b2fad139f..f6ecc03d3c0e 100644 --- a/api_docs/kbn_server_http_tools.mdx +++ b/api_docs/kbn_server_http_tools.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-server-http-tools title: "@kbn/server-http-tools" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/server-http-tools plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/server-http-tools'] --- import kbnServerHttpToolsObj from './kbn_server_http_tools.devdocs.json'; diff --git a/api_docs/kbn_server_route_repository.mdx b/api_docs/kbn_server_route_repository.mdx index d0c15e92527b..749d3d56c430 100644 --- a/api_docs/kbn_server_route_repository.mdx +++ b/api_docs/kbn_server_route_repository.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-server-route-repository title: "@kbn/server-route-repository" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/server-route-repository plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/server-route-repository'] --- import kbnServerRouteRepositoryObj from './kbn_server_route_repository.devdocs.json'; diff --git a/api_docs/kbn_shared_svg.mdx b/api_docs/kbn_shared_svg.mdx index 9fd361e7cab0..41cf335bc5b5 100644 --- a/api_docs/kbn_shared_svg.mdx +++ b/api_docs/kbn_shared_svg.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-svg title: "@kbn/shared-svg" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-svg plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-svg'] --- import kbnSharedSvgObj from './kbn_shared_svg.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_avatar_solution.mdx b/api_docs/kbn_shared_ux_avatar_solution.mdx index 49380f55eaa2..8cd36a058a74 100644 --- a/api_docs/kbn_shared_ux_avatar_solution.mdx +++ b/api_docs/kbn_shared_ux_avatar_solution.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-avatar-solution title: "@kbn/shared-ux-avatar-solution" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-avatar-solution plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-avatar-solution'] --- import kbnSharedUxAvatarSolutionObj from './kbn_shared_ux_avatar_solution.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_avatar_user_profile_components.mdx b/api_docs/kbn_shared_ux_avatar_user_profile_components.mdx index a068dceb7db0..43b5a67de8ca 100644 --- a/api_docs/kbn_shared_ux_avatar_user_profile_components.mdx +++ b/api_docs/kbn_shared_ux_avatar_user_profile_components.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-avatar-user-profile-components title: "@kbn/shared-ux-avatar-user-profile-components" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-avatar-user-profile-components plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-avatar-user-profile-components'] --- import kbnSharedUxAvatarUserProfileComponentsObj from './kbn_shared_ux_avatar_user_profile_components.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_button_exit_full_screen.mdx b/api_docs/kbn_shared_ux_button_exit_full_screen.mdx index 8d72ab999715..0cab0389b024 100644 --- a/api_docs/kbn_shared_ux_button_exit_full_screen.mdx +++ b/api_docs/kbn_shared_ux_button_exit_full_screen.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-button-exit-full-screen title: "@kbn/shared-ux-button-exit-full-screen" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-button-exit-full-screen plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-button-exit-full-screen'] --- import kbnSharedUxButtonExitFullScreenObj from './kbn_shared_ux_button_exit_full_screen.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx b/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx index 8d1421db00cb..c7be6cb18e32 100644 --- a/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx +++ b/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-button-exit-full-screen-mocks title: "@kbn/shared-ux-button-exit-full-screen-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-button-exit-full-screen-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-button-exit-full-screen-mocks'] --- import kbnSharedUxButtonExitFullScreenMocksObj from './kbn_shared_ux_button_exit_full_screen_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_button_toolbar.mdx b/api_docs/kbn_shared_ux_button_toolbar.mdx index fadfa5947cef..a220ce4e1ae8 100644 --- a/api_docs/kbn_shared_ux_button_toolbar.mdx +++ b/api_docs/kbn_shared_ux_button_toolbar.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-button-toolbar title: "@kbn/shared-ux-button-toolbar" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-button-toolbar plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-button-toolbar'] --- import kbnSharedUxButtonToolbarObj from './kbn_shared_ux_button_toolbar.devdocs.json'; 
diff --git a/api_docs/kbn_shared_ux_card_no_data.mdx b/api_docs/kbn_shared_ux_card_no_data.mdx index 018b5642a231..99231b90b083 100644 --- a/api_docs/kbn_shared_ux_card_no_data.mdx +++ b/api_docs/kbn_shared_ux_card_no_data.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-card-no-data title: "@kbn/shared-ux-card-no-data" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-card-no-data plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-card-no-data'] --- import kbnSharedUxCardNoDataObj from './kbn_shared_ux_card_no_data.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_card_no_data_mocks.mdx b/api_docs/kbn_shared_ux_card_no_data_mocks.mdx index 0c2abad1bdfe..af6e7a1bec59 100644 --- a/api_docs/kbn_shared_ux_card_no_data_mocks.mdx +++ b/api_docs/kbn_shared_ux_card_no_data_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-card-no-data-mocks title: "@kbn/shared-ux-card-no-data-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-card-no-data-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-card-no-data-mocks'] --- import kbnSharedUxCardNoDataMocksObj from './kbn_shared_ux_card_no_data_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_context.mdx b/api_docs/kbn_shared_ux_file_context.mdx index b895d964696c..ac07b24036aa 100644 --- a/api_docs/kbn_shared_ux_file_context.mdx +++ b/api_docs/kbn_shared_ux_file_context.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-context title: "@kbn/shared-ux-file-context" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-context plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-context'] --- import kbnSharedUxFileContextObj from './kbn_shared_ux_file_context.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_image.mdx b/api_docs/kbn_shared_ux_file_image.mdx index 1567a2d6d9d8..639b40c29ad0 100644 --- a/api_docs/kbn_shared_ux_file_image.mdx +++ b/api_docs/kbn_shared_ux_file_image.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-image title: "@kbn/shared-ux-file-image" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-image plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-image'] --- import kbnSharedUxFileImageObj from './kbn_shared_ux_file_image.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_image_mocks.mdx b/api_docs/kbn_shared_ux_file_image_mocks.mdx index 183b3c7f2219..f351b72c77cb 100644 --- a/api_docs/kbn_shared_ux_file_image_mocks.mdx +++ b/api_docs/kbn_shared_ux_file_image_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-image-mocks title: "@kbn/shared-ux-file-image-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-image-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-image-mocks'] --- import kbnSharedUxFileImageMocksObj from './kbn_shared_ux_file_image_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_mocks.mdx b/api_docs/kbn_shared_ux_file_mocks.mdx index dd2ddf5655f3..95829dfe6460 100644 --- a/api_docs/kbn_shared_ux_file_mocks.mdx +++ b/api_docs/kbn_shared_ux_file_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-mocks title: "@kbn/shared-ux-file-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-mocks'] --- import kbnSharedUxFileMocksObj from './kbn_shared_ux_file_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_picker.mdx b/api_docs/kbn_shared_ux_file_picker.mdx index d1d9be6242d6..a08d8491a9be 100644 --- a/api_docs/kbn_shared_ux_file_picker.mdx +++ b/api_docs/kbn_shared_ux_file_picker.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-picker title: "@kbn/shared-ux-file-picker" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-picker plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-picker'] --- import kbnSharedUxFilePickerObj from './kbn_shared_ux_file_picker.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_types.mdx b/api_docs/kbn_shared_ux_file_types.mdx index 2dfaf6ee9d17..7e89eb52452c 100644 --- a/api_docs/kbn_shared_ux_file_types.mdx +++ b/api_docs/kbn_shared_ux_file_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-types title: "@kbn/shared-ux-file-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-types plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-types'] --- import kbnSharedUxFileTypesObj from './kbn_shared_ux_file_types.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_upload.mdx b/api_docs/kbn_shared_ux_file_upload.mdx index 7af40d5ac306..94cdd2f9ad11 100644 --- a/api_docs/kbn_shared_ux_file_upload.mdx +++ b/api_docs/kbn_shared_ux_file_upload.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-upload title: "@kbn/shared-ux-file-upload" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-upload plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-upload'] --- import kbnSharedUxFileUploadObj from './kbn_shared_ux_file_upload.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_util.mdx b/api_docs/kbn_shared_ux_file_util.mdx index 0e094ac3d488..3e2d790516b0 100644 --- a/api_docs/kbn_shared_ux_file_util.mdx +++ b/api_docs/kbn_shared_ux_file_util.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-util title: "@kbn/shared-ux-file-util" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-util plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-util'] --- import kbnSharedUxFileUtilObj from './kbn_shared_ux_file_util.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_link_redirect_app.mdx b/api_docs/kbn_shared_ux_link_redirect_app.mdx index 5b3ba4399d2c..be7562389720 100644 --- a/api_docs/kbn_shared_ux_link_redirect_app.mdx +++ b/api_docs/kbn_shared_ux_link_redirect_app.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-link-redirect-app title: "@kbn/shared-ux-link-redirect-app" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-link-redirect-app plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-link-redirect-app'] --- import kbnSharedUxLinkRedirectAppObj from './kbn_shared_ux_link_redirect_app.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx b/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx index 13ac572a3130..cc50d66f9ce2 100644 --- a/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx 
+++ b/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-link-redirect-app-mocks title: "@kbn/shared-ux-link-redirect-app-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-link-redirect-app-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-link-redirect-app-mocks'] --- import kbnSharedUxLinkRedirectAppMocksObj from './kbn_shared_ux_link_redirect_app_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_markdown.mdx b/api_docs/kbn_shared_ux_markdown.mdx index 974b15ef1596..01341d440a21 100644 --- a/api_docs/kbn_shared_ux_markdown.mdx +++ b/api_docs/kbn_shared_ux_markdown.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-markdown title: "@kbn/shared-ux-markdown" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-markdown plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-markdown'] --- import kbnSharedUxMarkdownObj from './kbn_shared_ux_markdown.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_markdown_mocks.mdx b/api_docs/kbn_shared_ux_markdown_mocks.mdx index 57933fd240af..5c55615680eb 100644 --- a/api_docs/kbn_shared_ux_markdown_mocks.mdx +++ b/api_docs/kbn_shared_ux_markdown_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-markdown-mocks title: "@kbn/shared-ux-markdown-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-markdown-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-markdown-mocks'] --- import kbnSharedUxMarkdownMocksObj from './kbn_shared_ux_markdown_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_analytics_no_data.mdx b/api_docs/kbn_shared_ux_page_analytics_no_data.mdx index beb2d701fb13..ea1624c6b8b4 100644 
--- a/api_docs/kbn_shared_ux_page_analytics_no_data.mdx +++ b/api_docs/kbn_shared_ux_page_analytics_no_data.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-analytics-no-data title: "@kbn/shared-ux-page-analytics-no-data" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-analytics-no-data plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-analytics-no-data'] --- import kbnSharedUxPageAnalyticsNoDataObj from './kbn_shared_ux_page_analytics_no_data.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx b/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx index 8a710409aabb..ab134aabf484 100644 --- a/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-analytics-no-data-mocks title: "@kbn/shared-ux-page-analytics-no-data-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-analytics-no-data-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-analytics-no-data-mocks'] --- import kbnSharedUxPageAnalyticsNoDataMocksObj from './kbn_shared_ux_page_analytics_no_data_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_kibana_no_data.mdx b/api_docs/kbn_shared_ux_page_kibana_no_data.mdx index 80600f372006..4dd9720f571e 100644 --- a/api_docs/kbn_shared_ux_page_kibana_no_data.mdx +++ b/api_docs/kbn_shared_ux_page_kibana_no_data.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-kibana-no-data title: "@kbn/shared-ux-page-kibana-no-data" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-kibana-no-data plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-kibana-no-data'] --- import kbnSharedUxPageKibanaNoDataObj from './kbn_shared_ux_page_kibana_no_data.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx b/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx index 38803d12ad24..02908f373f1b 100644 --- a/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-kibana-no-data-mocks title: "@kbn/shared-ux-page-kibana-no-data-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-kibana-no-data-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-kibana-no-data-mocks'] --- import kbnSharedUxPageKibanaNoDataMocksObj from './kbn_shared_ux_page_kibana_no_data_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_kibana_template.mdx b/api_docs/kbn_shared_ux_page_kibana_template.mdx index 0d269f05e607..b922c4f96c6e 100644 --- a/api_docs/kbn_shared_ux_page_kibana_template.mdx +++ b/api_docs/kbn_shared_ux_page_kibana_template.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-kibana-template title: "@kbn/shared-ux-page-kibana-template" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-kibana-template plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-kibana-template'] --- import kbnSharedUxPageKibanaTemplateObj from './kbn_shared_ux_page_kibana_template.devdocs.json'; 
diff --git a/api_docs/kbn_shared_ux_page_kibana_template_mocks.mdx b/api_docs/kbn_shared_ux_page_kibana_template_mocks.mdx index 4211443951d5..ee9285220dac 100644 --- a/api_docs/kbn_shared_ux_page_kibana_template_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_kibana_template_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-kibana-template-mocks title: "@kbn/shared-ux-page-kibana-template-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-kibana-template-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-kibana-template-mocks'] --- import kbnSharedUxPageKibanaTemplateMocksObj from './kbn_shared_ux_page_kibana_template_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_no_data.mdx b/api_docs/kbn_shared_ux_page_no_data.mdx index 208627563078..9972e83b4e4f 100644 --- a/api_docs/kbn_shared_ux_page_no_data.mdx +++ b/api_docs/kbn_shared_ux_page_no_data.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-no-data title: "@kbn/shared-ux-page-no-data" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-no-data plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-no-data'] --- import kbnSharedUxPageNoDataObj from './kbn_shared_ux_page_no_data.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_no_data_config.mdx b/api_docs/kbn_shared_ux_page_no_data_config.mdx index 5144ac935dd1..e540bf5b767a 100644 --- a/api_docs/kbn_shared_ux_page_no_data_config.mdx +++ b/api_docs/kbn_shared_ux_page_no_data_config.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-no-data-config title: "@kbn/shared-ux-page-no-data-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-no-data-config plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-no-data-config'] --- import kbnSharedUxPageNoDataConfigObj from './kbn_shared_ux_page_no_data_config.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_no_data_config_mocks.mdx b/api_docs/kbn_shared_ux_page_no_data_config_mocks.mdx index b5a20ccbbb40..e9466064e690 100644 --- a/api_docs/kbn_shared_ux_page_no_data_config_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_no_data_config_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-no-data-config-mocks title: "@kbn/shared-ux-page-no-data-config-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-no-data-config-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-no-data-config-mocks'] --- import kbnSharedUxPageNoDataConfigMocksObj from './kbn_shared_ux_page_no_data_config_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_no_data_mocks.mdx b/api_docs/kbn_shared_ux_page_no_data_mocks.mdx index 8bf9a9928a45..755743cdd4a1 100644 --- a/api_docs/kbn_shared_ux_page_no_data_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_no_data_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-no-data-mocks title: "@kbn/shared-ux-page-no-data-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-no-data-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-no-data-mocks'] --- import kbnSharedUxPageNoDataMocksObj from './kbn_shared_ux_page_no_data_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_shared_ux_page_solution_nav.mdx b/api_docs/kbn_shared_ux_page_solution_nav.mdx index 86756629c36c..1129b5854c92 100644 --- a/api_docs/kbn_shared_ux_page_solution_nav.mdx +++ b/api_docs/kbn_shared_ux_page_solution_nav.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-solution-nav title: "@kbn/shared-ux-page-solution-nav" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-solution-nav plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-solution-nav'] --- import kbnSharedUxPageSolutionNavObj from './kbn_shared_ux_page_solution_nav.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_prompt_no_data_views.mdx b/api_docs/kbn_shared_ux_prompt_no_data_views.mdx index 1c2a67f63817..a23265284cc2 100644 --- a/api_docs/kbn_shared_ux_prompt_no_data_views.mdx +++ b/api_docs/kbn_shared_ux_prompt_no_data_views.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-prompt-no-data-views title: "@kbn/shared-ux-prompt-no-data-views" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-prompt-no-data-views plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-prompt-no-data-views'] --- import kbnSharedUxPromptNoDataViewsObj from './kbn_shared_ux_prompt_no_data_views.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx b/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx index a966f0765a34..522e780b6941 100644 --- a/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx +++ b/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-prompt-no-data-views-mocks title: "@kbn/shared-ux-prompt-no-data-views-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-prompt-no-data-views-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-prompt-no-data-views-mocks'] --- import kbnSharedUxPromptNoDataViewsMocksObj from './kbn_shared_ux_prompt_no_data_views_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_prompt_not_found.mdx b/api_docs/kbn_shared_ux_prompt_not_found.mdx index 4580e07e2640..cb3608fb8147 100644 --- a/api_docs/kbn_shared_ux_prompt_not_found.mdx +++ b/api_docs/kbn_shared_ux_prompt_not_found.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-prompt-not-found title: "@kbn/shared-ux-prompt-not-found" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-prompt-not-found plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-prompt-not-found'] --- import kbnSharedUxPromptNotFoundObj from './kbn_shared_ux_prompt_not_found.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_router.mdx b/api_docs/kbn_shared_ux_router.mdx index 16e9193a7461..d372e321999e 100644 --- a/api_docs/kbn_shared_ux_router.mdx +++ b/api_docs/kbn_shared_ux_router.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-router title: "@kbn/shared-ux-router" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-router plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-router'] --- import kbnSharedUxRouterObj from './kbn_shared_ux_router.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_router_mocks.mdx b/api_docs/kbn_shared_ux_router_mocks.mdx index c1e21460c8b1..2bf46615c2a2 100644 --- a/api_docs/kbn_shared_ux_router_mocks.mdx 
+++ b/api_docs/kbn_shared_ux_router_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-router-mocks title: "@kbn/shared-ux-router-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-router-mocks plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-router-mocks'] --- import kbnSharedUxRouterMocksObj from './kbn_shared_ux_router_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_storybook_config.mdx b/api_docs/kbn_shared_ux_storybook_config.mdx index 630ad588d5ff..69140a652e09 100644 --- a/api_docs/kbn_shared_ux_storybook_config.mdx +++ b/api_docs/kbn_shared_ux_storybook_config.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-storybook-config title: "@kbn/shared-ux-storybook-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-storybook-config plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-storybook-config'] --- import kbnSharedUxStorybookConfigObj from './kbn_shared_ux_storybook_config.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_storybook_mock.mdx b/api_docs/kbn_shared_ux_storybook_mock.mdx index fe488d0198ab..ff23d7997e1f 100644 --- a/api_docs/kbn_shared_ux_storybook_mock.mdx +++ b/api_docs/kbn_shared_ux_storybook_mock.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-storybook-mock title: "@kbn/shared-ux-storybook-mock" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-storybook-mock plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-storybook-mock'] --- import kbnSharedUxStorybookMockObj from './kbn_shared_ux_storybook_mock.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_utility.mdx b/api_docs/kbn_shared_ux_utility.mdx index 6858650192b0..0c7f3ad4e35a 100644 
--- a/api_docs/kbn_shared_ux_utility.mdx +++ b/api_docs/kbn_shared_ux_utility.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-utility title: "@kbn/shared-ux-utility" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-utility plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-utility'] --- import kbnSharedUxUtilityObj from './kbn_shared_ux_utility.devdocs.json'; diff --git a/api_docs/kbn_slo_schema.mdx b/api_docs/kbn_slo_schema.mdx index 2364eb9278e8..82b6cae1ae52 100644 --- a/api_docs/kbn_slo_schema.mdx +++ b/api_docs/kbn_slo_schema.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-slo-schema title: "@kbn/slo-schema" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/slo-schema plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/slo-schema'] --- import kbnSloSchemaObj from './kbn_slo_schema.devdocs.json'; diff --git a/api_docs/kbn_some_dev_log.mdx b/api_docs/kbn_some_dev_log.mdx index 433df0361bf4..7080a28d3bca 100644 --- a/api_docs/kbn_some_dev_log.mdx +++ b/api_docs/kbn_some_dev_log.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-some-dev-log title: "@kbn/some-dev-log" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/some-dev-log plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/some-dev-log'] --- import kbnSomeDevLogObj from './kbn_some_dev_log.devdocs.json'; diff --git a/api_docs/kbn_std.mdx b/api_docs/kbn_std.mdx index 05b4aeaefef0..d12b41feeac7 100644 --- a/api_docs/kbn_std.mdx +++ b/api_docs/kbn_std.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-std title: "@kbn/std" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/std plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/std'] --- import kbnStdObj from './kbn_std.devdocs.json'; diff --git a/api_docs/kbn_stdio_dev_helpers.mdx b/api_docs/kbn_stdio_dev_helpers.mdx index c8e3f401c3ea..1e0775938c03 100644 --- a/api_docs/kbn_stdio_dev_helpers.mdx +++ b/api_docs/kbn_stdio_dev_helpers.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-stdio-dev-helpers title: "@kbn/stdio-dev-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/stdio-dev-helpers plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/stdio-dev-helpers'] --- import kbnStdioDevHelpersObj from './kbn_stdio_dev_helpers.devdocs.json'; diff --git a/api_docs/kbn_storybook.mdx b/api_docs/kbn_storybook.mdx index a4da70ffd037..cec83c542d0d 100644 --- a/api_docs/kbn_storybook.mdx +++ b/api_docs/kbn_storybook.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-storybook title: "@kbn/storybook" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/storybook plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/storybook'] --- import kbnStorybookObj from './kbn_storybook.devdocs.json'; diff --git a/api_docs/kbn_telemetry_tools.mdx b/api_docs/kbn_telemetry_tools.mdx index 7d483ae54df1..1cba4ed23372 100644 --- a/api_docs/kbn_telemetry_tools.mdx +++ b/api_docs/kbn_telemetry_tools.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-telemetry-tools title: "@kbn/telemetry-tools" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/telemetry-tools plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/telemetry-tools'] --- import kbnTelemetryToolsObj from './kbn_telemetry_tools.devdocs.json'; diff --git a/api_docs/kbn_test.mdx b/api_docs/kbn_test.mdx index 821b0a554f3e..cb918d7bb15a 100644 --- a/api_docs/kbn_test.mdx +++ b/api_docs/kbn_test.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-test title: "@kbn/test" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/test plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/test'] --- import kbnTestObj from './kbn_test.devdocs.json'; diff --git a/api_docs/kbn_test_jest_helpers.mdx b/api_docs/kbn_test_jest_helpers.mdx index 37283826239b..f4159301255c 100644 --- a/api_docs/kbn_test_jest_helpers.mdx +++ b/api_docs/kbn_test_jest_helpers.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-test-jest-helpers title: "@kbn/test-jest-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/test-jest-helpers plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/test-jest-helpers'] --- import kbnTestJestHelpersObj from './kbn_test_jest_helpers.devdocs.json'; diff --git a/api_docs/kbn_test_subj_selector.mdx b/api_docs/kbn_test_subj_selector.mdx index 68a20d5b9964..141754123ecc 100644 --- a/api_docs/kbn_test_subj_selector.mdx +++ b/api_docs/kbn_test_subj_selector.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-test-subj-selector title: "@kbn/test-subj-selector" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/test-subj-selector plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/test-subj-selector'] --- import kbnTestSubjSelectorObj from './kbn_test_subj_selector.devdocs.json'; diff --git a/api_docs/kbn_tooling_log.mdx b/api_docs/kbn_tooling_log.mdx index 1ec169137f8d..091f9f45d60e 100644 --- a/api_docs/kbn_tooling_log.mdx +++ b/api_docs/kbn_tooling_log.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-tooling-log title: "@kbn/tooling-log" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/tooling-log plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/tooling-log'] --- import kbnToolingLogObj from './kbn_tooling_log.devdocs.json'; diff --git a/api_docs/kbn_ts_projects.mdx b/api_docs/kbn_ts_projects.mdx index 1740f20d80b7..33d9419a89d1 100644 --- a/api_docs/kbn_ts_projects.mdx +++ b/api_docs/kbn_ts_projects.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ts-projects title: "@kbn/ts-projects" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ts-projects plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ts-projects'] --- import kbnTsProjectsObj from './kbn_ts_projects.devdocs.json'; diff --git a/api_docs/kbn_typed_react_router_config.mdx b/api_docs/kbn_typed_react_router_config.mdx index 40ae959ca905..c8844246e9cf 100644 --- a/api_docs/kbn_typed_react_router_config.mdx +++ b/api_docs/kbn_typed_react_router_config.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-typed-react-router-config title: "@kbn/typed-react-router-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/typed-react-router-config plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/typed-react-router-config'] --- import kbnTypedReactRouterConfigObj from './kbn_typed_react_router_config.devdocs.json'; diff --git a/api_docs/kbn_ui_actions_browser.mdx b/api_docs/kbn_ui_actions_browser.mdx index 795902e721b4..25880bc7c279 100644 --- a/api_docs/kbn_ui_actions_browser.mdx +++ b/api_docs/kbn_ui_actions_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ui-actions-browser title: "@kbn/ui-actions-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ui-actions-browser plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ui-actions-browser'] --- import kbnUiActionsBrowserObj from './kbn_ui_actions_browser.devdocs.json'; diff --git a/api_docs/kbn_ui_shared_deps_src.mdx b/api_docs/kbn_ui_shared_deps_src.mdx index 50ab84d5148b..e8973059df59 100644 --- a/api_docs/kbn_ui_shared_deps_src.mdx +++ b/api_docs/kbn_ui_shared_deps_src.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ui-shared-deps-src title: "@kbn/ui-shared-deps-src" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ui-shared-deps-src plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ui-shared-deps-src'] --- import kbnUiSharedDepsSrcObj from './kbn_ui_shared_deps_src.devdocs.json'; diff --git a/api_docs/kbn_ui_theme.mdx b/api_docs/kbn_ui_theme.mdx index ae3e0be2e623..0ac053944008 100644 --- a/api_docs/kbn_ui_theme.mdx +++ b/api_docs/kbn_ui_theme.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ui-theme title: "@kbn/ui-theme" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ui-theme plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ui-theme'] --- import kbnUiThemeObj from './kbn_ui_theme.devdocs.json'; diff --git a/api_docs/kbn_user_profile_components.mdx b/api_docs/kbn_user_profile_components.mdx index 8c53b33ec51e..3e556210155a 100644 --- a/api_docs/kbn_user_profile_components.mdx +++ b/api_docs/kbn_user_profile_components.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-user-profile-components title: "@kbn/user-profile-components" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/user-profile-components plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/user-profile-components'] --- import kbnUserProfileComponentsObj from './kbn_user_profile_components.devdocs.json'; diff --git a/api_docs/kbn_utility_types.mdx b/api_docs/kbn_utility_types.mdx index fe24c04005fa..5fae174432a6 100644 --- a/api_docs/kbn_utility_types.mdx +++ b/api_docs/kbn_utility_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-utility-types title: "@kbn/utility-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/utility-types plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/utility-types'] --- import kbnUtilityTypesObj from './kbn_utility_types.devdocs.json'; diff --git a/api_docs/kbn_utility_types_jest.mdx b/api_docs/kbn_utility_types_jest.mdx index cf9d1fdc6361..2d4e1a0f50e9 100644 --- a/api_docs/kbn_utility_types_jest.mdx +++ b/api_docs/kbn_utility_types_jest.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-utility-types-jest title: "@kbn/utility-types-jest" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/utility-types-jest plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/utility-types-jest'] --- import kbnUtilityTypesJestObj from './kbn_utility_types_jest.devdocs.json'; diff --git a/api_docs/kbn_utils.mdx b/api_docs/kbn_utils.mdx index bb4b56383e72..f929b7f6aed5 100644 --- a/api_docs/kbn_utils.mdx +++ b/api_docs/kbn_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-utils title: "@kbn/utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/utils plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/utils'] --- import kbnUtilsObj from './kbn_utils.devdocs.json'; diff --git a/api_docs/kbn_yarn_lock_validator.mdx b/api_docs/kbn_yarn_lock_validator.mdx index 87d20b2818da..4e7f491adf60 100644 --- a/api_docs/kbn_yarn_lock_validator.mdx +++ b/api_docs/kbn_yarn_lock_validator.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-yarn-lock-validator title: "@kbn/yarn-lock-validator" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/yarn-lock-validator plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/yarn-lock-validator'] --- import kbnYarnLockValidatorObj from './kbn_yarn_lock_validator.devdocs.json'; diff --git a/api_docs/kibana_overview.mdx b/api_docs/kibana_overview.mdx index 1395a1fd1e14..6026ebb40239 100644 --- a/api_docs/kibana_overview.mdx +++ b/api_docs/kibana_overview.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kibanaOverview title: "kibanaOverview" image: https://source.unsplash.com/400x175/?github description: API docs for the kibanaOverview plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kibanaOverview'] --- import kibanaOverviewObj from './kibana_overview.devdocs.json'; diff --git a/api_docs/kibana_react.mdx b/api_docs/kibana_react.mdx index 34cef706cfe0..0d7478a42119 100644 --- a/api_docs/kibana_react.mdx +++ b/api_docs/kibana_react.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kibanaReact title: "kibanaReact" image: https://source.unsplash.com/400x175/?github description: API docs for the kibanaReact plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kibanaReact'] --- import kibanaReactObj from './kibana_react.devdocs.json'; diff --git a/api_docs/kibana_utils.mdx b/api_docs/kibana_utils.mdx index 5c17373f1261..2b1e896ffc16 100644 --- a/api_docs/kibana_utils.mdx +++ b/api_docs/kibana_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kibanaUtils title: "kibanaUtils" image: https://source.unsplash.com/400x175/?github description: API docs for the kibanaUtils plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kibanaUtils'] --- import kibanaUtilsObj from './kibana_utils.devdocs.json'; diff --git a/api_docs/kubernetes_security.mdx b/api_docs/kubernetes_security.mdx index 4cd25bccbb58..54eb31b95dc3 100644 --- a/api_docs/kubernetes_security.mdx +++ b/api_docs/kubernetes_security.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kubernetesSecurity title: "kubernetesSecurity" image: https://source.unsplash.com/400x175/?github description: API docs for the kubernetesSecurity plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kubernetesSecurity'] --- import kubernetesSecurityObj from './kubernetes_security.devdocs.json'; 
diff --git a/api_docs/lens.mdx b/api_docs/lens.mdx index 811ccc766b09..de816a4350f7 100644 --- a/api_docs/lens.mdx +++ b/api_docs/lens.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/lens title: "lens" image: https://source.unsplash.com/400x175/?github description: API docs for the lens plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'lens'] --- import lensObj from './lens.devdocs.json'; diff --git a/api_docs/license_api_guard.mdx b/api_docs/license_api_guard.mdx index 209c9e02d533..8ad9ae67d29c 100644 --- a/api_docs/license_api_guard.mdx +++ b/api_docs/license_api_guard.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/licenseApiGuard title: "licenseApiGuard" image: https://source.unsplash.com/400x175/?github description: API docs for the licenseApiGuard plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'licenseApiGuard'] --- import licenseApiGuardObj from './license_api_guard.devdocs.json'; diff --git a/api_docs/license_management.mdx b/api_docs/license_management.mdx index 5c1e9e7eb0c2..45fe0ebf6171 100644 --- a/api_docs/license_management.mdx +++ b/api_docs/license_management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/licenseManagement title: "licenseManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the licenseManagement plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'licenseManagement'] --- import licenseManagementObj from './license_management.devdocs.json'; diff --git a/api_docs/licensing.mdx b/api_docs/licensing.mdx index 6d8397152d8a..b9670ee4b81c 100644 --- a/api_docs/licensing.mdx +++ b/api_docs/licensing.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/licensing title: "licensing" image: https://source.unsplash.com/400x175/?github description: API docs for the licensing plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'licensing'] --- import licensingObj from './licensing.devdocs.json'; diff --git a/api_docs/lists.mdx b/api_docs/lists.mdx index b388a1f0467b..d1b99d659c82 100644 --- a/api_docs/lists.mdx +++ b/api_docs/lists.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/lists title: "lists" image: https://source.unsplash.com/400x175/?github description: API docs for the lists plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'lists'] --- import listsObj from './lists.devdocs.json'; diff --git a/api_docs/management.mdx b/api_docs/management.mdx index ec012a367e6c..e3b0d7d79c8b 100644 --- a/api_docs/management.mdx +++ b/api_docs/management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/management title: "management" image: https://source.unsplash.com/400x175/?github description: API docs for the management plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'management'] --- import managementObj from './management.devdocs.json'; diff --git a/api_docs/maps.mdx b/api_docs/maps.mdx index f8bc3b685f8b..372d637cc7c0 100644 --- a/api_docs/maps.mdx +++ b/api_docs/maps.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/maps title: "maps" image: https://source.unsplash.com/400x175/?github description: API docs for the maps plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'maps'] --- import mapsObj from './maps.devdocs.json'; diff --git a/api_docs/maps_ems.mdx b/api_docs/maps_ems.mdx index 5ac67bcb7ee8..9916797b9291 100644 --- a/api_docs/maps_ems.mdx +++ b/api_docs/maps_ems.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/mapsEms title: "mapsEms" image: https://source.unsplash.com/400x175/?github description: API docs for the mapsEms plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'mapsEms'] --- import mapsEmsObj from './maps_ems.devdocs.json'; diff --git a/api_docs/ml.mdx b/api_docs/ml.mdx index 15e41573af59..10e160d34453 100644 --- a/api_docs/ml.mdx +++ b/api_docs/ml.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/ml title: "ml" image: https://source.unsplash.com/400x175/?github description: API docs for the ml plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'ml'] --- import mlObj from './ml.devdocs.json'; diff --git a/api_docs/monitoring.mdx b/api_docs/monitoring.mdx index 5b350801d17d..10274faa1569 100644 --- a/api_docs/monitoring.mdx +++ b/api_docs/monitoring.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/monitoring title: "monitoring" image: https://source.unsplash.com/400x175/?github description: API docs for the monitoring plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'monitoring'] --- import monitoringObj from './monitoring.devdocs.json'; diff --git a/api_docs/monitoring_collection.mdx b/api_docs/monitoring_collection.mdx index 14301d5207a8..effebf208273 100644 --- a/api_docs/monitoring_collection.mdx +++ b/api_docs/monitoring_collection.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/monitoringCollection title: "monitoringCollection" image: https://source.unsplash.com/400x175/?github description: API docs for the monitoringCollection plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'monitoringCollection'] --- import monitoringCollectionObj from './monitoring_collection.devdocs.json'; diff --git a/api_docs/navigation.mdx b/api_docs/navigation.mdx index c12692296af3..0038e4fae4c6 100644 --- a/api_docs/navigation.mdx +++ b/api_docs/navigation.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/navigation title: "navigation" image: https://source.unsplash.com/400x175/?github description: API docs for the navigation plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'navigation'] --- import navigationObj from './navigation.devdocs.json'; diff --git a/api_docs/newsfeed.mdx b/api_docs/newsfeed.mdx index 4ff9ffc4b63b..79c40578077b 100644 --- a/api_docs/newsfeed.mdx +++ b/api_docs/newsfeed.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/newsfeed title: "newsfeed" image: https://source.unsplash.com/400x175/?github description: API docs for the newsfeed plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'newsfeed'] --- import newsfeedObj from './newsfeed.devdocs.json'; diff --git a/api_docs/notifications.mdx b/api_docs/notifications.mdx index c548f6aa60ca..10e09b220a47 100644 --- a/api_docs/notifications.mdx +++ b/api_docs/notifications.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/notifications title: "notifications" image: https://source.unsplash.com/400x175/?github description: API docs for the notifications plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'notifications'] --- import notificationsObj from './notifications.devdocs.json'; diff --git a/api_docs/observability.mdx b/api_docs/observability.mdx index d263fe804696..2e6f43a6d919 100644 --- a/api_docs/observability.mdx +++ b/api_docs/observability.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/observability title: "observability" image: https://source.unsplash.com/400x175/?github description: API docs for the observability plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'observability'] --- import observabilityObj from './observability.devdocs.json'; diff --git a/api_docs/osquery.mdx b/api_docs/osquery.mdx index 89a756f2e7e5..fe9ad8cb3546 100644 --- a/api_docs/osquery.mdx 
+++ b/api_docs/osquery.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/osquery title: "osquery" image: https://source.unsplash.com/400x175/?github description: API docs for the osquery plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'osquery'] --- import osqueryObj from './osquery.devdocs.json'; diff --git a/api_docs/plugin_directory.mdx b/api_docs/plugin_directory.mdx index aa2b78339a70..f09e44748153 100644 --- a/api_docs/plugin_directory.mdx +++ b/api_docs/plugin_directory.mdx @@ -7,7 +7,7 @@ id: kibDevDocsPluginDirectory slug: /kibana-dev-docs/api-meta/plugin-api-directory title: Directory description: Directory of public APIs available through plugins or packages. -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana'] --- @@ -21,7 +21,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | API Count | Any Count | Missing comments | Missing exports | |--------------|----------|-----------------|--------| -| 68276 | 519 | 58927 | 1288 | +| 68284 | 519 | 58928 | 1288 | ## Plugin Directory 
@@ -344,8 +344,8 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 2 | 0 | 2 | 1 | | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 4 | 0 | 4 | 1 | | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 25 | 1 | 24 | 0 | -| | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 107 | 1 | 0 | 0 | -| | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 334 | 1 | 4 | 1 | +| | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 109 | 1 | 0 | 0 | +| | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 338 | 1 | 4 | 1 | | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 75 | 0 | 54 | 1 | | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 11 | 0 | 11 | 0 | | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 76 | 0 | 56 | 7 | @@ -358,7 +358,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 4 | 0 | 4 | 0 | | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 116 | 0 | 81 | 46 | | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 12 | 0 | 12 | 0 | -| | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 489 | 1 | 98 | 4 | +| | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 491 | 1 | 99 | 4 | | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 69 | 0 | 69 | 4 | | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 14 | 0 | 14 | 0 | | | [@elastic/kibana-core](https://github.com/orgs/elastic/teams/kibana-core) | - | 30 | 0 | 6 | 0 | 
diff --git a/api_docs/presentation_util.mdx b/api_docs/presentation_util.mdx index b4fae8158c81..df8ac558f850 100644 --- a/api_docs/presentation_util.mdx +++ b/api_docs/presentation_util.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/presentationUtil title: "presentationUtil" image: https://source.unsplash.com/400x175/?github description: API docs for the presentationUtil plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'presentationUtil'] --- import presentationUtilObj from './presentation_util.devdocs.json'; diff --git a/api_docs/profiling.mdx b/api_docs/profiling.mdx index 83327d24d9b3..89fb45d3a81a 100644 --- a/api_docs/profiling.mdx +++ b/api_docs/profiling.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/profiling title: "profiling" image: https://source.unsplash.com/400x175/?github description: API docs for the profiling plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'profiling'] --- import profilingObj from './profiling.devdocs.json'; diff --git a/api_docs/remote_clusters.mdx b/api_docs/remote_clusters.mdx index ce17abe83100..16ed3281e82a 100644 --- a/api_docs/remote_clusters.mdx +++ b/api_docs/remote_clusters.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/remoteClusters title: "remoteClusters" image: https://source.unsplash.com/400x175/?github description: API docs for the remoteClusters plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'remoteClusters'] --- import remoteClustersObj from './remote_clusters.devdocs.json'; diff --git a/api_docs/reporting.mdx b/api_docs/reporting.mdx index 6cdaeb5bd750..478e5b64d864 100644 --- a/api_docs/reporting.mdx +++ b/api_docs/reporting.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/reporting title: "reporting" image: https://source.unsplash.com/400x175/?github description: API docs for the reporting plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'reporting'] --- import reportingObj from './reporting.devdocs.json'; diff --git a/api_docs/rollup.mdx b/api_docs/rollup.mdx index cb0be5aa42e8..c04abd9eb74a 100644 --- a/api_docs/rollup.mdx +++ b/api_docs/rollup.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/rollup title: "rollup" image: https://source.unsplash.com/400x175/?github description: API docs for the rollup plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'rollup'] --- import rollupObj from './rollup.devdocs.json'; diff --git a/api_docs/rule_registry.mdx b/api_docs/rule_registry.mdx index f4e5a3b86326..67dd37528d0d 100644 --- a/api_docs/rule_registry.mdx +++ b/api_docs/rule_registry.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/ruleRegistry title: "ruleRegistry" image: https://source.unsplash.com/400x175/?github description: API docs for the ruleRegistry plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'ruleRegistry'] --- import ruleRegistryObj from './rule_registry.devdocs.json'; diff --git a/api_docs/runtime_fields.mdx b/api_docs/runtime_fields.mdx index ba0b6723fe62..e73e976b13d6 100644 --- a/api_docs/runtime_fields.mdx +++ b/api_docs/runtime_fields.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/runtimeFields title: "runtimeFields" image: https://source.unsplash.com/400x175/?github description: API docs for the runtimeFields plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'runtimeFields'] --- import runtimeFieldsObj from './runtime_fields.devdocs.json'; diff --git a/api_docs/saved_objects.mdx b/api_docs/saved_objects.mdx index ef79c7e2a533..d5b25a34f406 100644 --- a/api_docs/saved_objects.mdx 
+++ b/api_docs/saved_objects.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjects title: "savedObjects" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjects plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjects'] --- import savedObjectsObj from './saved_objects.devdocs.json'; diff --git a/api_docs/saved_objects_finder.mdx b/api_docs/saved_objects_finder.mdx index dbc403532f24..4627d5d17315 100644 --- a/api_docs/saved_objects_finder.mdx +++ b/api_docs/saved_objects_finder.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjectsFinder title: "savedObjectsFinder" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjectsFinder plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjectsFinder'] --- import savedObjectsFinderObj from './saved_objects_finder.devdocs.json'; diff --git a/api_docs/saved_objects_management.mdx b/api_docs/saved_objects_management.mdx index 8807512bddad..7815ff2a1cbd 100644 --- a/api_docs/saved_objects_management.mdx +++ b/api_docs/saved_objects_management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjectsManagement title: "savedObjectsManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjectsManagement plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjectsManagement'] --- import savedObjectsManagementObj from './saved_objects_management.devdocs.json'; diff --git a/api_docs/saved_objects_tagging.mdx b/api_docs/saved_objects_tagging.mdx index 5c6aa5d47a8f..5ee928ba590b 100644 --- a/api_docs/saved_objects_tagging.mdx +++ b/api_docs/saved_objects_tagging.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjectsTagging title: "savedObjectsTagging" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjectsTagging plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjectsTagging'] --- import savedObjectsTaggingObj from './saved_objects_tagging.devdocs.json'; diff --git a/api_docs/saved_objects_tagging_oss.mdx b/api_docs/saved_objects_tagging_oss.mdx index 116ea7793ef9..da7742514f09 100644 --- a/api_docs/saved_objects_tagging_oss.mdx +++ b/api_docs/saved_objects_tagging_oss.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjectsTaggingOss title: "savedObjectsTaggingOss" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjectsTaggingOss plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjectsTaggingOss'] --- import savedObjectsTaggingOssObj from './saved_objects_tagging_oss.devdocs.json'; diff --git a/api_docs/saved_search.mdx b/api_docs/saved_search.mdx index 421823d17c5e..a8288ad9f127 100644 --- a/api_docs/saved_search.mdx +++ b/api_docs/saved_search.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedSearch title: "savedSearch" image: https://source.unsplash.com/400x175/?github description: API docs for the savedSearch plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedSearch'] --- import savedSearchObj from './saved_search.devdocs.json'; diff --git a/api_docs/screenshot_mode.mdx b/api_docs/screenshot_mode.mdx index fcd292ade0a7..68ab2fdb62f5 100644 --- a/api_docs/screenshot_mode.mdx +++ b/api_docs/screenshot_mode.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/screenshotMode title: "screenshotMode" image: https://source.unsplash.com/400x175/?github description: API docs for the screenshotMode plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'screenshotMode'] --- import screenshotModeObj from './screenshot_mode.devdocs.json'; diff --git a/api_docs/screenshotting.mdx b/api_docs/screenshotting.mdx index 243e9c814700..92e4fdf2b10f 100644 --- a/api_docs/screenshotting.mdx +++ b/api_docs/screenshotting.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/screenshotting title: "screenshotting" image: https://source.unsplash.com/400x175/?github description: API docs for the screenshotting plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'screenshotting'] --- import screenshottingObj from './screenshotting.devdocs.json'; diff --git a/api_docs/security.mdx b/api_docs/security.mdx index e55bf752fa82..bf60fa2db100 100644 --- a/api_docs/security.mdx +++ b/api_docs/security.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/security title: "security" image: https://source.unsplash.com/400x175/?github description: API docs for the security plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'security'] --- import securityObj from './security.devdocs.json'; diff --git a/api_docs/security_solution.mdx b/api_docs/security_solution.mdx index 9d1e4b48f59f..37dc2bb312f2 100644 --- a/api_docs/security_solution.mdx +++ b/api_docs/security_solution.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/securitySolution title: "securitySolution" image: https://source.unsplash.com/400x175/?github description: API docs for the securitySolution plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'securitySolution'] --- import securitySolutionObj from './security_solution.devdocs.json'; 
diff --git a/api_docs/session_view.mdx b/api_docs/session_view.mdx index 05db8612d684..0e13a480bda5 100644 --- a/api_docs/session_view.mdx +++ b/api_docs/session_view.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/sessionView title: "sessionView" image: https://source.unsplash.com/400x175/?github description: API docs for the sessionView plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'sessionView'] --- import sessionViewObj from './session_view.devdocs.json'; diff --git a/api_docs/share.mdx b/api_docs/share.mdx index 2e4522a2f065..b04729a04eb9 100644 --- a/api_docs/share.mdx +++ b/api_docs/share.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/share title: "share" image: https://source.unsplash.com/400x175/?github description: API docs for the share plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'share'] --- import shareObj from './share.devdocs.json'; diff --git a/api_docs/snapshot_restore.mdx b/api_docs/snapshot_restore.mdx index 6a3139d82db1..25995eb31d24 100644 --- a/api_docs/snapshot_restore.mdx +++ b/api_docs/snapshot_restore.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/snapshotRestore title: "snapshotRestore" image: https://source.unsplash.com/400x175/?github description: API docs for the snapshotRestore plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'snapshotRestore'] --- import snapshotRestoreObj from './snapshot_restore.devdocs.json'; diff --git a/api_docs/spaces.mdx b/api_docs/spaces.mdx index 008a9b75cc6a..ac678cffaed0 100644 --- a/api_docs/spaces.mdx +++ b/api_docs/spaces.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/spaces title: "spaces" image: https://source.unsplash.com/400x175/?github description: API docs for the spaces plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'spaces'] --- import spacesObj from './spaces.devdocs.json'; 
diff --git a/api_docs/stack_alerts.mdx b/api_docs/stack_alerts.mdx index 680228492c1c..e1bf1ad9252e 100644 --- a/api_docs/stack_alerts.mdx +++ b/api_docs/stack_alerts.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/stackAlerts title: "stackAlerts" image: https://source.unsplash.com/400x175/?github description: API docs for the stackAlerts plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'stackAlerts'] --- import stackAlertsObj from './stack_alerts.devdocs.json'; diff --git a/api_docs/stack_connectors.mdx b/api_docs/stack_connectors.mdx index 7e30dd65f127..3fb236164b6c 100644 --- a/api_docs/stack_connectors.mdx +++ b/api_docs/stack_connectors.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/stackConnectors title: "stackConnectors" image: https://source.unsplash.com/400x175/?github description: API docs for the stackConnectors plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'stackConnectors'] --- import stackConnectorsObj from './stack_connectors.devdocs.json'; diff --git a/api_docs/task_manager.mdx b/api_docs/task_manager.mdx index ce180915af0d..b38c55e1211a 100644 --- a/api_docs/task_manager.mdx +++ b/api_docs/task_manager.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/taskManager title: "taskManager" image: https://source.unsplash.com/400x175/?github description: API docs for the taskManager plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'taskManager'] --- import taskManagerObj from './task_manager.devdocs.json'; diff --git a/api_docs/telemetry.mdx b/api_docs/telemetry.mdx index 7173a790a90e..81f1803f413e 100644 --- a/api_docs/telemetry.mdx +++ b/api_docs/telemetry.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetry title: "telemetry" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetry plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetry'] --- import telemetryObj from './telemetry.devdocs.json'; diff --git a/api_docs/telemetry_collection_manager.mdx b/api_docs/telemetry_collection_manager.mdx index f4af0b0e23dd..98a9c9046f58 100644 --- a/api_docs/telemetry_collection_manager.mdx +++ b/api_docs/telemetry_collection_manager.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetryCollectionManager title: "telemetryCollectionManager" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetryCollectionManager plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetryCollectionManager'] --- import telemetryCollectionManagerObj from './telemetry_collection_manager.devdocs.json'; diff --git a/api_docs/telemetry_collection_xpack.mdx b/api_docs/telemetry_collection_xpack.mdx index ac770a8b7880..9ac0a8e3fa67 100644 --- a/api_docs/telemetry_collection_xpack.mdx +++ b/api_docs/telemetry_collection_xpack.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetryCollectionXpack title: "telemetryCollectionXpack" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetryCollectionXpack plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetryCollectionXpack'] --- import telemetryCollectionXpackObj from './telemetry_collection_xpack.devdocs.json'; diff --git a/api_docs/telemetry_management_section.mdx b/api_docs/telemetry_management_section.mdx index e60774993145..eb846da162d6 100644 --- a/api_docs/telemetry_management_section.mdx +++ b/api_docs/telemetry_management_section.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetryManagementSection title: "telemetryManagementSection" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetryManagementSection plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetryManagementSection'] --- import telemetryManagementSectionObj from './telemetry_management_section.devdocs.json'; diff --git a/api_docs/threat_intelligence.mdx b/api_docs/threat_intelligence.mdx index 9d3bfeb769bb..d81e5a8bfb39 100644 --- a/api_docs/threat_intelligence.mdx +++ b/api_docs/threat_intelligence.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/threatIntelligence title: "threatIntelligence" image: https://source.unsplash.com/400x175/?github description: API docs for the threatIntelligence plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'threatIntelligence'] --- import threatIntelligenceObj from './threat_intelligence.devdocs.json'; diff --git a/api_docs/timelines.mdx b/api_docs/timelines.mdx index d834b8db1db9..f8840cc82c7c 100644 --- a/api_docs/timelines.mdx +++ b/api_docs/timelines.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/timelines title: "timelines" image: https://source.unsplash.com/400x175/?github description: API docs for the timelines plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'timelines'] --- import timelinesObj from './timelines.devdocs.json'; diff --git a/api_docs/transform.mdx b/api_docs/transform.mdx index 93e2c9faa20c..f4dd1a900713 100644 --- a/api_docs/transform.mdx +++ b/api_docs/transform.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/transform title: "transform" image: https://source.unsplash.com/400x175/?github description: API docs for the transform plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'transform'] --- import transformObj from './transform.devdocs.json'; 
diff --git a/api_docs/triggers_actions_ui.mdx b/api_docs/triggers_actions_ui.mdx index b135eb339960..9cdbcacc59b9 100644 --- a/api_docs/triggers_actions_ui.mdx +++ b/api_docs/triggers_actions_ui.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/triggersActionsUi title: "triggersActionsUi" image: https://source.unsplash.com/400x175/?github description: API docs for the triggersActionsUi plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'triggersActionsUi'] --- import triggersActionsUiObj from './triggers_actions_ui.devdocs.json'; diff --git a/api_docs/ui_actions.mdx b/api_docs/ui_actions.mdx index d517031c3c35..5d980710c436 100644 --- a/api_docs/ui_actions.mdx +++ b/api_docs/ui_actions.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/uiActions title: "uiActions" image: https://source.unsplash.com/400x175/?github description: API docs for the uiActions plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'uiActions'] --- import uiActionsObj from './ui_actions.devdocs.json'; diff --git a/api_docs/ui_actions_enhanced.mdx b/api_docs/ui_actions_enhanced.mdx index 4bdfa0a92940..ed946cb5170f 100644 --- a/api_docs/ui_actions_enhanced.mdx +++ b/api_docs/ui_actions_enhanced.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/uiActionsEnhanced title: "uiActionsEnhanced" image: https://source.unsplash.com/400x175/?github description: API docs for the uiActionsEnhanced plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'uiActionsEnhanced'] --- import uiActionsEnhancedObj from './ui_actions_enhanced.devdocs.json'; diff --git a/api_docs/unified_field_list.mdx b/api_docs/unified_field_list.mdx index 21211626b400..243cfd6a8dd0 100644 --- a/api_docs/unified_field_list.mdx +++ b/api_docs/unified_field_list.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/unifiedFieldList title: "unifiedFieldList" image: https://source.unsplash.com/400x175/?github description: API docs for the unifiedFieldList plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'unifiedFieldList'] --- import unifiedFieldListObj from './unified_field_list.devdocs.json'; diff --git a/api_docs/unified_histogram.mdx b/api_docs/unified_histogram.mdx index daf9690e19fb..6e5841d65f79 100644 --- a/api_docs/unified_histogram.mdx +++ b/api_docs/unified_histogram.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/unifiedHistogram title: "unifiedHistogram" image: https://source.unsplash.com/400x175/?github description: API docs for the unifiedHistogram plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'unifiedHistogram'] --- import unifiedHistogramObj from './unified_histogram.devdocs.json'; diff --git a/api_docs/unified_search.mdx b/api_docs/unified_search.mdx index fe015b0bfc94..3dfd3da6cd32 100644 --- a/api_docs/unified_search.mdx +++ b/api_docs/unified_search.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/unifiedSearch title: "unifiedSearch" image: https://source.unsplash.com/400x175/?github description: API docs for the unifiedSearch plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'unifiedSearch'] --- import unifiedSearchObj from './unified_search.devdocs.json'; diff --git a/api_docs/unified_search_autocomplete.mdx b/api_docs/unified_search_autocomplete.mdx index 0c68d4a7e49a..d583e67c5716 100644 --- a/api_docs/unified_search_autocomplete.mdx +++ b/api_docs/unified_search_autocomplete.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/unifiedSearch-autocomplete title: "unifiedSearch.autocomplete" image: https://source.unsplash.com/400x175/?github description: API docs for the unifiedSearch.autocomplete plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'unifiedSearch.autocomplete'] --- import unifiedSearchAutocompleteObj from './unified_search_autocomplete.devdocs.json'; diff --git a/api_docs/url_forwarding.mdx b/api_docs/url_forwarding.mdx index 54182f797ae9..9a4e76fe0db2 100644 --- a/api_docs/url_forwarding.mdx +++ b/api_docs/url_forwarding.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/urlForwarding title: "urlForwarding" image: https://source.unsplash.com/400x175/?github description: API docs for the urlForwarding plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'urlForwarding'] --- import urlForwardingObj from './url_forwarding.devdocs.json'; diff --git a/api_docs/usage_collection.mdx b/api_docs/usage_collection.mdx index 652a5e124e67..febd028ced82 100644 --- a/api_docs/usage_collection.mdx +++ b/api_docs/usage_collection.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/usageCollection title: "usageCollection" image: https://source.unsplash.com/400x175/?github description: API docs for the usageCollection plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'usageCollection'] --- import usageCollectionObj from './usage_collection.devdocs.json'; diff --git a/api_docs/ux.mdx b/api_docs/ux.mdx index 1d97a1cebb8e..28ec36ee5907 100644 --- a/api_docs/ux.mdx +++ b/api_docs/ux.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/ux title: "ux" image: https://source.unsplash.com/400x175/?github description: API docs for the ux plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'ux'] --- import uxObj from './ux.devdocs.json'; 
diff --git a/api_docs/vis_default_editor.mdx b/api_docs/vis_default_editor.mdx index e0452654b4f0..39ddadfb2cf2 100644 --- a/api_docs/vis_default_editor.mdx +++ b/api_docs/vis_default_editor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visDefaultEditor title: "visDefaultEditor" image: https://source.unsplash.com/400x175/?github description: API docs for the visDefaultEditor plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visDefaultEditor'] --- import visDefaultEditorObj from './vis_default_editor.devdocs.json'; diff --git a/api_docs/vis_type_gauge.mdx b/api_docs/vis_type_gauge.mdx index ce46a45282e8..07c757c68c9a 100644 --- a/api_docs/vis_type_gauge.mdx +++ b/api_docs/vis_type_gauge.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeGauge title: "visTypeGauge" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeGauge plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeGauge'] --- import visTypeGaugeObj from './vis_type_gauge.devdocs.json'; diff --git a/api_docs/vis_type_heatmap.mdx b/api_docs/vis_type_heatmap.mdx index 2c5cc063b559..cc7492544aad 100644 --- a/api_docs/vis_type_heatmap.mdx +++ b/api_docs/vis_type_heatmap.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeHeatmap title: "visTypeHeatmap" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeHeatmap plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeHeatmap'] --- import visTypeHeatmapObj from './vis_type_heatmap.devdocs.json'; diff --git a/api_docs/vis_type_pie.mdx b/api_docs/vis_type_pie.mdx index 4e057c16b1c1..d17c2389a325 100644 --- a/api_docs/vis_type_pie.mdx +++ b/api_docs/vis_type_pie.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypePie title: "visTypePie" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypePie plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypePie'] --- import visTypePieObj from './vis_type_pie.devdocs.json'; diff --git a/api_docs/vis_type_table.mdx b/api_docs/vis_type_table.mdx index efc70c8aac92..3c11e6cd83aa 100644 --- a/api_docs/vis_type_table.mdx +++ b/api_docs/vis_type_table.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeTable title: "visTypeTable" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeTable plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeTable'] --- import visTypeTableObj from './vis_type_table.devdocs.json'; diff --git a/api_docs/vis_type_timelion.mdx b/api_docs/vis_type_timelion.mdx index fa06e8af50b5..931ac039c172 100644 --- a/api_docs/vis_type_timelion.mdx +++ b/api_docs/vis_type_timelion.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeTimelion title: "visTypeTimelion" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeTimelion plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeTimelion'] --- import visTypeTimelionObj from './vis_type_timelion.devdocs.json'; diff --git a/api_docs/vis_type_timeseries.mdx b/api_docs/vis_type_timeseries.mdx index 7ca7d5c1e818..704ee789aadc 100644 --- a/api_docs/vis_type_timeseries.mdx +++ b/api_docs/vis_type_timeseries.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeTimeseries title: "visTypeTimeseries" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeTimeseries plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeTimeseries'] --- import visTypeTimeseriesObj from './vis_type_timeseries.devdocs.json'; 
diff --git a/api_docs/vis_type_vega.mdx b/api_docs/vis_type_vega.mdx index 78c129a02b87..2a1a7b905df8 100644 --- a/api_docs/vis_type_vega.mdx +++ b/api_docs/vis_type_vega.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeVega title: "visTypeVega" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeVega plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeVega'] --- import visTypeVegaObj from './vis_type_vega.devdocs.json'; diff --git a/api_docs/vis_type_vislib.mdx b/api_docs/vis_type_vislib.mdx index ea6923a19712..85cf9e929e75 100644 --- a/api_docs/vis_type_vislib.mdx +++ b/api_docs/vis_type_vislib.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeVislib title: "visTypeVislib" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeVislib plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeVislib'] --- import visTypeVislibObj from './vis_type_vislib.devdocs.json'; diff --git a/api_docs/vis_type_xy.mdx b/api_docs/vis_type_xy.mdx index 43d7e5551b75..61d4b6e62cde 100644 --- a/api_docs/vis_type_xy.mdx +++ b/api_docs/vis_type_xy.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeXy title: "visTypeXy" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeXy plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeXy'] --- import visTypeXyObj from './vis_type_xy.devdocs.json'; diff --git a/api_docs/visualizations.mdx b/api_docs/visualizations.mdx index 8ca53e720189..7d37cfe37788 100644 --- a/api_docs/visualizations.mdx +++ b/api_docs/visualizations.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visualizations title: "visualizations" image: https://source.unsplash.com/400x175/?github description: API docs for the visualizations plugin -date: 2023-03-24 +date: 2023-03-25 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visualizations'] --- import visualizationsObj from './visualizations.devdocs.json'; diff --git a/docs/developer/contributing/interpreting-ci-failures.asciidoc b/docs/developer/contributing/interpreting-ci-failures.asciidoc index eead720f03c6..7708c866c3a8 100644 --- a/docs/developer/contributing/interpreting-ci-failures.asciidoc +++ b/docs/developer/contributing/interpreting-ci-failures.asciidoc 
@@ -1,44 +1,34 @@ [[interpreting-ci-failures]] == Interpreting CI Failures -{kib} CI uses a Jenkins feature called "Pipelines" to automate testing of the code in pull requests and on tracked branches. Pipelines are defined within the repository via the `Jenkinsfile` at the root of the project. +{kib} CI uses a Buildkite feature called "Pipelines" to automate testing of the code in pull requests and on tracked branches. Pipelines are defined within the repository via the `Pipelines` at the `.buildkite/pipelines` folder. -More information about Jenkins Pipelines can be found link:https://jenkins.io/doc/book/pipeline/[in the Jenkins book]. +More information about Buildkite Pipelines can be found link:https://buildkite.com/docs/pipelines[in the docs]. [discrete] === Github Checks When a test fails it will be reported to Github via Github Checks. We currently bucket tests into several categories which run in parallel to make CI faster. Groups like `ciGroup{X}` get a single check in Github, and other tests like linting, or type checks, get their own checks. -Clicking the link next to the check in the conversation tab of a pull request will take you to the log output from that section of the tests. If that log output is truncated, or doesn't clearly identify what happened, you can usually get more complete information by visiting Jenkins directly. +Clicking the link next to the check in the conversation tab of a pull request will take you to the log output from that section of the tests. If that log output is truncated, or doesn't clearly identify what happened, you can usually get more complete information by visiting Buildkite directly. [discrete] -=== Viewing Job Executions in Jenkins +=== Viewing Job Executions in Kibana -To view the results of a job execution in Jenkins, either click the link in the comment left by `@elasticmachine` or search for the `kibana-ci` check in the list at the bottom of the PR. 
This link will take you to the top-level page for the specific job execution that failed. +To view the results of a job execution in Buildkite, either click the link in the comment left by `@elasticmachine` or search for the `kibana-ci` check in the list at the bottom of the PR. This link will take you to the top-level page for the specific job execution that failed. -image::images/job_view.png[Jenkins job view showing a test failure] +image::images/job_view.png[Buildkite pipeline view showing a few test failures] -1. *Git Changes:* the list of commits that were in this build which weren't in the previous build. For Pull Requests this list is calculated by comparing against the most recent Pull Request which was tested, it is not limited to build for this specific Pull Request, so it's not very useful. -2. *Test Results:* A link to the test results screen, and shortcuts to the failed tests. Functional tests capture and store the log output from each specific test, and make it visible at these links. For other test runners only the error message is visible and log output must be tracked down in the *Pipeline Steps*. -3. *Google Cloud Storage (GCS) Upload Report:* Link to the screen which lists out the artifacts uploaded to GCS during this job execution. -4. *Pipeline Steps:*: A breakdown of the pipeline that was executed, along with individual log output for each step in the pipeline. - -[discrete] -=== Viewing ciGroup/test Logs - -To view the logs for a failed specific ciGroup, jest, type checkers, linters, etc., click on the *Pipeline Steps* link in from the Job page. - -image::images/pipeline_steps_view.png[Jenkins pipeline steps screenshot] - -Scroll down the page until you find a failed step *(1)*, and then look up a few lines for the `Branch:` step to see which specific job this is. If this is the job you're looking for click the little terminal icon next to the failed step *(1)* to view the logs for that specific step in the Pipeline. +1. 
*Git commit:* the git commit that caused this build. +2. *Test Results:* A link to the test results screen, and shortcuts to the logs and jobs of the failed tests. Functional tests capture and store the log output from each specific test, and make it visible at these links. +3. *Pipeline Steps:*: A breakdown of the pipeline that was executed, along with individual log output for each step in the pipeline. [discrete] === Debugging Functional UI Test Failures -The logs in Pipeline Steps contain `Info` level logging. To debug Functional UI tests it's usually helpful to see the debug logging. You can go to the list of all tests including failures (1), or directly to the failures (2). +The logs in Pipeline Steps contain `Info` level logging. To debug Functional UI tests it's usually helpful to see the debug logging. You can go to the test failure details by clicking on the *logs* (1). -image::images/test_results.png[Jenkisn build screenshot] +image::images/test_results.png[Buildkite build screenshot] Looking at the failure, we first look at the Error and stack trace. In the example below, this test failed to find an element within the timeout; `Error: retry.try timeout: TimeoutError: Waiting for element to be located By(css selector, [data-test-subj="createSpace"])` diff --git a/docs/developer/images/job_view.png b/docs/developer/images/job_view.png index 41ceed366fa1..9308a76108c8 100644 Binary files a/docs/developer/images/job_view.png and b/docs/developer/images/job_view.png differ diff --git a/docs/developer/images/pipeline_steps_view.png b/docs/developer/images/pipeline_steps_view.png deleted file mode 100644 index cb107bc2a72f..000000000000 Binary files a/docs/developer/images/pipeline_steps_view.png and /dev/null differ diff --git a/docs/developer/images/test_results.png b/docs/developer/images/test_results.png index b685bf7e3023..763e937b8cc2 100644 Binary files a/docs/developer/images/test_results.png and b/docs/developer/images/test_results.png differ 
diff --git a/docs/user/alerting/alerting-setup.asciidoc b/docs/user/alerting/alerting-setup.asciidoc index 5217e80ed2c0..41675029e411 100644 --- a/docs/user/alerting/alerting-setup.asciidoc +++ b/docs/user/alerting/alerting-setup.asciidoc @@ -48,8 +48,10 @@ appropriate feature privileges. For example, to create rules in *{stack-manage-app} > {rules-ui}*, you must have `all` privileges for the *Management > {stack-rules-feature}* feature. To add rule actions and test connectors, you must also have `read` privileges for the *{connectors-feature}* -feature. For more information on configuring roles that provide access to -features, go to <>. +feature. To change rule settings, you must have `all` privileges for the +*Rules Settings* privilege or `all` privileges for the appropriate sub-feature +such as flapping detection. For more information on configuring roles that +provide access to features, go to <>. For details about the prerequisites for each API, refer to <>. diff --git a/docs/user/alerting/create-and-manage-rules.asciidoc b/docs/user/alerting/create-and-manage-rules.asciidoc index 86716a99f51a..b796128b95bc 100644 --- a/docs/user/alerting/create-and-manage-rules.asciidoc +++ b/docs/user/alerting/create-and-manage-rules.asciidoc @@ -11,6 +11,7 @@ central place to: * <> rules * <> including enabling/disabling, muting/unmuting, and deleting * Drill down to <> +* Configure settings that apply to all rules in the space [role="screenshot"] image:images/rules-ui.png[Example rule listing in {rules-ui}] 
@@ -127,17 +128,9 @@ time, indefinitely, or schedule single or recurring downtimes: image:images/snooze-panel.png[Snooze notifications for a rule] // NOTE: This is an autogenerated screenshot. Do not edit it directly. -When a rule is in a `snoozed` state, you can cancel or change the duration of +When a rule is in a snoozed state, you can cancel or change the duration of this state. -[float] -=== Rule status - -A rule can have one of the following statuses: - -`failed`:: The rule ran with errors. -`succeeded`:: The rule ran without errors. -`warning`:: The rule ran with some non-critical errors. [float] [[importing-and-exporting-rules]] 
@@ -160,19 +153,30 @@ image::images/rules-imported-banner.png[Rules import banner,500] [float] [[rule-details]] -=== Drill down to rule details +=== View rule details -Select a rule name from the rule listing to access the *Rule details* page, which tells you about the state of the rule and provides granular control over the actions it is taking. +You can determine the health of a rule by looking at the *Last response* column +in *{stack-manage-app}* > *{rules-ui}*. A rule can have one of the following +responses: + +`failed`:: The rule ran with errors. +`succeeded`:: The rule ran without errors. +`warning`:: The rule ran with some non-critical errors. + +Click the rule name to access a rule details page: [role="screenshot"] image::images/rule-details-alerts-active.png[Rule details page with three alerts] In this example, the rule detects when a site serves more than a threshold number of bytes in a 24 hour period. Four sites are above the threshold. These are called alerts - occurrences of the condition being detected - and the alert name, status, time of detection, and duration of the condition are shown in this view. Alerts come and go from the list depending on whether the rule conditions are met. -When an alert is created, it generates actions. If the conditions that caused the alert persist, the actions run again according to the rule notification settings. There are two common alert statuses: +When an alert is created, it generates actions. If the conditions that caused the alert persist, the actions run again according to the rule notification settings. There are three common alert statuses: + +`active`:: The conditions for the rule are met and actions should be generated according to the notification settings. +`flapping`:: The alert is switching repeatedly between active and recovered states. +`recovered`:: The conditions for the rule are no longer met and recovery actions should be generated. 
-`active`:: The conditions for the rule are met, and actions should be generated according to the notification settings. -`recovered`:: The conditions for the rule are no longer met, and recovery actions should be generated. +NOTE: The `flapping` state is possible only if you have enabled alert flapping detection in *{stack-manage-app}* > *{rules-ui}* > *Settings*. For each space, you can choose a look back window and threshold that are used to determine whether alerts are flapping. For example, you can specify that the alert must change status at least 6 times in the last 10 runs. If the rule has actions that run when the alert status changes, those actions are suppressed while the alert is flapping. You can suppress future actions for a specific alert by turning on the *Mute* toggle. If a muted alert no longer meets the rule conditions, it stays in the list to avoid generating actions if the conditions recur. You can also disable a rule, which stops it from running checks and clears any alerts it was tracking. You may want to disable rules that are not currently needed to reduce the load on {kib} and {es}. diff --git a/docs/user/alerting/images/individual-enable-disable.png b/docs/user/alerting/images/individual-enable-disable.png index dc0420feb7d4..60de6079befb 100644 Binary files a/docs/user/alerting/images/individual-enable-disable.png and b/docs/user/alerting/images/individual-enable-disable.png differ diff --git a/docs/user/alerting/images/rules-ui.png b/docs/user/alerting/images/rules-ui.png index d83bd28c699e..ba7b4db071fe 100644 Binary files a/docs/user/alerting/images/rules-ui.png and b/docs/user/alerting/images/rules-ui.png differ diff --git a/docs/user/alerting/images/snooze-panel.png b/docs/user/alerting/images/snooze-panel.png index 353f848200d9..a65bfa6bf2e6 100644 Binary files a/docs/user/alerting/images/snooze-panel.png and b/docs/user/alerting/images/snooze-panel.png differ 
diff --git a/src/plugins/console/server/lib/spec_definitions/js/aggregations.ts b/src/plugins/console/server/lib/spec_definitions/js/aggregations.ts index bb8379ab5076..33c76be0bcb8 100644 --- a/src/plugins/console/server/lib/spec_definitions/js/aggregations.ts +++ b/src/plugins/console/server/lib/spec_definitions/js/aggregations.ts @@ -164,7 +164,6 @@ const rules = { terms: { __template: { field: '', - size: 10, }, field: '{field}', size: 10, @@ -268,11 +267,11 @@ const rules = { date_histogram: { __template: { field: 'date', - interval: 'month', + fixed_interval: '1d', }, field: '{field}', - interval: { - __one_of: ['year', 'quarter', 'week', 'day', 'hour', 'minute', 'second'], + fixed_interval: { + __one_of: ['1d', '1h', '1m', '1s', '1ms'], }, min_doc_count: 0, extended_bounds: { @@ -294,7 +293,6 @@ const rules = { keyed: { __one_of: [true, false] }, pre_zone: '-01:00', post_zone: '-01:00', - pre_zone_adjust_large_interval: { __one_of: [true, false] }, factor: 1000, pre_offset: '1d', post_offset: '1d', @@ -302,7 +300,22 @@ const rules = { time_zone: '00:00', missing: '', calendar_interval: { - __one_of: ['year', 'quarter', 'week', 'day', 'hour', 'minute', 'second'], + __one_of: [ + 'year', + 'quarter', + 'month', + 'week', + 'day', + 'hour', + 'minute', + '1y', + '1q', + '1M', + '1w', + '1d', + '1h', + '1m', + ], }, }, geo_distance: { diff --git a/test/functional/services/dashboard/expectations.ts b/test/functional/services/dashboard/expectations.ts index 6e20e5b57420..266022d1a815 100644 --- a/test/functional/services/dashboard/expectations.ts +++ b/test/functional/services/dashboard/expectations.ts 
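Review bot: The new `fixed_interval` entry at the `__one_of: ['1d', '1h', '1m', '1s', '1ms']` line reads as if those five values were the only valid ones, but fixed_interval takes any integer multiple of a unit (for example `30m` or `90s`), so a maintainer extending this spec may wrongly treat such input as unsupported. A comment on that line, `// autocomplete suggestions only; fixed_interval accepts any <n><unit> with unit ms, s, m, h or d`, would make the intent clear, and the same applies to the expanded `calendar_interval` list further down, where both long (`year`) and short (`1y`) spellings are offered and `second` is dropped, presumably because calendar intervals have no seconds unit. The `date_histogram` object still carries `pre_zone`, `post_zone`, `pre_offset`, `post_offset` and `factor` next to `time_zone`; if those are legacy names the hunk could have retired them together with `pre_zone_adjust_large_interval`, but the diff does not show enough to be sure. The enclosing `const rules = {` object starts before the first hunk and ends after the last one.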
@@ -32,11 +32,42 @@ export class DashboardExpectService extends FtrService {
 }
 async visualizationsArePresent(vizList: string[]) {
- this.log.debug('Checking all visualisations are present on dashsboard');
+ this.log.debug('Checking all visualisations are present on the dashboard');
 const notLoaded = await this.dashboard.getNotLoadedVisualizations(vizList);
 expect(notLoaded).to.be.empty();
 }
+ /**
+ * Asserts that there is no error embeddables on the dashboard
+ * @throws An error if an error embeddable is present
+ */
+ async noErrorEmbeddablesPresent() {
+ this.log.debug('Ensure that there are no error embeddables on the dashboard');
+
+ const errorEmbeddables = await this.testSubjects.findAll('embeddableError');
+ if (errorEmbeddables.length > 0) {
+ const errorMessages = await Promise.all(
+ errorEmbeddables.map(async (embeddable) => {
+ const panel = await embeddable.findByXpath('./..'); // get the parent of 'embeddableError'
+ let panelTitle = 'Empty title';
+ if (await this.testSubjects.descendantExists('dashboardPanelTitle', panel)) {
+ panelTitle = await (
+ await this.testSubjects.findDescendant('dashboardPanelTitle', panel)
+ ).getVisibleText();
+ }
+ const panelError = await embeddable.getVisibleText();
+ return `${panelTitle}: "${panelError}"`;
+ })
+ );
+
+ throw new Error(
+ `Found error embeddable(s): ${errorMessages.reduce((errorString, error) => {
+ return errorString + '\n' + `\t- ${error}`;
+ }, '')}`
+ );
+ }
+ }
+
 async selectedLegendColorCount(color: string, expectedCount: number) {
 this.log.debug(`DashboardExpect.selectedLegendColorCount(${color}, ${expectedCount})`);
 await this.retry.try(async () => {
diff --git a/x-pack/plugins/alerting/server/saved_objects/migrations/8.8/index.ts b/x-pack/plugins/alerting/server/saved_objects/migrations/8.8/index.ts
index fb90230f64f6..3f6d2df5192f 100644
--- a/x-pack/plugins/alerting/server/saved_objects/migrations/8.8/index.ts
+++ b/x-pack/plugins/alerting/server/saved_objects/migrations/8.8/index.ts
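Review bot: The error message in `noErrorEmbeddablesPresent` is assembled with a `reduce` that concatenates strings, which reads harder than the equivalent map/join and hides the leading newline inside the accumulator; `` `Found error embeddable(s): ${errorMessages.map((error) => `\n\t- ${error}`).join('')}` `` produces the same text. The new TSDoc also has a grammar slip: `* Asserts that there are no error embeddables on the dashboard`. Since `findAll` is awaited unconditionally, it may be worth confirming it returns promptly (rather than waiting out a find timeout) when no `embeddableError` subject exists, so the assertion stays cheap on healthy dashboards.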
@@ -8,7 +8,7 @@ import { SavedObjectUnsanitizedDoc } from '@kbn/core-saved-objects-server';
 import { EncryptedSavedObjectsPluginSetup } from '@kbn/encrypted-saved-objects-plugin/server';
 import { v4 as uuidv4 } from 'uuid';
-import { createEsoMigration, pipeMigrations } from '../utils';
+import { createEsoMigration, isDetectionEngineAADRuleType, pipeMigrations } from '../utils';
 import { RawRule } from '../../../types';
 function addRevision(doc: SavedObjectUnsanitizedDoc): SavedObjectUnsanitizedDoc {
@@ -16,7 +16,7 @@ function addRevision(doc: SavedObjectUnsanitizedDoc): SavedObjectUnsani
 ...doc,
 attributes: {
 ...doc.attributes,
- revision: 0,
+ revision: isDetectionEngineAADRuleType(doc) ? (doc.attributes.params.version as number) : 0,
 },
 };
 }
diff --git a/x-pack/plugins/alerting/server/saved_objects/migrations/index.test.ts b/x-pack/plugins/alerting/server/saved_objects/migrations/index.test.ts
index aba9b085f70d..2cd4eb0d0521 100644
--- a/x-pack/plugins/alerting/server/saved_objects/migrations/index.test.ts
+++ b/x-pack/plugins/alerting/server/saved_objects/migrations/index.test.ts
@@ -2660,6 +2660,14 @@ describe('successful migrations', () => {
 const migratedAlert880 = migration880(rule, migrationContext);
 expect(migratedAlert880.attributes.revision).toEqual(0);
 });
+
+ test('migrates security rule version to revision', () => {
+ const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)['8.8.0'];
+
+ const rule = getMockData({ alertTypeId: ruleTypeMappings.eql, params: { version: 2 } });
+ const migratedAlert880 = migration880(rule, migrationContext);
+ expect(migratedAlert880.attributes.revision).toEqual(2);
+ });
 });
 describe('Metrics Inventory Threshold rule', () => {
diff --git a/x-pack/plugins/cases/server/telemetry/constants.ts b/x-pack/plugins/cases/server/telemetry/constants.ts
deleted file mode 100644
index 705321e3f1fa..000000000000
--- a/x-pack/plugins/cases/server/telemetry/constants.ts
+++ /dev/null
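Review bot: `addRevision` now trusts `doc.attributes.params.version` for detection-engine rule types with a bare `as number` cast, so a stored rule whose `params.version` is missing or not numeric migrates to `revision: undefined` or a string instead of a sane default, and every later revision comparison inherits that value. A runtime check keeps the type honest: `const version = doc.attributes.params?.version;` followed by `revision: isDetectionEngineAADRuleType(doc) && typeof version === 'number' ? version : 0,`. The new test in index.test.ts on this line covers only the numeric case; a companion test with `params: {}` for the same rule type would pin the fallback. The `return {` that opens the object literal in `addRevision` lies between the two hunks.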
@@ -1,13 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { GENERAL_CASES_OWNER, OBSERVABILITY_OWNER, SECURITY_SOLUTION_OWNER } from '../../common'; - -/** - * This should only be used within telemetry - */ -export const OWNERS = [OBSERVABILITY_OWNER, SECURITY_SOLUTION_OWNER, GENERAL_CASES_OWNER] as const; diff --git a/x-pack/plugins/cases/server/telemetry/index.ts b/x-pack/plugins/cases/server/telemetry/index.ts index 6cd796eca2c1..7ef14541ced0 100644 --- a/x-pack/plugins/cases/server/telemetry/index.ts +++ b/x-pack/plugins/cases/server/telemetry/index.ts @@ -14,6 +14,7 @@ import type { import { SavedObjectsErrorHelpers } from '@kbn/core/server'; import type { TaskManagerSetupContract } from '@kbn/task-manager-plugin/server'; import type { UsageCollectionSetup } from '@kbn/usage-collection-plugin/server'; +import { FILE_SO_TYPE } from '@kbn/files-plugin/common'; import { collectTelemetryData } from './collect_telemetry_data'; import { CASE_TELEMETRY_SAVED_OBJECT, @@ -42,7 +43,7 @@ export const createCasesTelemetry = async ({ }: CreateCasesTelemetryArgs) => { const getInternalSavedObjectClient = async (): Promise => { const [coreStart] = await core.getStartServices(); - return coreStart.savedObjects.createInternalRepository(SAVED_OBJECT_TYPES); + return coreStart.savedObjects.createInternalRepository([...SAVED_OBJECT_TYPES, FILE_SO_TYPE]); }; taskManager.registerTaskDefinitions({ diff --git a/x-pack/plugins/cases/server/telemetry/queries/cases.test.ts b/x-pack/plugins/cases/server/telemetry/queries/cases.test.ts index 41cbfc2a1200..ca6049885b29 100644 --- a/x-pack/plugins/cases/server/telemetry/queries/cases.test.ts +++ b/x-pack/plugins/cases/server/telemetry/queries/cases.test.ts 
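Review bot: `createInternalRepository([...SAVED_OBJECT_TYPES, FILE_SO_TYPE])` gives the cases telemetry task an internal, unscoped repository over every `file` saved object in the deployment, not only files attached to cases; the restriction to case files lives solely in the KQL filter of the telemetry query, so a later change to how this repository is used could read or modify other plugins' files without anything flagging it. A comment at the call site, `// FILE_SO_TYPE is included only so getFilesTelemetry can aggregate case-attached file sizes; this repository must stay read-only`, would record the intent, and a narrower client for the file type would be preferable if the saved-objects API offers one. The `getInternalSavedObjectClient` closure is fully visible, but `createCasesTelemetry` continues past the hunk.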
@@ -8,20 +8,25 @@ import type { SavedObjectsFindResponse } from '@kbn/core/server'; import { savedObjectsRepositoryMock, loggingSystemMock } from '@kbn/core/server/mocks'; import { ESCaseStatus } from '../../services/cases/types'; -import type { CaseAggregationResult } from '../types'; +import type { + AttachmentAggregationResult, + AttachmentFrameworkAggsResult, + CaseAggregationResult, + FileAttachmentAggregationResult, +} from '../types'; import { getCasesTelemetryData } from './cases'; +const MOCK_FIND_TOTAL = 5; +const SOLUTION_TOTAL = 1; + describe('getCasesTelemetryData', () => { describe('getCasesTelemetryData', () => { const logger = loggingSystemMock.createLogger(); const savedObjectsClient = savedObjectsRepositoryMock.create(); - const mockFind = ( - aggs: Record = {}, - so: SavedObjectsFindResponse['saved_objects'] = [] - ) => { + const mockFind = (aggs: object, so: SavedObjectsFindResponse['saved_objects'] = []) => { savedObjectsClient.find.mockResolvedValueOnce({ - total: 5, + total: MOCK_FIND_TOTAL, saved_objects: so, per_page: 1, page: 1, 
@@ -103,22 +108,100 @@ describe('getCasesTelemetryData', () => { buckets: [ { key: 'observability', - doc_count: 1, + doc_count: SOLUTION_TOTAL, }, { key: 'securitySolution', - doc_count: 1, + doc_count: SOLUTION_TOTAL, }, { key: 'cases', - doc_count: 1, + doc_count: SOLUTION_TOTAL, }, ], }, }; + const attachmentFramework: AttachmentFrameworkAggsResult = { + externalReferenceTypes: { + buckets: [ + { + doc_count: 5, + key: '.osquery', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + { + doc_count: 5, + key: '.files', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + ], + }, + persistableReferenceTypes: { + buckets: [ + { + doc_count: 5, + key: '.ml', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + { + doc_count: 5, + key: '.files', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + ], + }, + }; + + const attachmentAggsResult: AttachmentAggregationResult = { + securitySolution: { ...attachmentFramework }, + observability: { ...attachmentFramework }, + cases: { ...attachmentFramework }, + participants: { + value: 2, + }, + ...attachmentFramework, + }; + + const filesRes: FileAttachmentAggregationResult = { + securitySolution: { + averageSize: 500, + }, + observability: { + averageSize: 500, + }, + cases: { + averageSize: 500, + }, + averageSize: 500, + }; + mockFind(caseAggsResult); - mockFind({ participants: { value: 2 } }); + mockFind(attachmentAggsResult); mockFind({ references: { referenceType: { referenceAgg: { value: 3 } } } }); mockFind({ references: { referenceType: { referenceAgg: { value: 4 } } } }); mockSavedObjectResponse({ @@ -130,6 +213,7 @@ describe('getCasesTelemetryData', () => { mockSavedObjectResponse({ closed_at: '2022-03-08T12:24:11.429Z', }); + mockFind(filesRes); }; beforeEach(() => { 
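Review bot: `mockFind(filesRes)` is appended as the last `mockResolvedValueOnce`, so `mockResponse` now silently depends on the exact order in which `getCasesTelemetryData` issues its `find` calls (cases, comments, alerts, connectors, the three latest-date queries, files); a reorder of the production `Promise.all` would shift every fixture onto the wrong query with no clear failure. A comment at the top of `mockResponse`, `// order must match the find() call order in getCasesTelemetryData`, would make the coupling explicit. The `attachmentFramework` fixture here is also duplicated verbatim in utils.test.ts; a shared test helper would keep the two in sync. `mockResponse` starts before this hunk.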
@@ -139,10 +223,62 @@ describe('getCasesTelemetryData', () => { it('it returns the correct res', async () => { mockResponse(); + const attachmentFramework = (total: number, average: number) => { + return { + attachmentFramework: { + externalAttachments: [ + { + average, + maxOnACase: 10, + total, + type: '.osquery', + }, + { + average, + maxOnACase: 10, + total, + type: '.files', + }, + ], + persistableAttachments: [ + { + average, + maxOnACase: 10, + total, + type: '.ml', + }, + { + average, + maxOnACase: 10, + total, + type: '.files', + }, + ], + files: { + averageSize: 500, + average, + maxOnACase: 10, + total, + }, + }, + }; + }; + const res = await getCasesTelemetryData({ savedObjectsClient, logger }); + + const allAttachmentsTotal = 5; + const allAttachmentsAverage = allAttachmentsTotal / MOCK_FIND_TOTAL; + + const solutionAttachmentsTotal = 5; + const solutionAttachmentsAverage = solutionAttachmentsTotal / SOLUTION_TOTAL; + const solutionAttachmentFrameworkStats = attachmentFramework( + solutionAttachmentsTotal, + solutionAttachmentsAverage + ); + expect(res).toEqual({ all: { - total: 5, + total: MOCK_FIND_TOTAL, daily: 3, weekly: 2, monthly: 1, @@ -168,6 +304,7 @@ describe('getCasesTelemetryData', () => { totalWithZero: 100, totalWithAtLeastOne: 0, }, + ...attachmentFramework(allAttachmentsTotal, allAttachmentsAverage), }, main: { assignees: { @@ -175,6 +312,7 @@ describe('getCasesTelemetryData', () => { totalWithZero: 100, totalWithAtLeastOne: 0, }, + ...solutionAttachmentFrameworkStats, total: 1, daily: 3, weekly: 2, @@ -186,6 +324,7 @@ describe('getCasesTelemetryData', () => { totalWithZero: 100, totalWithAtLeastOne: 0, }, + ...solutionAttachmentFrameworkStats, total: 1, daily: 3, weekly: 2, @@ -197,6 +336,7 @@ describe('getCasesTelemetryData', () => { totalWithZero: 100, totalWithAtLeastOne: 0, }, + ...solutionAttachmentFrameworkStats, total: 1, daily: 3, weekly: 2, 
@@ -468,18 +608,311 @@ describe('getCasesTelemetryData', () => { } `); - expect(savedObjectsClient.find.mock.calls[1][0]).toEqual({ - aggs: { - participants: { - cardinality: { - field: 'cases-comments.attributes.created_by.username', + expect(savedObjectsClient.find.mock.calls[1][0]).toMatchInlineSnapshot(` + Object { + "aggs": Object { + "cases": Object { + "aggs": Object { + "externalReferenceTypes": Object { + "aggs": Object { + "references": Object { + "aggregations": Object { + "cases": Object { + "aggregations": Object { + "ids": Object { + "terms": Object { + "field": "cases-comments.references.id", + }, + }, + "max": Object { + "max_bucket": Object { + "buckets_path": "ids._count", + }, + }, + }, + "filter": Object { + "term": Object { + "cases-comments.references.type": "cases", + }, + }, + }, + }, + "nested": Object { + "path": "cases-comments.references", + }, + }, + }, + "terms": Object { + "field": "cases-comments.attributes.externalReferenceAttachmentTypeId", + }, + }, + "persistableReferenceTypes": Object { + "aggs": Object { + "references": Object { + "aggregations": Object { + "cases": Object { + "aggregations": Object { + "ids": Object { + "terms": Object { + "field": "cases-comments.references.id", + }, + }, + "max": Object { + "max_bucket": Object { + "buckets_path": "ids._count", + }, + }, + }, + "filter": Object { + "term": Object { + "cases-comments.references.type": "cases", + }, + }, + }, + }, + "nested": Object { + "path": "cases-comments.references", + }, + }, + }, + "terms": Object { + "field": "cases-comments.attributes.persistableStateAttachmentTypeId", + }, + }, + }, + "filter": Object { + "term": Object { + "cases-comments.attributes.owner": "cases", + }, + }, + }, + "externalReferenceTypes": Object { + "aggs": Object { + "references": Object { + "aggregations": Object { + "cases": Object { + "aggregations": Object { + "ids": Object { + "terms": Object { + "field": "cases-comments.references.id", + }, + }, + "max": Object { + 
"max_bucket": Object { + "buckets_path": "ids._count", + }, + }, + }, + "filter": Object { + "term": Object { + "cases-comments.references.type": "cases", + }, + }, + }, + }, + "nested": Object { + "path": "cases-comments.references", + }, + }, + }, + "terms": Object { + "field": "cases-comments.attributes.externalReferenceAttachmentTypeId", + }, + }, + "observability": Object { + "aggs": Object { + "externalReferenceTypes": Object { + "aggs": Object { + "references": Object { + "aggregations": Object { + "cases": Object { + "aggregations": Object { + "ids": Object { + "terms": Object { + "field": "cases-comments.references.id", + }, + }, + "max": Object { + "max_bucket": Object { + "buckets_path": "ids._count", + }, + }, + }, + "filter": Object { + "term": Object { + "cases-comments.references.type": "cases", + }, + }, + }, + }, + "nested": Object { + "path": "cases-comments.references", + }, + }, + }, + "terms": Object { + "field": "cases-comments.attributes.externalReferenceAttachmentTypeId", + }, + }, + "persistableReferenceTypes": Object { + "aggs": Object { + "references": Object { + "aggregations": Object { + "cases": Object { + "aggregations": Object { + "ids": Object { + "terms": Object { + "field": "cases-comments.references.id", + }, + }, + "max": Object { + "max_bucket": Object { + "buckets_path": "ids._count", + }, + }, + }, + "filter": Object { + "term": Object { + "cases-comments.references.type": "cases", + }, + }, + }, + }, + "nested": Object { + "path": "cases-comments.references", + }, + }, + }, + "terms": Object { + "field": "cases-comments.attributes.persistableStateAttachmentTypeId", + }, + }, + }, + "filter": Object { + "term": Object { + "cases-comments.attributes.owner": "observability", + }, + }, + }, + "participants": Object { + "cardinality": Object { + "field": "cases-comments.attributes.created_by.username", + }, + }, + "persistableReferenceTypes": Object { + "aggs": Object { + "references": Object { + "aggregations": Object { + 
"cases": Object { + "aggregations": Object { + "ids": Object { + "terms": Object { + "field": "cases-comments.references.id", + }, + }, + "max": Object { + "max_bucket": Object { + "buckets_path": "ids._count", + }, + }, + }, + "filter": Object { + "term": Object { + "cases-comments.references.type": "cases", + }, + }, + }, + }, + "nested": Object { + "path": "cases-comments.references", + }, + }, + }, + "terms": Object { + "field": "cases-comments.attributes.persistableStateAttachmentTypeId", + }, + }, + "securitySolution": Object { + "aggs": Object { + "externalReferenceTypes": Object { + "aggs": Object { + "references": Object { + "aggregations": Object { + "cases": Object { + "aggregations": Object { + "ids": Object { + "terms": Object { + "field": "cases-comments.references.id", + }, + }, + "max": Object { + "max_bucket": Object { + "buckets_path": "ids._count", + }, + }, + }, + "filter": Object { + "term": Object { + "cases-comments.references.type": "cases", + }, + }, + }, + }, + "nested": Object { + "path": "cases-comments.references", + }, + }, + }, + "terms": Object { + "field": "cases-comments.attributes.externalReferenceAttachmentTypeId", + }, + }, + "persistableReferenceTypes": Object { + "aggs": Object { + "references": Object { + "aggregations": Object { + "cases": Object { + "aggregations": Object { + "ids": Object { + "terms": Object { + "field": "cases-comments.references.id", + }, + }, + "max": Object { + "max_bucket": Object { + "buckets_path": "ids._count", + }, + }, + }, + "filter": Object { + "term": Object { + "cases-comments.references.type": "cases", + }, + }, + }, + }, + "nested": Object { + "path": "cases-comments.references", + }, + }, + }, + "terms": Object { + "field": "cases-comments.attributes.persistableStateAttachmentTypeId", + }, + }, + }, + "filter": Object { + "term": Object { + "cases-comments.attributes.owner": "securitySolution", + }, + }, }, }, - }, - page: 0, - perPage: 0, - type: 'cases-comments', - }); + "page": 0, + 
"perPage": 0, + "type": "cases-comments", + } + `); expect(savedObjectsClient.find.mock.calls[2][0]).toEqual({ aggs: { @@ -582,6 +1015,78 @@ describe('getCasesTelemetryData', () => { type: 'cases', }); } + + expect(savedObjectsClient.find.mock.calls[7][0]).toMatchInlineSnapshot(` + Object { + "aggs": Object { + "averageSize": Object { + "avg": Object { + "field": "file.attributes.size", + }, + }, + "cases": Object { + "aggs": Object { + "averageSize": Object { + "avg": Object { + "field": "file.attributes.size", + }, + }, + }, + "filter": Object { + "term": Object { + "file.attributes.Meta.owner": "cases", + }, + }, + }, + "observability": Object { + "aggs": Object { + "averageSize": Object { + "avg": Object { + "field": "file.attributes.size", + }, + }, + }, + "filter": Object { + "term": Object { + "file.attributes.Meta.owner": "observability", + }, + }, + }, + "securitySolution": Object { + "aggs": Object { + "averageSize": Object { + "avg": Object { + "field": "file.attributes.size", + }, + }, + }, + "filter": Object { + "term": Object { + "file.attributes.Meta.owner": "securitySolution", + }, + }, + }, + }, + "filter": Object { + "arguments": Array [ + Object { + "isQuoted": false, + "type": "literal", + "value": "file.attributes.Meta.caseId", + }, + Object { + "type": "wildcard", + "value": "@kuery-wildcard@", + }, + ], + "function": "is", + "type": "function", + }, + "page": 0, + "perPage": 0, + "type": "file", + } + `); }); }); }); diff --git a/x-pack/plugins/cases/server/telemetry/queries/cases.ts b/x-pack/plugins/cases/server/telemetry/queries/cases.ts index 128c0a09b555..0e999721ae10 100644 --- a/x-pack/plugins/cases/server/telemetry/queries/cases.ts +++ b/x-pack/plugins/cases/server/telemetry/queries/cases.ts 
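Review bot: The assertion on `savedObjectsClient.find.mock.calls[1][0]` has become a roughly 400-line inline snapshot that repeats the same nested `externalReferenceTypes`/`persistableReferenceTypes` block once per owner, which makes a regression in a single owner's filter hard to spot in review; building the expected object from a small local factory and asserting with `toEqual` would keep the intent readable on one screen. The same applies to the `calls[7]` snapshot in the second hunk on this line, where `7` is a bare call index tied to the `Promise.all` order in `getCasesTelemetryData`; a named constant such as `const FILES_FIND_CALL_INDEX = 7; // files query is issued last` would document the dependency. The `it` block enclosing these expectations starts before the first hunk.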
@@ -5,28 +5,33 @@ * 2.0. */ +import type { ISavedObjectsRepository, SavedObjectsFindResponse } from '@kbn/core/server'; +import { FILE_SO_TYPE } from '@kbn/files-plugin/common'; +import { fromKueryExpression } from '@kbn/es-query'; import { CASE_COMMENT_SAVED_OBJECT, CASE_SAVED_OBJECT, CASE_USER_ACTION_SAVED_OBJECT, + OWNERS, } from '../../../common/constants'; import { ESCaseStatus } from '../../services/cases/types'; import type { ESCaseAttributes } from '../../services/cases/types'; -import { OWNERS } from '../constants'; import type { CollectTelemetryDataParams, - Buckets, CasesTelemetry, - Cardinality, ReferencesAggregation, LatestDates, CaseAggregationResult, + AttachmentAggregationResult, + FileAttachmentAggregationResult, } from '../types'; import { findValueInBuckets, getAggregationsBuckets, + getAttachmentsFrameworkStats, getCountsAggregationQuery, getCountsFromBuckets, + getMaxBucketOnCaseAggregationQuery, getOnlyAlertsCommentsFilter, getOnlyConnectorsFilter, getReferencesAggregationQuery, @@ -52,9 +57,9 @@ export const getLatestCasesDates = async ({ ]); return { - createdAt: savedObjects?.[0].saved_objects?.[0].attributes?.created_at ?? null, - updatedAt: savedObjects?.[1].saved_objects?.[0].attributes?.updated_at ?? null, - closedAt: savedObjects?.[2].saved_objects?.[0].attributes?.closed_at ?? null, + createdAt: savedObjects?.[0]?.saved_objects?.[0]?.attributes?.created_at ?? '', + updatedAt: savedObjects?.[1]?.saved_objects?.[0]?.attributes?.updated_at ?? '', + closedAt: savedObjects?.[2]?.saved_objects?.[0]?.attributes?.closed_at ?? '', }; }; 
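Review bot: Replacing `?? null` with `?? ''` in `getLatestCasesDates` changes the value reported for deployments with no cases from `null` to an empty string, which is not a valid timestamp and will be shipped in telemetry as-is; unless the `LatestDates` type and the telemetry schema were changed to plain `string` in the same commit (not visible here), consumers that distinguish "never" from a date lose that signal. If the goal was only to satisfy a non-nullable type, consider keeping `null` in both type and schema, or document the sentinel with `// '' means no case has reached this state yet`. The added optional chaining on `savedObjects?.[0]?.saved_objects?.[0]` is a welcome robustness fix.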
@@ -62,7 +67,84 @@ export const getCasesTelemetryData = async ({ savedObjectsClient, logger, }: CollectTelemetryDataParams): Promise => { - const byOwnerAggregationQuery = OWNERS.reduce( + try { + const [casesRes, commentsRes, totalAlertsRes, totalConnectorsRes, latestDates, filesRes] = + await Promise.all([ + getCasesSavedObjectTelemetry(savedObjectsClient), + getCommentsSavedObjectTelemetry(savedObjectsClient), + getAlertsTelemetry(savedObjectsClient), + getConnectorsTelemetry(savedObjectsClient), + getLatestCasesDates({ savedObjectsClient, logger }), + getFilesTelemetry(savedObjectsClient), + ]); + + const aggregationsBuckets = getAggregationsBuckets({ + aggs: casesRes.aggregations, + keys: ['counts', 'syncAlerts', 'status', 'users', 'totalAssignees'], + }); + + const allAttachmentFrameworkStats = getAttachmentsFrameworkStats({ + attachmentAggregations: commentsRes.aggregations, + totalCasesForOwner: casesRes.total, + filesAggregations: filesRes.aggregations, + }); + + return { + all: { + total: casesRes.total, + ...getCountsFromBuckets(aggregationsBuckets.counts), + status: { + open: findValueInBuckets(aggregationsBuckets.status, ESCaseStatus.OPEN), + inProgress: findValueInBuckets(aggregationsBuckets.status, ESCaseStatus.IN_PROGRESS), + closed: findValueInBuckets(aggregationsBuckets.status, ESCaseStatus.CLOSED), + }, + syncAlertsOn: findValueInBuckets(aggregationsBuckets.syncAlerts, 1), + syncAlertsOff: findValueInBuckets(aggregationsBuckets.syncAlerts, 0), + totalUsers: casesRes.aggregations?.users?.value ?? 0, + totalParticipants: commentsRes.aggregations?.participants?.value ?? 0, + totalTags: casesRes.aggregations?.tags?.value ?? 0, + totalWithAlerts: + totalAlertsRes.aggregations?.references?.referenceType?.referenceAgg?.value ?? 0, + totalWithConnectors: + totalConnectorsRes.aggregations?.references?.referenceType?.referenceAgg?.value ?? 0, + latestDates, + assignees: { + total: casesRes.aggregations?.totalAssignees.value ?? 
0, + totalWithZero: casesRes.aggregations?.assigneeFilters.buckets.zero.doc_count ?? 0, + totalWithAtLeastOne: + casesRes.aggregations?.assigneeFilters.buckets.atLeastOne.doc_count ?? 0, + }, + ...allAttachmentFrameworkStats, + }, + sec: getSolutionValues({ + caseAggregations: casesRes.aggregations, + attachmentAggregations: commentsRes.aggregations, + filesAggregations: filesRes.aggregations, + owner: 'securitySolution', + }), + obs: getSolutionValues({ + caseAggregations: casesRes.aggregations, + attachmentAggregations: commentsRes.aggregations, + filesAggregations: filesRes.aggregations, + owner: 'observability', + }), + main: getSolutionValues({ + caseAggregations: casesRes.aggregations, + attachmentAggregations: commentsRes.aggregations, + filesAggregations: filesRes.aggregations, + owner: 'cases', + }), + }; + } catch (error) { + logger.error(`Cases telemetry failed with error: ${error}`); + throw error; + } +}; + +const getCasesSavedObjectTelemetry = async ( + savedObjectsClient: ISavedObjectsRepository +): Promise> => { + const caseByOwnerAggregationQuery = OWNERS.reduce( (aggQuery, owner) => ({ ...aggQuery, [owner]: { @@ -80,12 +162,12 @@ export const getCasesTelemetryData = async ({ {} ); - const casesRes = await savedObjectsClient.find({ + return savedObjectsClient.find({ page: 0, perPage: 0, type: CASE_SAVED_OBJECT, aggs: { - ...byOwnerAggregationQuery, + ...caseByOwnerAggregationQuery, ...getCountsAggregationQuery(CASE_SAVED_OBJECT), ...getAssigneesAggregations(), totalsByOwner: { 
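Review bot: The new query helpers (`getCasesSavedObjectTelemetry` here, and `getCommentsSavedObjectTelemetry`, `getFilesTelemetry`, `getAlertsTelemetry`, `getConnectorsTelemetry` in the following hunks) carry no TSDoc, and each returns a `find` response whose `aggregations` shape is only implied by its use in `getCasesTelemetryData`; a one-line `/** … */` per helper naming the saved-object type queried and the aggregation keys it produces would let a reader verify the `getAggregationsBuckets` keys without tracing the query. In the new `catch`, `` `Cases telemetry failed with error: ${error}` `` renders a non-`Error` rejection as `[object Object]`; if the logger accepts an `Error` instance, passing `error` through directly also preserves the stack. The three `getSolutionValues` calls differ only in `owner`; a local `const solutionAggs = { caseAggregations: casesRes.aggregations, attachmentAggregations: commentsRes.aggregations, filesAggregations: filesRes.aggregations };` spread into each call would remove the repetition.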
@@ -111,17 +193,86 @@ export const getCasesTelemetryData = async ({ }, }, }); +}; + +const getAssigneesAggregations = () => ({ + totalAssignees: { + value_count: { + field: `${CASE_SAVED_OBJECT}.attributes.assignees.uid`, + }, + }, + assigneeFilters: { + filters: { + filters: { + zero: { + bool: { + must_not: { + exists: { + field: `${CASE_SAVED_OBJECT}.attributes.assignees.uid`, + }, + }, + }, + }, + atLeastOne: { + bool: { + filter: { + exists: { + field: `${CASE_SAVED_OBJECT}.attributes.assignees.uid`, + }, + }, + }, + }, + }, + }, + }, +}); + +const getCommentsSavedObjectTelemetry = async ( + savedObjectsClient: ISavedObjectsRepository +): Promise> => { + const attachmentRegistries = () => ({ + externalReferenceTypes: { + terms: { + field: `${CASE_COMMENT_SAVED_OBJECT}.attributes.externalReferenceAttachmentTypeId`, + }, + aggs: { + ...getMaxBucketOnCaseAggregationQuery(CASE_COMMENT_SAVED_OBJECT), + }, + }, + persistableReferenceTypes: { + terms: { + field: `${CASE_COMMENT_SAVED_OBJECT}.attributes.persistableStateAttachmentTypeId`, + }, + aggs: { + ...getMaxBucketOnCaseAggregationQuery(CASE_COMMENT_SAVED_OBJECT), + }, + }, + }); + + const attachmentsByOwnerAggregationQuery = OWNERS.reduce( + (aggQuery, owner) => ({ + ...aggQuery, + [owner]: { + filter: { + term: { + [`${CASE_COMMENT_SAVED_OBJECT}.attributes.owner`]: owner, + }, + }, + aggs: { + ...attachmentRegistries(), + }, + }, + }), + {} + ); - const commentsRes = await savedObjectsClient.find< - unknown, - Record & { - participants: Cardinality; - } & ReferencesAggregation - >({ + return savedObjectsClient.find({ page: 0, perPage: 0, type: CASE_COMMENT_SAVED_OBJECT, aggs: { + ...attachmentsByOwnerAggregationQuery, + ...attachmentRegistries(), participants: { cardinality: { field: `${CASE_COMMENT_SAVED_OBJECT}.attributes.created_by.username`, 
@@ -129,8 +280,51 @@ export const getCasesTelemetryData = async ({ }, }, }); +}; + +const getFilesTelemetry = async ( + savedObjectsClient: ISavedObjectsRepository +): Promise> => { + const averageSize = () => ({ + averageSize: { + avg: { + field: `${FILE_SO_TYPE}.attributes.size`, + }, + }, + }); + + const filesByOwnerAggregationQuery = OWNERS.reduce( + (aggQuery, owner) => ({ + ...aggQuery, + [owner]: { + filter: { + term: { + [`${FILE_SO_TYPE}.attributes.Meta.owner`]: owner, + }, + }, + aggs: { + ...averageSize(), + }, + }, + }), + {} + ); + + const filterCaseIdExists = fromKueryExpression(`${FILE_SO_TYPE}.attributes.Meta.caseId: *`); - const totalAlertsRes = await savedObjectsClient.find({ + return savedObjectsClient.find({ + page: 0, + perPage: 0, + type: FILE_SO_TYPE, + filter: filterCaseIdExists, + aggs: { ...filesByOwnerAggregationQuery, ...averageSize() }, + }); +}; + +const getAlertsTelemetry = async ( + savedObjectsClient: ISavedObjectsRepository +): Promise> => { + return savedObjectsClient.find({ page: 0, perPage: 0, type: CASE_COMMENT_SAVED_OBJECT, @@ -143,8 +337,12 @@ export const getCasesTelemetryData = async ({ }), }, }); +}; - const totalConnectorsRes = await savedObjectsClient.find({ +const getConnectorsTelemetry = async ( + savedObjectsClient: ISavedObjectsRepository +): Promise> => { + return savedObjectsClient.find({ page: 0, perPage: 0, type: CASE_USER_ACTION_SAVED_OBJECT, 
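Review bot: `filterCaseIdExists` is rebuilt with `fromKueryExpression` on every telemetry run although its input is a constant, and the reason for the filter — the telemetry repository now spans every `file` saved object, so only files carrying `Meta.caseId` may be counted — is not stated anywhere; hoisting it to module scope with a comment would do both: `// Restrict to case-attached files: the internal repository sees every file saved object.` followed by `` const CASE_FILES_FILTER = fromKueryExpression(`${FILE_SO_TYPE}.attributes.Meta.caseId: *`); ``. `getAlertsTelemetry` opens at the end of this hunk and its body continues in the next one.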
@@ -157,74 +355,4 @@ export const getCasesTelemetryData = async ({ }), }, }); - - const latestDates = await getLatestCasesDates({ savedObjectsClient, logger }); - - const aggregationsBuckets = getAggregationsBuckets({ - aggs: casesRes.aggregations, - keys: ['counts', 'syncAlerts', 'status', 'users', 'totalAssignees'], - }); - - return { - all: { - total: casesRes.total, - ...getCountsFromBuckets(aggregationsBuckets.counts), - status: { - open: findValueInBuckets(aggregationsBuckets.status, ESCaseStatus.OPEN), - inProgress: findValueInBuckets(aggregationsBuckets.status, ESCaseStatus.IN_PROGRESS), - closed: findValueInBuckets(aggregationsBuckets.status, ESCaseStatus.CLOSED), - }, - syncAlertsOn: findValueInBuckets(aggregationsBuckets.syncAlerts, 1), - syncAlertsOff: findValueInBuckets(aggregationsBuckets.syncAlerts, 0), - totalUsers: casesRes.aggregations?.users?.value ?? 0, - totalParticipants: commentsRes.aggregations?.participants?.value ?? 0, - totalTags: casesRes.aggregations?.tags?.value ?? 0, - totalWithAlerts: - totalAlertsRes.aggregations?.references?.referenceType?.referenceAgg?.value ?? 0, - totalWithConnectors: - totalConnectorsRes.aggregations?.references?.referenceType?.referenceAgg?.value ?? 0, - latestDates, - assignees: { - total: casesRes.aggregations?.totalAssignees.value ?? 0, - totalWithZero: casesRes.aggregations?.assigneeFilters.buckets.zero.doc_count ?? 0, - totalWithAtLeastOne: - casesRes.aggregations?.assigneeFilters.buckets.atLeastOne.doc_count ?? 
0, - }, - }, - sec: getSolutionValues(casesRes.aggregations, 'securitySolution'), - obs: getSolutionValues(casesRes.aggregations, 'observability'), - main: getSolutionValues(casesRes.aggregations, 'cases'), - }; }; - -const getAssigneesAggregations = () => ({ - totalAssignees: { - value_count: { - field: `${CASE_SAVED_OBJECT}.attributes.assignees.uid`, - }, - }, - assigneeFilters: { - filters: { - filters: { - zero: { - bool: { - must_not: { - exists: { - field: `${CASE_SAVED_OBJECT}.attributes.assignees.uid`, - }, - }, - }, - }, - atLeastOne: { - bool: { - filter: { - exists: { - field: `${CASE_SAVED_OBJECT}.attributes.assignees.uid`, - }, - }, - }, - }, - }, - }, - }, -}); diff --git a/x-pack/plugins/cases/server/telemetry/queries/utils.test.ts b/x-pack/plugins/cases/server/telemetry/queries/utils.test.ts index e466ba597108..d7c6a0e9bf7b 100644 --- a/x-pack/plugins/cases/server/telemetry/queries/utils.test.ts +++ b/x-pack/plugins/cases/server/telemetry/queries/utils.test.ts @@ -6,10 +6,16 @@ */ import { savedObjectsRepositoryMock } from '@kbn/core/server/mocks'; -import type { CaseAggregationResult } from '../types'; +import type { + AttachmentAggregationResult, + AttachmentFrameworkAggsResult, + CaseAggregationResult, + FileAttachmentAggregationResult, +} from '../types'; import { findValueInBuckets, getAggregationsBuckets, + getAttachmentsFrameworkStats, getBucketFromAggregation, getConnectorsCardinalityAggregationQuery, getCountsAggregationQuery, 
@@ -46,19 +52,19 @@ describe('utils', () => { totalAssignees: { value: 5 }, }; - const solutionValues = { + const caseSolutionValues = { counts, ...assignees, }; - const aggsResult: CaseAggregationResult = { + const caseAggsResult: CaseAggregationResult = { users: { value: 1 }, tags: { value: 2 }, ...assignees, counts, - securitySolution: { ...solutionValues }, - observability: { ...solutionValues }, - cases: { ...solutionValues }, + securitySolution: { ...caseSolutionValues }, + observability: { ...caseSolutionValues }, + cases: { ...caseSolutionValues }, syncAlerts: { buckets: [ { @@ -87,7 +93,7 @@ describe('utils', () => { }, { key: 'securitySolution', - doc_count: 1, + doc_count: 5, }, { key: 'cases', 
@@ -97,40 +103,247 @@ describe('utils', () => { }, }; + const attachmentFramework: AttachmentFrameworkAggsResult = { + externalReferenceTypes: { + buckets: [ + { + doc_count: 5, + key: '.osquery', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + { + doc_count: 5, + key: '.files', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + ], + }, + persistableReferenceTypes: { + buckets: [ + { + doc_count: 5, + key: '.ml', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + { + doc_count: 5, + key: '.files', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + ], + }, + }; + + const attachmentAggsResult: AttachmentAggregationResult = { + securitySolution: { ...attachmentFramework }, + observability: { ...attachmentFramework }, + cases: { ...attachmentFramework }, + participants: { + value: 5, + }, + ...attachmentFramework, + }; + + const filesRes: FileAttachmentAggregationResult = { + securitySolution: { + averageSize: 500, + }, + observability: { + averageSize: 500, + }, + cases: { + averageSize: 500, + }, + averageSize: 500, + }; + it('constructs the solution values correctly', () => { - expect(getSolutionValues(aggsResult, 'securitySolution')).toMatchInlineSnapshot(` + expect( + getSolutionValues({ + caseAggregations: caseAggsResult, + attachmentAggregations: attachmentAggsResult, + filesAggregations: filesRes, + owner: 'securitySolution', + }) + ).toMatchInlineSnapshot(` Object { "assignees": Object { "total": 5, "totalWithAtLeastOne": 0, "totalWithZero": 100, }, + "attachmentFramework": Object { + "externalAttachments": Array [ + Object { + "average": 1, + "maxOnACase": 10, + "total": 5, + "type": ".osquery", + }, + Object { + "average": 1, + "maxOnACase": 10, + "total": 5, + "type": ".files", + }, + ], + "files": Object { + "average": 1, + "averageSize": 500, + "maxOnACase": 10, + "total": 5, + }, + "persistableAttachments": Array [ + Object { + "average": 1, + "maxOnACase": 10, + "total": 
5, + "type": ".ml", + }, + Object { + "average": 1, + "maxOnACase": 10, + "total": 5, + "type": ".files", + }, + ], + }, "daily": 3, "monthly": 1, - "total": 1, + "total": 5, "weekly": 2, } `); - expect(getSolutionValues(aggsResult, 'cases')).toMatchInlineSnapshot(` + expect( + getSolutionValues({ + caseAggregations: caseAggsResult, + attachmentAggregations: attachmentAggsResult, + filesAggregations: filesRes, + owner: 'cases', + }) + ).toMatchInlineSnapshot(` Object { "assignees": Object { "total": 5, "totalWithAtLeastOne": 0, "totalWithZero": 100, }, + "attachmentFramework": Object { + "externalAttachments": Array [ + Object { + "average": 5, + "maxOnACase": 10, + "total": 5, + "type": ".osquery", + }, + Object { + "average": 5, + "maxOnACase": 10, + "total": 5, + "type": ".files", + }, + ], + "files": Object { + "average": 5, + "averageSize": 500, + "maxOnACase": 10, + "total": 5, + }, + "persistableAttachments": Array [ + Object { + "average": 5, + "maxOnACase": 10, + "total": 5, + "type": ".ml", + }, + Object { + "average": 5, + "maxOnACase": 10, + "total": 5, + "type": ".files", + }, + ], + }, "daily": 3, "monthly": 1, "total": 1, "weekly": 2, } `); - expect(getSolutionValues(aggsResult, 'observability')).toMatchInlineSnapshot(` + expect( + getSolutionValues({ + caseAggregations: caseAggsResult, + attachmentAggregations: attachmentAggsResult, + filesAggregations: filesRes, + owner: 'observability', + }) + ).toMatchInlineSnapshot(` Object { "assignees": Object { "total": 5, "totalWithAtLeastOne": 0, "totalWithZero": 100, }, + "attachmentFramework": Object { + "externalAttachments": Array [ + Object { + "average": 5, + "maxOnACase": 10, + "total": 5, + "type": ".osquery", + }, + Object { + "average": 5, + "maxOnACase": 10, + "total": 5, + "type": ".files", + }, + ], + "files": Object { + "average": 5, + "averageSize": 500, + "maxOnACase": 10, + "total": 5, + }, + "persistableAttachments": Array [ + Object { + "average": 5, + "maxOnACase": 10, + "total": 5, + 
"type": ".ml", + }, + Object { + "average": 5, + "maxOnACase": 10, + "total": 5, + "type": ".files", + }, + ], + }, "daily": 3, "monthly": 1, "total": 1, 
@@ -140,6 +353,217 @@ describe('utils', () => { }); }); + describe('getAttachmentsFrameworkStats', () => { + it('returns empty stats if the aggregation is undefined', () => { + expect(getAttachmentsFrameworkStats({ totalCasesForOwner: 0 })).toMatchInlineSnapshot(` + Object { + "attachmentFramework": Object { + "externalAttachments": Array [], + "files": Object { + "average": 0, + "averageSize": 0, + "maxOnACase": 0, + "total": 0, + }, + "persistableAttachments": Array [], + }, + } + `); + }); + + describe('externalAttachments', () => { + const attachmentFramework: AttachmentFrameworkAggsResult = { + externalReferenceTypes: { + buckets: [ + { + doc_count: 5, + key: '.osquery', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + { + doc_count: 10, + key: '.files', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + ], + }, + persistableReferenceTypes: { + buckets: [], + }, + }; + + it('populates the externalAttachments array', () => { + const stats = getAttachmentsFrameworkStats({ + attachmentAggregations: attachmentFramework, + totalCasesForOwner: 5, + }); + + expect(stats.attachmentFramework.externalAttachments[0]).toEqual({ + // the average is 5 from the aggs result / 5 from the function parameter + average: 1, + maxOnACase: 10, + total: 5, + type: '.osquery', + }); + + expect(stats.attachmentFramework.externalAttachments[1]).toEqual({ + // the average is 10 from the aggs result / 5 from the function parameter + average: 2, + maxOnACase: 10, + total: 10, + type: '.files', + }); + }); + }); + + describe('persistableAttachments', () => { + const attachmentFramework: AttachmentFrameworkAggsResult = { + persistableReferenceTypes: { + buckets: [ + { + doc_count: 5, + key: '.osquery', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + { + doc_count: 10, + key: '.files', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + ], + }, + externalReferenceTypes: { + buckets: [], + }, + }; + + 
it('populates the externalAttachments array', () => { + const stats = getAttachmentsFrameworkStats({ + attachmentAggregations: attachmentFramework, + totalCasesForOwner: 5, + }); + + expect(stats.attachmentFramework.persistableAttachments[0]).toEqual({ + // the average is 5 from the aggs result / 5 from the function parameter + average: 1, + maxOnACase: 10, + total: 5, + type: '.osquery', + }); + + expect(stats.attachmentFramework.persistableAttachments[1]).toEqual({ + // the average is 10 from the aggs result / 5 from the function parameter + average: 2, + maxOnACase: 10, + total: 10, + type: '.files', + }); + }); + }); + + describe('files', () => { + it('sets the files stats to empty when it cannot find a files entry', () => { + const attachmentFramework: AttachmentFrameworkAggsResult = { + externalReferenceTypes: { + buckets: [ + { + doc_count: 5, + key: '.osquery', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + ], + }, + persistableReferenceTypes: { + buckets: [], + }, + }; + + expect( + getAttachmentsFrameworkStats({ + attachmentAggregations: attachmentFramework, + totalCasesForOwner: 5, + filesAggregations: { averageSize: 500 }, + }).attachmentFramework.files + ).toMatchInlineSnapshot(` + Object { + "average": 0, + "averageSize": 0, + "maxOnACase": 0, + "total": 0, + } + `); + }); + + it('sets the files stats when it finds a files entry', () => { + const attachmentFramework: AttachmentFrameworkAggsResult = { + externalReferenceTypes: { + buckets: [ + { + doc_count: 5, + key: '.files', + references: { + cases: { + max: { + value: 10, + }, + }, + }, + }, + ], + }, + persistableReferenceTypes: { + buckets: [], + }, + }; + + expect( + getAttachmentsFrameworkStats({ + attachmentAggregations: attachmentFramework, + filesAggregations: { averageSize: 500 }, + totalCasesForOwner: 5, + }).attachmentFramework.files + ).toMatchInlineSnapshot(` + Object { + "average": 1, + "averageSize": 500, + "maxOnACase": 10, + "total": 5, + } + `); + }); + }); 
+ }); + describe('getCountsAggregationQuery', () => { it('returns the correct query', () => { expect(getCountsAggregationQuery('test')).toEqual({ diff --git a/x-pack/plugins/cases/server/telemetry/queries/utils.ts b/x-pack/plugins/cases/server/telemetry/queries/utils.ts index 82bdef3ebe82..0c0a4f7bbf87 100644 --- a/x-pack/plugins/cases/server/telemetry/queries/utils.ts +++ b/x-pack/plugins/cases/server/telemetry/queries/utils.ts @@ -16,12 +16,20 @@ import { import type { CaseAggregationResult, Buckets, - CasesTelemetry, MaxBucketOnCaseAggregation, SolutionTelemetry, + AttachmentFramework, + AttachmentAggregationResult, + BucketsWithMaxOnCase, + AttachmentStats, + FileAttachmentStats, + FileAttachmentAggregationResult, + FileAttachmentAverageSize, + AttachmentFrameworkAggsResult, } from '../types'; import { buildFilter } from '../../client/utils'; -import type { OWNERS } from '../constants'; +import type { Owner } from '../../../common/constants/types'; +import { FILE_ATTACHMENT_TYPE } from '../../../common/api'; export const getCountsAggregationQuery = (savedObjectType: string) => ({ counts: { 
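Review bot: The second `it(...)` inside `describe('persistableAttachments', ...)` is titled `'populates the externalAttachments array'` although it asserts on `stats.attachmentFramework.persistableAttachments`; a failure would be reported under the wrong registry name. Rename it to `it('populates the persistableAttachments array', ...)`. The inline comments `// the average is 5 from the aggs result / 5 from the function parameter` are useful, but note the `files` cases rely on `FILE_ATTACHMENT_TYPE` being `'.files'`, which is imported in utils.ts rather than referenced in the test, so a change to that constant would break these fixtures silently; using the constant in the fixtures would make the coupling explicit.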
@@ -154,22 +162,39 @@ export const getBucketFromAggregation = ({ aggs?: Record; }): Buckets['buckets'] => (get(aggs, `${key}.buckets`) ?? []) as Buckets['buckets']; -export const getSolutionValues = ( - aggregations: CaseAggregationResult | undefined, - owner: typeof OWNERS[number] -): SolutionTelemetry => { +export const getSolutionValues = ({ + caseAggregations, + attachmentAggregations, + filesAggregations, + owner, +}: { + caseAggregations?: CaseAggregationResult; + attachmentAggregations?: AttachmentAggregationResult; + filesAggregations?: FileAttachmentAggregationResult; + owner: Owner; +}): SolutionTelemetry => { const aggregationsBuckets = getAggregationsBuckets({ - aggs: aggregations, + aggs: caseAggregations, keys: ['totalsByOwner', 'securitySolution.counts', 'observability.counts', 'cases.counts'], }); + const totalCasesForOwner = findValueInBuckets(aggregationsBuckets.totalsByOwner, owner); + const attachmentsAggsForOwner = attachmentAggregations?.[owner]; + const fileAttachmentsForOwner = filesAggregations?.[owner]; + return { - total: findValueInBuckets(aggregationsBuckets.totalsByOwner, owner), + total: totalCasesForOwner, ...getCountsFromBuckets(aggregationsBuckets[`${owner}.counts`]), + ...getAttachmentsFrameworkStats({ + attachmentAggregations: attachmentsAggsForOwner, + filesAggregations: fileAttachmentsForOwner, + totalCasesForOwner, + }), assignees: { - total: aggregations?.[owner].totalAssignees.value ?? 0, - totalWithZero: aggregations?.[owner].assigneeFilters.buckets.zero.doc_count ?? 0, - totalWithAtLeastOne: aggregations?.[owner].assigneeFilters.buckets.atLeastOne.doc_count ?? 0, + total: caseAggregations?.[owner].totalAssignees.value ?? 0, + totalWithZero: caseAggregations?.[owner].assigneeFilters.buckets.zero.doc_count ?? 0, + totalWithAtLeastOne: + caseAggregations?.[owner].assigneeFilters.buckets.atLeastOne.doc_count ?? 0, }, }; }; 
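Review bot: The assignee lines `caseAggregations?.[owner].totalAssignees.value ?? 0` guard only the top-level object, so a response without the per-owner sub-aggregation throws on `.totalAssignees` instead of degrading to 0, whereas the new `attachmentAggregations?.[owner]` path tolerates a missing owner entry because `getAttachmentsFrameworkStats` handles `undefined`. If the per-owner keys are not guaranteed by the query, `caseAggregations?.[owner]?.totalAssignees?.value ?? 0` (and the same for the two `assigneeFilters` lines) gives both inputs the same failure mode. The function also gained two new optional inputs with no doc comment; a TSDoc such as `/** Builds per-owner telemetry from the case, attachment-framework and file aggregation results. Every input is optional; missing data yields zeroed stats rather than throwing. */` would state the contract the fallbacks are trying to honour.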
@@ -192,6 +217,92 @@ export const getAggregationsBuckets = ({ {} ); +export const getAttachmentsFrameworkStats = ({ + attachmentAggregations, + filesAggregations, + totalCasesForOwner, +}: { + attachmentAggregations?: AttachmentFrameworkAggsResult; + filesAggregations?: FileAttachmentAverageSize; + totalCasesForOwner: number; +}): AttachmentFramework => { + if (!attachmentAggregations) { + return emptyAttachmentFramework(); + } + const averageFileSize = filesAggregations?.averageSize; + + return { + attachmentFramework: { + externalAttachments: getAttachmentRegistryStats( + attachmentAggregations.externalReferenceTypes, + totalCasesForOwner + ), + persistableAttachments: getAttachmentRegistryStats( + attachmentAggregations.persistableReferenceTypes, + totalCasesForOwner + ), + files: getFileAttachmentStats({ + registryResults: attachmentAggregations.externalReferenceTypes, + averageFileSize, + totalCasesForOwner, + }), + }, + }; +}; + +const getAttachmentRegistryStats = ( + registryResults: BucketsWithMaxOnCase, + totalCasesForOwner: number +): AttachmentStats[] => { + const stats: AttachmentStats[] = []; + + for (const bucket of registryResults.buckets) { + const commonFields = { + average: calculateTypePerCaseAverage(bucket.doc_count, totalCasesForOwner), + maxOnACase: bucket.references.cases.max.value, + total: bucket.doc_count, + }; + + stats.push({ + type: bucket.key, + ...commonFields, + }); + } + + return stats; +}; + +const calculateTypePerCaseAverage = (typeDocCount: number, totalCases: number) => { + if (totalCases === 0) { + return 0; + } + + return Math.round(typeDocCount / totalCases); +}; + +const getFileAttachmentStats = ({ + registryResults, + averageFileSize, + totalCasesForOwner, +}: { + registryResults: BucketsWithMaxOnCase; + averageFileSize?: number; + totalCasesForOwner: number; +}): FileAttachmentStats => { + const fileBucket = registryResults.buckets.find((bucket) => bucket.key === FILE_ATTACHMENT_TYPE); + + if (!fileBucket || 
averageFileSize == null) { + return emptyFileAttachment(); + } + + return { + averageSize: averageFileSize, + average: calculateTypePerCaseAverage(fileBucket.doc_count, totalCasesForOwner), + maxOnACase: fileBucket.references.cases.max.value, + total: fileBucket.doc_count, + }; +}; + export const getOnlyAlertsCommentsFilter = () => buildFilter({ filters: ['alert'], 
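Review bot: In `getFileAttachmentStats` the guard `if (!fileBucket || averageFileSize == null) return emptyFileAttachment();` discards `total` and `maxOnACase` from a found `.files` bucket whenever the size aggregation is absent, even though `filesAggregations` is optional in every signature above; the tests cover only the missing-bucket case. Splitting the guard keeps the counts: `if (!fileBucket) return emptyFileAttachment();` followed by `averageSize: Math.round(averageFileSize ?? 0),`. The rounding also makes `averageSize` consistent with `average`, which already goes through `Math.round` in `calculateTypePerCaseAverage`, and with the `long` declared for it in schema.ts later in this diff, since an ES avg presumably yields a fractional number. Separately, `Math.round(typeDocCount / totalCases)` reports 0 for any attachment type present on fewer than half the cases; if that is intended for the `long` schema, a comment saying so would prevent it being read as a bug.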
@@ -208,81 +319,17 @@ export const getOnlyConnectorsFilter = () => type: CASE_USER_ACTION_SAVED_OBJECT, }); -export const getTelemetryDataEmptyState = (): CasesTelemetry => ({ - cases: { - all: { - assignees: { - total: 0, - totalWithZero: 0, - totalWithAtLeastOne: 0, - }, - total: 0, - monthly: 0, - weekly: 0, - daily: 0, - status: { - open: 0, - inProgress: 0, - closed: 0, - }, - syncAlertsOn: 0, - syncAlertsOff: 0, - totalUsers: 0, - totalParticipants: 0, - totalTags: 0, - totalWithAlerts: 0, - totalWithConnectors: 0, - latestDates: { - createdAt: null, - updatedAt: null, - closedAt: null, - }, - }, - sec: { - total: 0, - monthly: 0, - weekly: 0, - daily: 0, - assignees: { total: 0, totalWithAtLeastOne: 0, totalWithZero: 0 }, - }, - obs: { - total: 0, - monthly: 0, - weekly: 0, - daily: 0, - assignees: { total: 0, totalWithAtLeastOne: 0, totalWithZero: 0 }, - }, - main: { - total: 0, - monthly: 0, - weekly: 0, - daily: 0, - assignees: { total: 0, totalWithAtLeastOne: 0, totalWithZero: 0 }, - }, - }, - userActions: { all: { total: 0, monthly: 0, weekly: 0, daily: 0, maxOnACase: 0 } }, - comments: { all: { total: 0, monthly: 0, weekly: 0, daily: 0, maxOnACase: 0 } }, - alerts: { all: { total: 0, monthly: 0, weekly: 0, daily: 0, maxOnACase: 0 } }, - connectors: { - all: { - all: { totalAttached: 0 }, - itsm: { totalAttached: 0 }, - sir: { totalAttached: 0 }, - jira: { totalAttached: 0 }, - resilient: { totalAttached: 0 }, - swimlane: { totalAttached: 0 }, - maxAttachedToACase: 0, - }, - }, - pushes: { - all: { total: 0, maxOnACase: 0 }, - }, - configuration: { - all: { - closure: { - manually: 0, - automatic: 0, - }, - }, +const emptyAttachmentFramework = (): AttachmentFramework => ({ + attachmentFramework: { + persistableAttachments: [], + externalAttachments: [], + files: emptyFileAttachment(), }, }); + +const emptyFileAttachment = (): FileAttachmentStats => ({ + average: 0, + averageSize: 0, + maxOnACase: 0, + total: 0, +}); 
diff --git a/x-pack/plugins/cases/server/telemetry/schema.ts b/x-pack/plugins/cases/server/telemetry/schema.ts index 1f51ca134b57..59506c932a51 100644 --- a/x-pack/plugins/cases/server/telemetry/schema.ts +++ b/x-pack/plugins/cases/server/telemetry/schema.ts @@ -14,6 +14,8 @@ import type { TypeString, SolutionTelemetrySchema, AssigneesSchema, + AttachmentFrameworkSchema, + AttachmentItemsSchema, } from './types'; const long: TypeLong = { type: 'long' }; @@ -26,6 +28,32 @@ const countSchema: CountSchema = { daily: long, }; +interface AttachmentRegistrySchema { + type: 'array'; + items: AttachmentItemsSchema; +} + +const attachmentRegistrySchema: AttachmentRegistrySchema = { + type: 'array', + items: { + average: long, + maxOnACase: long, + total: long, + type: string, + }, +}; + +const attachmentFrameworkSchema: AttachmentFrameworkSchema = { + persistableAttachments: attachmentRegistrySchema, + externalAttachments: attachmentRegistrySchema, + files: { + average: long, + averageSize: long, + maxOnACase: long, + total: long, + }, +}; + const assigneesSchema: AssigneesSchema = { total: long, totalWithZero: long, @@ -35,6 +63,7 @@ const assigneesSchema: AssigneesSchema = { const solutionTelemetry: SolutionTelemetrySchema = { ...countSchema, assignees: assigneesSchema, + attachmentFramework: attachmentFrameworkSchema, }; const statusSchema: StatusSchema = { @@ -53,6 +82,7 @@ export const casesSchema: CasesTelemetrySchema = { cases: { all: { ...countSchema, + attachmentFramework: attachmentFrameworkSchema, assignees: assigneesSchema, status: statusSchema, syncAlertsOn: long, diff --git a/x-pack/plugins/cases/server/telemetry/types.ts b/x-pack/plugins/cases/server/telemetry/types.ts index 095b967d1add..e28c3abaf4d5 100644 --- a/x-pack/plugins/cases/server/telemetry/types.ts +++ b/x-pack/plugins/cases/server/telemetry/types.ts 
@@ -7,7 +7,7 @@ import type { ISavedObjectsRepository, Logger } from '@kbn/core/server'; import type { MakeSchemaFrom } from '@kbn/usage-collection-plugin/server'; -import type { OWNERS } from './constants'; +import type { Owner } from '../../common/constants/types'; export interface Buckets { buckets: Array<{ @@ -57,8 +57,33 @@ export interface AssigneesFilters { }; } +export interface FileAttachmentAverageSize { + averageSize: number; +} + +export type FileAttachmentAggregationResult = Record & + FileAttachmentAverageSize; + +export interface BucketsWithMaxOnCase { + buckets: Array< + { + doc_count: number; + key: string; + } & MaxBucketOnCaseAggregation + >; +} + +export interface AttachmentFrameworkAggsResult { + externalReferenceTypes: BucketsWithMaxOnCase; + persistableReferenceTypes: BucketsWithMaxOnCase; +} + +export type AttachmentAggregationResult = Record & { + participants: Cardinality; +} & AttachmentFrameworkAggsResult; + export type CaseAggregationResult = Record< - typeof OWNERS[number], + Owner, { counts: Buckets; totalAssignees: ValueCount; @@ -81,7 +106,29 @@ export interface Assignees { totalWithAtLeastOne: number; } -export interface SolutionTelemetry extends Count { +interface CommonAttachmentStats { + average: number; + maxOnACase: number; + total: number; +} + +export interface AttachmentStats extends CommonAttachmentStats { + type: string; +} + +export interface FileAttachmentStats extends CommonAttachmentStats { + averageSize: number; +} + +export interface AttachmentFramework { + attachmentFramework: { + externalAttachments: AttachmentStats[]; + persistableAttachments: AttachmentStats[]; + files: FileAttachmentStats; + }; +} + +export interface SolutionTelemetry extends Count, AttachmentFramework { assignees: Assignees; } 
@@ -92,25 +139,26 @@ export interface Status { } export interface LatestDates { - createdAt: string | null; - updatedAt: string | null; - closedAt: string | null; + createdAt: string; + updatedAt: string; + closedAt: string; } export interface CasesTelemetry { cases: { - all: Count & { - assignees: Assignees; - status: Status; - syncAlertsOn: number; - syncAlertsOff: number; - totalUsers: number; - totalParticipants: number; - totalTags: number; - totalWithAlerts: number; - totalWithConnectors: number; - latestDates: LatestDates; - }; + all: Count & + AttachmentFramework & { + assignees: Assignees; + status: Status; + syncAlertsOn: number; + syncAlertsOff: number; + totalUsers: number; + totalParticipants: number; + totalTags: number; + totalWithAlerts: number; + totalWithConnectors: number; + latestDates: LatestDates; + }; sec: SolutionTelemetry; obs: SolutionTelemetry; main: SolutionTelemetry; @@ -147,4 +195,6 @@ export type StatusSchema = MakeSchemaFrom; export type LatestDatesSchema = MakeSchemaFrom; export type CasesTelemetrySchema = MakeSchemaFrom; export type AssigneesSchema = MakeSchemaFrom; +export type AttachmentFrameworkSchema = MakeSchemaFrom; +export type AttachmentItemsSchema = MakeSchemaFrom; export type SolutionTelemetrySchema = MakeSchemaFrom; diff --git a/x-pack/plugins/cloud_defend/public/common/utils.test.ts b/x-pack/plugins/cloud_defend/public/common/utils.test.ts index 1eb28e499165..f0342535d6d2 100644 --- a/x-pack/plugins/cloud_defend/public/common/utils.test.ts +++ b/x-pack/plugins/cloud_defend/public/common/utils.test.ts @@ -54,7 +54,7 @@ describe('getSelectorConditions', () => { // check that process specific conditions are not included expect(options.includes('processExecutable')).toBeFalsy(); - expect(options.includes('processName')).toBeFalsy(); + expect(options.includes('processUserId')).toBeFalsy(); }); it('grabs process conditions for process selectors', () => { 
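Review bot: `LatestDates` drops `| null` from `createdAt`, `updatedAt` and `closedAt` while the only code in this diff that produced those fields, the deleted `getTelemetryDataEmptyState`, initialised them to `null`. If the collector can still emit `null` for a deployment with no cases (an Elasticsearch max aggregation over zero documents has no value), the type now misrepresents the runtime and the compiler stops enforcing the null check downstream. Unless the telemetry path guarantees a string, keep `createdAt: string | null;` for the three fields, or document where the non-null guarantee comes from; the collector is outside this hunk so I cannot confirm either way.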
@@ -70,8 +70,6 @@ describe('getSelectorConditions', () => { // check that process specific conditions are not included expect(options.includes('processExecutable')).toBeTruthy(); - expect(options.includes('processName')).toBeTruthy(); - expect(options.includes('processUserName')).toBeTruthy(); expect(options.includes('processUserId')).toBeTruthy(); expect(options.includes('sessionLeaderInteractive')).toBeTruthy(); }); diff --git a/x-pack/plugins/cloud_defend/public/common/utils.ts b/x-pack/plugins/cloud_defend/public/common/utils.ts index 1a34c986a2d8..ea5ee1194d85 100644 --- a/x-pack/plugins/cloud_defend/public/common/utils.ts +++ b/x-pack/plugins/cloud_defend/public/common/utils.ts @@ -75,10 +75,10 @@ export function getSelectorConditions(type: SelectorType): SelectorCondition[] { export function getDefaultSelectorByType(type: SelectorType): Selector { switch (type) { case 'process': - return { ...DefaultProcessSelector }; + return JSON.parse(JSON.stringify(DefaultProcessSelector)); case 'file': default: - return { ...DefaultFileSelector }; + return JSON.parse(JSON.stringify(DefaultFileSelector)); } } diff --git a/x-pack/plugins/cloud_defend/public/components/control_general_view/index.test.tsx b/x-pack/plugins/cloud_defend/public/components/control_general_view/index.test.tsx index dc58de3eaad5..5f53d7ede613 100644 --- a/x-pack/plugins/cloud_defend/public/components/control_general_view/index.test.tsx +++ b/x-pack/plugins/cloud_defend/public/components/control_general_view/index.test.tsx @@ -73,7 +73,7 @@ describe('', () => { } }); - it('allows a user to add a new response', async () => { + it('allows a user to add a file response', async () => { const { getAllByTestId, getByTestId, rerender } = render(); userEvent.click(getByTestId('cloud-defend-btnAddResponse')); 
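Review bot: `getDefaultSelectorByType` now returns `JSON.parse(JSON.stringify(DefaultProcessSelector))` with no comment on why the spread was replaced; the shallow `{ ...DefaultProcessSelector }` would have shared any nested arrays or objects of the default with every new selector, so edits to one presumably leaked into the next (the default constants are outside the hunk). A why-comment above the `switch`, `// Deep clone: the defaults contain nested values that must not be shared between selector instances.`, stops a later reader from "simplifying" back to a spread. `structuredClone` would express the same intent directly if the supported runtimes allow it; the JSON round-trip is fine for plain data but silently drops `undefined` fields and functions.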
@@ -95,6 +95,28 @@ describe('', () => { } }); + it('should prevent user from adding a process response if no there are no process selectors', async () => { + const testPolicy = ` + file: + selectors: + - name: test + operation: ['createFile'] + responses: + - match: [test] + actions: [alert, block] + `; + + const { getByTestId } = render( + + ); + + userEvent.click(getByTestId('cloud-defend-btnAddResponse')); + await waitFor(() => userEvent.click(getByTestId('cloud-defend-btnAddProcessResponse'))); + + expect(onChange.mock.calls.length).toBe(0); + expect(getByTestId('cloud-defend-btnAddProcessResponse')).toBeDisabled(); + }); + it('updates selector name used in response.match, if its name is changed', async () => { const { getByTitle, getAllByTestId, rerender } = render(); diff --git a/x-pack/plugins/cloud_defend/public/components/control_general_view/index.tsx b/x-pack/plugins/cloud_defend/public/components/control_general_view/index.tsx index 7a8994dc6182..9eefe032f27f 100644 --- a/x-pack/plugins/cloud_defend/public/components/control_general_view/index.tsx +++ b/x-pack/plugins/cloud_defend/public/components/control_general_view/index.tsx @@ -33,12 +33,13 @@ import { ControlGeneralViewResponse } from '../control_general_view_response'; interface AddSelectorButtonProps { type: 'Selector' | 'Response'; onSelectType(type: SelectorType): void; + selectors: Selector[]; } /** * dual purpose button for adding selectors and responses by type */ -const AddButton = ({ type, onSelectType }: AddSelectorButtonProps) => { +const AddButton = ({ type, onSelectType, selectors }: AddSelectorButtonProps) => { const [isPopoverOpen, setPopover] = useState(false); const onButtonClick = () => { setPopover(!isPopoverOpen); 
@@ -58,6 +59,24 @@ const AddButton = ({ type, onSelectType }: AddSelectorButtonProps) => { onSelectType('process'); }, [onSelectType]); + const selectorCounts = useMemo(() => { + return selectors.reduce( + (cur, next) => { + if (next.type === 'file') { + cur.file++; + } else { + cur.process++; + } + + return cur; + }, + { + file: 0, + process: 0, + } + ); + }, [selectors]); + const isSelector = type === 'Selector'; const items = [ @@ -65,6 +84,7 @@ const AddButton = ({ type, onSelectType }: AddSelectorButtonProps) => { key={`addFile${type}`} icon="document" onClick={addFile} + disabled={type === 'Response' && selectorCounts.file === 0} data-test-subj={`cloud-defend-btnAddFile${type}`} > {isSelector ? i18n.fileSelector : i18n.fileResponse} @@ -73,6 +93,7 @@ const AddButton = ({ type, onSelectType }: AddSelectorButtonProps) => { key={`addProcess${type}`} icon="gear" onClick={addProcess} + disabled={type === 'Response' && selectorCounts.process === 0} data-test-subj={`cloud-defend-btnAddProcess${type}`} > {isSelector ? i18n.processSelector : i18n.processResponse} @@ -322,7 +343,7 @@ export const ControlGeneralView = ({ policy, onChange, show }: ViewDeps) => { ); })} - + @@ -350,7 +371,7 @@ export const ControlGeneralView = ({ policy, onChange, show }: ViewDeps) => { ); })} - + ); diff --git a/x-pack/plugins/cloud_defend/public/components/control_general_view_response/index.tsx b/x-pack/plugins/cloud_defend/public/components/control_general_view_response/index.tsx index fc29f0388457..88fed27c6145 100644 --- a/x-pack/plugins/cloud_defend/public/components/control_general_view_response/index.tsx +++ b/x-pack/plugins/cloud_defend/public/components/control_general_view_response/index.tsx @@ -38,6 +38,8 @@ import { getSelectorTypeIcon } from '../../common/utils'; const titleThreshold = 4; const titleThresholdCollapsed = 2; +const ACTION_ID_REGEX = /response_\d+_(.*)/; + export const ControlGeneralViewResponse = ({ response, selectors, 
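Review bot: The `selectorCounts` reducer treats every selector whose `type` is not `'file'` as a process selector (`} else { cur.process++; }`), so a future `SelectorType` value would silently enable the process response button it is meant to gate; `if (next.type === 'process') cur.process++;` keeps the count tied to the type being checked. The accumulator names `cur`/`next` read as iterator state rather than a tally; `(counts, selector)` says what they are. `AddButton` continues outside the hunk.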
@@ -149,7 +151,7 @@ export const ControlGeneralViewResponse = ({ const onToggleAction = useCallback( (e: ChangeEvent) => { - const action = e.currentTarget.id as ResponseAction; + const action = e.currentTarget?.id?.match(ACTION_ID_REGEX)?.[1] as ResponseAction; const updatedResponse = JSON.parse(JSON.stringify(response)); const actionIndex = updatedResponse.actions.indexOf(action); @@ -231,13 +233,15 @@ export const ControlGeneralViewResponse = ({ {accordionState === 'closed' && ( - {i18n.exclude}: {response?.exclude?.length && ( - - {response.exclude.length} - + <> + {i18n.exclude}: + + {response.exclude.length} + +
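Review bot: `e.currentTarget?.id?.match(ACTION_ID_REGEX)?.[1] as ResponseAction` casts an `undefined` match to `ResponseAction`, so an id that does not follow `response_<n>_<action>` flows into `indexOf` and the update below as `undefined` and is likely appended to `actions` (the rest of the handler is outside the hunk). Add an early exit before cloning the response, `if (!action) return;`, and anchor the pattern declared above, `/^response_\d+_(.*)$/`, so a matching substring elsewhere in an id cannot be taken as the action. The new regex constant also deserves a one-line comment tying it to the checkbox id format it parses.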
+ )} -
{i18n.actions}: {response.actions.map((action, i) => ( @@ -333,7 +337,7 @@ export const ControlGeneralViewResponse = ({ {

} @@ -26,7 +26,7 @@ export const EmptyEnginesPrompt: React.FC = ({ children }) => {

} diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.test.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.test.tsx index aa1f4214628b..6022bd7c987c 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.test.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.test.tsx @@ -15,9 +15,11 @@ import { Status } from '../../../../../common/types/api'; import { EnterpriseSearchEnginesPageTemplate } from '../layout/engines_page_template'; +import { LicensingCallout } from '../shared/licensing_callout/licensing_callout'; + import { EmptyEnginesPrompt } from './components/empty_engines_prompt'; import { EnginesListTable } from './components/tables/engines_table'; -import { EnginesList } from './engines_list'; +import { EnginesList, CreateEngineButton } from './engines_list'; import { DEFAULT_META } from './types'; const DEFAULT_VALUES = { @@ -27,6 +29,10 @@ const DEFAULT_VALUES = { parameters: { meta: DEFAULT_META }, results: [], status: Status.IDLE, + // LicensingLogic + hasPlatinumLicense: true, + // KibanaLogic + isCloud: false, }; const mockValues = { ...DEFAULT_VALUES, @@ -68,6 +74,8 @@ describe('EnginesList', () => { expect(wrapper.find(EmptyEnginesPrompt)).toHaveLength(1); expect(wrapper.find(EnginesListTable)).toHaveLength(0); + expect(wrapper.find(CreateEngineButton)).toHaveLength(1); + expect(wrapper.find(CreateEngineButton).prop('disabled')).toBeFalsy(); }); it('renders with Engines data ', async () => { 
@@ -78,5 +86,34 @@ describe('EnginesList', () => { expect(wrapper.find(EnginesListTable)).toHaveLength(1); expect(wrapper.find(EmptyEnginesPrompt)).toHaveLength(0); + expect(wrapper.find(CreateEngineButton)).toHaveLength(0); + }); + + it('renders Platinum license callout when not Cloud or Platinum', async () => { + setMockValues({ + ...DEFAULT_VALUES, + hasPlatinumLicense: false, + isCloud: false, + }); + setMockActions(mockActions); + const wrapper = shallow(); + + expect(wrapper.find(EnginesListTable)).toHaveLength(0); + expect(wrapper.find(EmptyEnginesPrompt)).toHaveLength(1); + expect(wrapper.find(LicensingCallout)).toHaveLength(1); + expect(wrapper.find(CreateEngineButton)).toHaveLength(1); + expect(wrapper.find(CreateEngineButton).prop('disabled')).toBeTruthy(); + }); + + it('Does not render Platinum license callout when Cloud', async () => { + setMockValues({ + ...DEFAULT_VALUES, + hasPlatinumLicense: false, + isCloud: true, + }); + setMockActions(mockActions); + const wrapper = shallow(); + + expect(wrapper.find(LicensingCallout)).toHaveLength(0); }); }); diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.tsx index b927e499ff06..292f8244a174 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.tsx 
@@ -10,7 +10,7 @@ import React, { useEffect } from 'react'; import { useActions, useValues } from 'kea'; import useThrottle from 'react-use/lib/useThrottle'; -import { EuiButton, EuiFieldSearch, EuiLink, EuiSpacer, EuiText } from '@elastic/eui'; +import { EuiButton, EuiFlexItem, EuiFieldSearch, EuiLink, EuiSpacer, EuiText } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import { FormattedMessage, FormattedNumber } from '@kbn/i18n-react'; @@ -18,8 +18,12 @@ import { FormattedMessage, FormattedNumber } from '@kbn/i18n-react'; import { INPUT_THROTTLE_DELAY_MS } from '../../../shared/constants/timers'; import { docLinks } from '../../../shared/doc_links'; +import { KibanaLogic } from '../../../shared/kibana'; +import { LicensingLogic } from '../../../shared/licensing'; import { EnterpriseSearchEnginesPageTemplate } from '../layout/engines_page_template'; +import { LicensingCallout, LICENSING_FEATURE } from '../shared/licensing_callout/licensing_callout'; + import { EmptyEnginesPrompt } from './components/empty_engines_prompt'; import { EnginesListTable } from './components/tables/engines_table'; import { CreateEngineFlyout } from './create_engine_flyout'; @@ -28,7 +32,7 @@ import { EngineListIndicesFlyout } from './engines_list_flyout'; import { EnginesListFlyoutLogic } from './engines_list_flyout_logic'; import { EnginesListLogic } from './engines_list_logic'; -const CreateButton: React.FC = () => { +export const CreateEngineButton: React.FC<{ disabled: boolean }> = ({ disabled }) => { const { openEngineCreate } = useActions(EnginesListLogic); return ( { iconType="plusInCircle" data-test-subj="enterprise-search-content-engines-creation-button" data-telemetry-id="entSearchContent-engines-list-createEngine" + disabled={disabled} onClick={openEngineCreate} > {i18n.translate('xpack.enterpriseSearch.content.engines.createEngineButtonLabel', { - defaultMessage: 'Create engine', + defaultMessage: 'Create Search Application', })} ); 
@@ -58,6 +63,11 @@ export const EnginesList: React.FC = () => { const { openFetchEngineFlyout } = useActions(EnginesListFlyoutLogic); + const { isCloud } = useValues(KibanaLogic); + const { hasPlatinumLicense } = useValues(LicensingLogic); + + const isGated = !isCloud && !hasPlatinumLicense; + const { createEngineFlyoutOpen, deleteModalEngineName, @@ -91,14 +101,14 @@ export const EnginesList: React.FC = () => { { data-telemetry-id="entSearchContent-engines-documentation-viewDocumentaion" > {i18n.translate('xpack.enterpriseSearch.content.engines.documentation', { - defaultMessage: 'explore our Engines documentation', + defaultMessage: 'explore our Search Applications documentation', })} ), @@ -116,14 +126,24 @@ export const EnginesList: React.FC = () => { /> ), pageTitle: i18n.translate('xpack.enterpriseSearch.content.engines.title', { - defaultMessage: 'Engines', + defaultMessage: 'Search Applications', }), - rightSideItems: isLoading ? [] : !hasNoEngines ? [] : [], + rightSideItems: isLoading + ? [] + : !hasNoEngines + ? [] + : [], }} pageViewTelemetry="Engines" isLoading={isLoading} > - {!hasNoEngines ? ( + {isGated && ( + + + + )} + + {!hasNoEngines && !isGated ? ( <>
{ ) : ( - + )} diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/new_index/method_connector/method_connector.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/new_index/method_connector/method_connector.tsx index d978817459ec..522465e1c695 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/new_index/method_connector/method_connector.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/new_index/method_connector/method_connector.tsx @@ -31,7 +31,10 @@ import { LicensingLogic } from '../../../../shared/licensing'; import { AddConnectorApiLogic } from '../../../api/connector/add_connector_api_logic'; import { FetchCloudHealthApiLogic } from '../../../api/stats/fetch_cloud_health_api_logic'; -import { LicensingCallout, LICENSING_FEATURE } from '../licensing_callout'; +import { + LicensingCallout, + LICENSING_FEATURE, +} from '../../shared/licensing_callout/licensing_callout'; import { CREATE_ELASTICSEARCH_INDEX_STEP, BUILD_SEARCH_EXPERIENCE_STEP } from '../method_steps'; import { NewSearchIndexLogic } from '../new_search_index_logic'; import { NewSearchIndexTemplate } from '../new_search_index_template'; diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/new_index/method_crawler/method_crawler.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/new_index/method_crawler/method_crawler.tsx index b96afab404e6..2adbee1515d4 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/new_index/method_crawler/method_crawler.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/new_index/method_crawler/method_crawler.tsx 
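Review bot: The `isGated` flag this hunk renders on (`!isCloud && !hasPlatinumLicense`, defined earlier in the same file) only disables `CreateEngineButton` and hides the engines table in the browser; a client-side licence flag is not an authorization control, so the create/list endpoints this page drives must enforce the same Platinum/Cloud condition server-side, and that enforcement is not visible in this diff. If it exists, a one-line comment at the `isGated` definition such as `// UI-only gate; the search-applications API enforces licensing independently` would stop a later reader from treating this render path as the enforcement point. The JSX elements inside `{isGated && (...)}` were stripped in this view, so the exact rendered tree could not be verified here. `EnginesList` starts and ends outside the hunk.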
@@ -18,7 +18,10 @@ import { docLinks } from '../../../../shared/doc_links'; import { KibanaLogic } from '../../../../shared/kibana'; import { LicensingLogic } from '../../../../shared/licensing'; import { CreateCrawlerIndexApiLogic } from '../../../api/crawler/create_crawler_index_api_logic'; -import { LicensingCallout, LICENSING_FEATURE } from '../licensing_callout'; +import { + LicensingCallout, + LICENSING_FEATURE, +} from '../../shared/licensing_callout/licensing_callout'; import { CREATE_ELASTICSEARCH_INDEX_STEP, BUILD_SEARCH_EXPERIENCE_STEP } from '../method_steps'; import { NewSearchIndexTemplate } from '../new_search_index_template'; diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/new_index/licensing_callout.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/shared/licensing_callout/licensing_callout.tsx similarity index 81% rename from x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/new_index/licensing_callout.tsx rename to x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/shared/licensing_callout/licensing_callout.tsx index 15ab34aba175..c6a6e8f9cd96 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/new_index/licensing_callout.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/shared/licensing_callout/licensing_callout.tsx 
@@ -10,12 +10,13 @@ import React from 'react'; import { EuiCallOut, EuiFlexGroup, EuiFlexItem, EuiLink } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import { docLinks } from '../../../shared/doc_links/doc_links'; +import { docLinks } from '../../../../shared/doc_links/doc_links'; export enum LICENSING_FEATURE { NATIVE_CONNECTOR = 'nativeConnector', CRAWLER = 'crawler', INFERENCE = 'inference', + SEARCH_APPLICATIONS = 'searchApplications', } type ContentBlock = Record; @@ -43,6 +44,13 @@ export const LicensingCallout: React.FC<{ feature: LICENSING_FEATURE }> = ({ fea 'Inference processors require a Platinum license or higher and are not available to Standard license self-managed deployments. You need to upgrade to use this feature.', } ), + [LICENSING_FEATURE.SEARCH_APPLICATIONS]: i18n.translate( + 'xpack.enterpriseSearch.content.licensingCallout.searchApplications.contentOne', + { + defaultMessage: + 'Search Applications require a Platinum license or higher and are not available to Standard license self-managed deployments. You need to upgrade to use this feature.', + } + ), }; const secondContentBlock: ContentBlock = { 
@@ -67,6 +75,13 @@ export const LicensingCallout: React.FC<{ feature: LICENSING_FEATURE }> = ({ fea "Did you know that inference processors are available with a Standard Elastic Cloud license? Elastic Cloud gives you the flexibility to run where you want. Deploy our managed service on Google Cloud, Microsoft Azure, or Amazon Web Services, and we'll handle the maintenance and upkeep for you.", } ), + [LICENSING_FEATURE.SEARCH_APPLICATIONS]: i18n.translate( + 'xpack.enterpriseSearch.content.licensingCallout.searchApplications.contentTwo', + { + defaultMessage: + "Did you know that Search Applications are available with a Standard Elastic Cloud license? Elastic Cloud gives you the flexibility to run where you want. Deploy our managed service on Google Cloud, Microsoft Azure, or Amazon Web Services and we'll handle the maintenance and upkeep for you.", + } + ), }; return ( diff --git a/x-pack/plugins/fleet/server/services/elastic_agent_manifest.ts b/x-pack/plugins/fleet/server/services/elastic_agent_manifest.ts index 093dc20e2be5..77344640c50b 100644 --- a/x-pack/plugins/fleet/server/services/elastic_agent_manifest.ts +++ b/x-pack/plugins/fleet/server/services/elastic_agent_manifest.ts @@ -49,10 +49,7 @@ spec: containers: - name: elastic-agent image: docker.elastic.co/beats/elastic-agent:VERSION - args: [ - "-c", "/etc/elastic-agent/agent.yml", - "-e", - ] + args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] env: # The basic authentication username used to connect to Elasticsearch # This user needs the privileges required to publish events to Elasticsearch. 
@@ -75,11 +72,11 @@ spec:
 runAsUser: 0
 capabilities:
 add:
- # The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
- # If you are not using this integration, then these capabilites can be removed.
+ # The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
+ # If you are not using this integration, then these capabilites can be removed.
 - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
 - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
- - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by Defend for Containers to modify rlimit_memlock
+ - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for containers' to modify 'rlimit_memlock'
 resources:
 limits:
 memory: 700Mi
@@ -370,11 +367,11 @@ spec:
 runAsUser: 0
 capabilities:
 add:
- # The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
- # If you are not using this integration, then these capabilites can be removed.
+ # The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
+ # If you are not using this integration, then these capabilites can be removed.
 - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
 - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
- - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by Defend for Containers to modify rlimit_memlock
+ - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'
 resources:
 limits:
 memory: 700Mi
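Review bot: The two rewritten `SYS_RESOURCE` comments disagree on casing — `'Defend for containers'` in the first hunk and `'Defend for Containers'` in the second — and both hunks carry the misspelling `capabilites` over to the new side unchanged. This is a shipped manifest template that runs the agent container as `runAsUser: 0` and adds `BPF`, `PERFMON` and `SYS_RESOURCE`, so this guidance comment is what an operator reads when deciding whether to drop those capabilities; it should be spelled consistently in both places, e.g. `# If you are not using this integration, then these capabilities can be removed.` and `Used by 'Defend for containers' to modify 'rlimit_memlock'`. The manifest is a template literal whose start and end lie outside the hunk.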
diff --git a/x-pack/plugins/infra/public/alerting/inventory/components/expression.tsx b/x-pack/plugins/infra/public/alerting/inventory/components/expression.tsx index 42729337993e..f06335145877 100644 --- a/x-pack/plugins/infra/public/alerting/inventory/components/expression.tsx +++ b/x-pack/plugins/infra/public/alerting/inventory/components/expression.tsx @@ -30,6 +30,7 @@ import { } from '@kbn/triggers-actions-ui-plugin/public'; import { debounce, omit } from 'lodash'; import React, { ChangeEvent, useCallback, useEffect, useMemo, useState } from 'react'; +import useToggle from 'react-use/lib/useToggle'; import { Comparator, FilterQuery, @@ -433,8 +434,7 @@ const StyledHealth = euiStyled(EuiHealth)` `; export const ExpressionRow: React.FC = (props) => { - const [isExpanded, setRowState] = useState(true); - const toggleRowState = useCallback(() => setRowState(!isExpanded), [isExpanded]); + const [isExpanded, toggle] = useToggle(true); const { children, setRuleParams, expression, errors, expressionId, remove, canDelete, fields } = props; @@ -579,7 +579,7 @@ export const ExpressionRow: React.FC = (props) => { = (props) => { - const [isExpanded, setRowState] = useState(true); - const toggleRowState = useCallback(() => setRowState(!isExpanded), [isExpanded]); + const [isExpanded, toggle] = useToggle(true); + const { dataView, children, @@ -224,7 +225,7 @@ export const ExpressionRow: React.FC = (props) => { { const { values } = props; - const [isExpanded, setIsExpanded] = useState(false); - const expand = useCallback(() => { - setIsExpanded(true); - }, []); - - const collapse = useCallback(() => { - setIsExpanded(false); - }, []); + const [isExpanded, toggle] = useToggle(false); const list = Array.isArray(values) ? values : [values]; const [first, ...others] = list; 
@@ -87,7 +81,7 @@ const ExpandableContent = (props: ExpandableContentProps) => { {shouldShowMore && ( <> {' ... '} - + { {isExpanded && others.map((item) => {item})} {hasOthers && isExpanded && ( - + {i18n.translate('xpack.infra.nodeDetails.tabs.metadata.seeLess', { defaultMessage: 'Show less', })} diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row.tsx index e552704fdb13..b5f660a12aea 100644 --- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row.tsx +++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/processes/process_row.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import React, { useState } from 'react'; +import React from 'react'; import { i18n } from '@kbn/i18n'; import { EuiTableRow, @@ -22,6 +22,7 @@ import { EuiSpacer, } from '@elastic/eui'; import { euiStyled } from '@kbn/kibana-react-plugin/common'; +import useToggle from 'react-use/lib/useToggle'; import { AutoSizer } from '../../../../../../../components/auto_sizer'; import { Process } from './types'; import { ProcessRowCharts } from './process_row_charts'; @@ -32,7 +33,7 @@ interface Props { } export const ProcessRow = ({ cells, item }: Props) => { - const [isExpanded, setIsExpanded] = useState(false); + const [isExpanded, toggle] = useToggle(false); return ( <> @@ -42,7 +43,7 @@ export const ProcessRow = ({ cells, item }: Props) => { data-test-subj="infraProcessRowButton" iconType={isExpanded ? 'arrowDown' : 'arrowRight'} aria-expanded={isExpanded} - onClick={() => setIsExpanded(!isExpanded)} + onClick={toggle} /> {cells} 
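Review bot: `onClick={toggle}` in `ProcessRow` hands the click `MouseEvent` straight to the `useToggle` setter; as I recall react-use only honours a boolean argument and flips the state for anything else, so this works today but depends on that library detail rather than on the call site stating its intent. Writing `onClick={() => toggle()}` makes the argument-free toggle explicit and keeps a future change in the hook's argument handling from silently breaking expand/collapse. The same pattern is used by the other `useToggle` refactors in this commit. `ProcessRow`'s JSX continues outside the hunk.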
diff --git a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/properties/table.tsx b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/properties/table.tsx index 8640eb87b97d..197e0ae1cb2a 100644 --- a/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/properties/table.tsx +++ b/x-pack/plugins/infra/public/pages/metrics/inventory_view/components/node_details/tabs/properties/table.tsx @@ -16,8 +16,9 @@ import { EuiSpacer, } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import React, { useCallback, useMemo, useState } from 'react'; +import React, { useMemo } from 'react'; import { FormattedMessage } from '@kbn/i18n-react'; +import useToggle from 'react-use/lib/useToggle'; interface Row { name: string; @@ -118,14 +119,7 @@ interface ExpandableContentProps { const ExpandableContent = (props: ExpandableContentProps) => { const { values } = props; - const [isExpanded, setIsExpanded] = useState(false); - const expand = useCallback(() => { - setIsExpanded(true); - }, []); - - const collapse = useCallback(() => { - setIsExpanded(false); - }, []); + const [isExpanded, toggle] = useToggle(false); const list = Array.isArray(values) ? values : [values]; const [first, ...others] = list; @@ -145,7 +139,7 @@ const ExpandableContent = (props: ExpandableContentProps) => { {shouldShowMore && ( <> {' ... '} - + { {isExpanded && others.map((item) => {item})} {hasOthers && isExpanded && ( - + {i18n.translate('xpack.infra.nodeDetails.tabs.metadata.seeLess', { defaultMessage: 'Show less', })} diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_security_jobs.test.ts b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_security_jobs.test.ts index 5a8c08914f69..1451054fb882 100644 --- a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_security_jobs.test.ts 
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_security_jobs.test.ts @@ -6,21 +6,20 @@ */ import { renderHook } from '@testing-library/react-hooks'; - import { hasMlAdminPermissions } from '../../../../../common/machine_learning/has_ml_admin_permissions'; import { hasMlLicense } from '../../../../../common/machine_learning/has_ml_license'; import { useAppToasts } from '../../../hooks/use_app_toasts'; import { useAppToastsMock } from '../../../hooks/use_app_toasts.mock'; +import { TestProviders } from '../../../mock'; import { getJobsSummary } from '../../ml/api/get_jobs_summary'; import { checkRecognizer, getModules } from '../api'; -import type { SecurityJob } from '../types'; import { - mockJobsSummaryResponse, - mockGetModuleResponse, checkRecognizerSuccess, + mockGetModuleResponse, + mockJobsSummaryResponse, } from '../api.mock'; +import type { SecurityJob } from '../types'; import { useSecurityJobs } from './use_security_jobs'; -import { TestProviders } from '../../../mock'; jest.mock('../../../../../common/machine_learning/has_ml_admin_permissions'); jest.mock('../../../../../common/machine_learning/has_ml_license'); @@ -30,8 +29,7 @@ jest.mock('../../ml/hooks/use_ml_capabilities'); jest.mock('../../ml/api/get_jobs_summary'); jest.mock('../api'); -// FLAKY: https://github.com/elastic/kibana/issues/153550 -describe.skip('useSecurityJobs', () => { +describe('useSecurityJobs', () => { let appToastsMock: jest.Mocked>; beforeEach(() => { 
@@ -94,13 +92,16 @@ describe.skip('useSecurityJobs', () => { it('renders a toast error if an ML call fails', async () => { (getModules as jest.Mock).mockRejectedValue('whoops'); - const { waitForNextUpdate } = renderHook(() => useSecurityJobs(), { + const { waitFor } = renderHook(() => useSecurityJobs(), { wrapper: TestProviders, }); - await waitForNextUpdate(); - expect(appToastsMock.addError).toHaveBeenCalledWith('whoops', { - title: 'Security job fetch failure', + // addError might be called after an arbitrary number of renders, so we + // need to use waitFor here instead of waitForNextUpdate + await waitFor(() => { + expect(appToastsMock.addError).toHaveBeenCalledWith('whoops', { + title: 'Security job fetch failure', + }); }); }); }); diff --git a/x-pack/plugins/security_solution/public/resolver/models/process_event.ts b/x-pack/plugins/security_solution/public/resolver/models/process_event.ts index 3d91cdd9a72a..1df497bf2a23 100644 --- a/x-pack/plugins/security_solution/public/resolver/models/process_event.ts +++ b/x-pack/plugins/security_solution/public/resolver/models/process_event.ts @@ -63,12 +63,13 @@ export function eventType(passedEvent: SafeResolverEvent): ResolverProcessType { const category = new Set(eventModel.eventCategory(passedEvent)); const kind = new Set(eventModel.eventKind(passedEvent)); if (category.has('process')) { - if (type.has('start') || type.has('change') || type.has('creation')) { + // checking for end event.type first as multiple values are possible (merged process events). e.g event.type: ['start', 'end'] + if (type.has('end')) { + return 'processTerminated'; + } else if (type.has('start') || type.has('change') || type.has('creation')) { return 'processCreated'; } else if (type.has('info')) { return 'processRan'; - } else if (type.has('end')) { - return 'processTerminated'; } else { return 'unknownProcessEvent'; } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/update_rules.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/update_rules.ts index 625204efbe4f..d949fd63136e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/update_rules.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/update_rules.ts @@ -66,12 +66,7 @@ export const updateRules = async ({ references: ruleUpdate.references ?? [], namespace: ruleUpdate.namespace, note: ruleUpdate.note, - // Always use the version from the request if specified. If it isn't specified, leave immutable rules alone and - // increment the version of mutable rules by 1. - version: - ruleUpdate.version ?? existingRule.params.immutable - ? existingRule.params.version - : existingRule.params.version + 1, + version: ruleUpdate.version ?? existingRule.params.version, exceptionsList: ruleUpdate.exceptions_list ?? [], ...typeSpecificParams, }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.test.ts index f5e17d2bff23..02ab66460204 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.test.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { convertPatchAPIToInternalSchema, patchTypeSpecificSnakeToCamel } from './rule_converters'; +import { patchTypeSpecificSnakeToCamel } from './rule_converters'; import { getEqlRuleParams, getMlRuleParams, 
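Review bot: With `version: ruleUpdate.version ?? existingRule.params.version`, a full update that omits `version` now leaves `params.version` untouched even though every other param is replaced from the request, so a rule's version no longer tracks edits unless the caller bumps it explicitly. The removed expression was itself broken — `??` binds tighter than `?:`, so it parsed as `(ruleUpdate.version ?? immutable) ? existing : existing + 1` and ignored a supplied version outright, which the new line fixes — but the increment for mutable rules disappears with it, along with the comment that explained the policy. If caller-driven versioning is intended, replace the deleted comment with one that says so, e.g. `// version is caller-controlled on update; it is intentionally not auto-incremented here`, so nobody re-adds the increment believing it was dropped by accident; the same change is applied to `convertPatchAPIToInternalSchema` in rule_converters.ts. `updateRules` starts and ends outside the hunk.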
@@ -15,7 +15,6 @@ import { getThreatRuleParams, getThresholdRuleParams, } from '../../rule_schema/mocks'; -import { getRuleMock } from '../../routes/__mocks__/request_responses'; describe('rule_converters', () => { describe('patchTypeSpecificSnakeToCamel', () => { 
@@ -204,79 +203,4 @@ describe('rule_converters', () => { ); }); }); - - describe('convertPatchAPIToInternalSchema', () => { - test('should set version to one specified in next params for custom rules', () => { - const nextParams = { - index: ['new-test-index'], - language: 'lucene', - version: 3, - }; - const existingRule = getRuleMock({ ...getQueryRuleParams(), version: 1 }); - const patchedParams = convertPatchAPIToInternalSchema(nextParams, existingRule); - expect(patchedParams).toEqual( - expect.objectContaining({ - params: expect.objectContaining({ version: 3 }), - }) - ); - }); - - test('should set version to one specified in next params for immutable rules', () => { - const nextParams = { - index: ['new-test-index'], - language: 'lucene', - version: 3, - }; - const existingRule = getRuleMock({ ...getQueryRuleParams(), version: 1, immutable: true }); - const patchedParams = convertPatchAPIToInternalSchema(nextParams, existingRule); - expect(patchedParams).toEqual( - expect.objectContaining({ - params: expect.objectContaining({ version: 3 }), - }) - ); - }); - - test('should not increment version for immutable rules if it is not specified in next params', () => { - const nextParams = { - index: ['new-test-index'], - language: 'lucene', - }; - const existingRule = getRuleMock({ ...getQueryRuleParams(), version: 1, immutable: true }); - const patchedParams = convertPatchAPIToInternalSchema(nextParams, existingRule); - expect(patchedParams).toEqual( - expect.objectContaining({ - params: expect.objectContaining({ version: 1 }), - }) - ); - }); - - test('should increment version for custom rules if it is not specified in next params', () => { - const nextParams = { - index: ['new-test-index'], - language: 'lucene', - }; - const existingRule = getRuleMock({ ...getQueryRuleParams(), version: 1 }); - const patchedParams = convertPatchAPIToInternalSchema(nextParams, existingRule); - expect(patchedParams).toEqual( - expect.objectContaining({ - params: 
expect.objectContaining({ version: 2 }), - }) - ); - }); - - test('should not increment version due to enabled, id, or rule_id, ', () => { - const nextParams = { - enabled: false, - id: 'some-id', - rule_id: 'some-rule-id', - }; - const existingRule = getRuleMock({ ...getQueryRuleParams(), version: 1 }); - const patchedParams = convertPatchAPIToInternalSchema(nextParams, existingRule); - expect(patchedParams).toEqual( - expect.objectContaining({ - params: expect.objectContaining({ version: 1 }), - }) - ); - }); - }); }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts index b2554e4f957d..618514dfbab4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts @@ -390,27 +390,6 @@ export const patchTypeSpecificSnakeToCamel = ( } }; -const versionExcludedKeys = ['enabled', 'id', 'rule_id']; -const incrementVersion = (nextParams: PatchRuleRequestBody, existingRule: RuleParams) => { - // The the version from nextParams if it's provided - if (nextParams.version) { - return nextParams.version; - } - - // If the rule is immutable, keep the current version - if (existingRule.immutable) { - return existingRule.version; - } - - // For custom rules, check modified params to deicide whether version increment is needed - for (const key in nextParams) { - if (!versionExcludedKeys.includes(key)) { - return existingRule.version + 1; - } - } - return existingRule.version; -}; - // eslint-disable-next-line complexity export const convertPatchAPIToInternalSchema = ( nextParams: PatchRuleRequestBody & { 
@@ -456,9 +435,7 @@ export const convertPatchAPIToInternalSchema = (
 references: nextParams.references ?? existingParams.references,
 namespace: nextParams.namespace ?? existingParams.namespace,
 note: nextParams.note ?? existingParams.note,
- // Always use the version from the request if specified. If it isn't specified, leave immutable rules alone and
- // increment the version of mutable rules by 1.
- version: incrementVersion(nextParams, existingParams),
+ version: nextParams.version ?? existingParams.version,
 exceptionsList: nextParams.exceptions_list ?? existingParams.exceptionsList,
 ...typeSpecificParams,
 },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts
index 7ff1366b8d94..25e971eadbea 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts
@@ -136,8 +136,8 @@ export const previewRulesRoute = async (
 .atSpace(spaceId, {
 elasticsearch: {
 index: {
- [`${DEFAULT_PREVIEW_INDEX}`]: ['read'],
- [`.internal${DEFAULT_PREVIEW_INDEX}-`]: ['read'],
+ [`${DEFAULT_PREVIEW_INDEX}-${spaceId}`]: ['read'],
+ [`.internal${DEFAULT_PREVIEW_INDEX}-${spaceId}-*`]: ['read'],
 },
 cluster: [],
 },
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/__mocks__/timeline.ts b/x-pack/plugins/security_solution/server/lib/telemetry/__mocks__/timeline.ts
index 3f5dd8e1755a..3705204a10d9 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/__mocks__/timeline.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/__mocks__/timeline.ts
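Review bot: The privilege check in `previewRulesRoute` now interpolates `spaceId` into two index patterns, and the second one ends in `-*`, so for a space id that is a prefix of another (say `a` and `a-b`) the pattern `.internal…-a-*` also covers `…-a-b-*`; that is only harmless because this is a has-privileges lookup and Elasticsearch itself still gates the reads, so the pattern must never be reused to grant rather than check access. Interpolating the id also assumes space ids cannot contain `*` or `,` — presumably guaranteed by Spaces validation, but not visible here. A comment such as `// space ids are validated upstream (no wildcard characters); these patterns only check, never grant, access` would record both assumptions next to the check. The route handler starts and ends outside the hunk.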
@@ -9,287 +9,265 @@ import moment from 'moment'; import type { ResolverNode } from '../../../../common/endpoint/types'; export const stubEndpointAlertResponse = () => { - return { - took: 0, - timed_out: false, - _shards: { - total: 1, - successful: 1, - skipped: 0, - failed: 0, - }, - hits: { - total: { - value: 1, - relation: 'eq', - }, - max_score: 0, - hits: [ - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '2f4c790211998ec3369f581b778e9761ae5647d041edd7b1245f7311fba06f37', - _score: 0, - _source: { - 'kibana.alert.rule.category': 'Custom Query Rule', - 'kibana.alert.rule.consumer': 'siem', - 'kibana.alert.rule.execution.uuid': 'c92c1a91-9981-4948-8dee-39b263d81f05', - 'kibana.alert.rule.name': 'Endpoint Security', - 'kibana.alert.rule.producer': 'siem', - 'kibana.alert.rule.rule_type_id': 'siem.queryRule', - 'kibana.alert.rule.uuid': 'b35e3af8-da87-11ec-ad90-353e53c6bd3e', - 'kibana.space_ids': ['default'], - 'kibana.alert.rule.tags': ['Elastic', 'Endpoint Security'], - '@timestamp': moment.now(), - registry: { - path: 'HKEY_USERS\\S-1-5-21-2460036010-3910878774-3458087990-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\chrome', - data: { - strings: 'C:/fake_behavior/explorer.exe', - }, - value: 'explorer.exe', - }, - agent: { - id: 'd2529c31-5415-492a-9c9b-87a77e8874d5', - type: 'endpoint', - version: '7.0.1', - }, - process: { - Ext: { - ancestry: ['j0mdzksneq', 'up4f1f87wr'], - code_signature: [ - { - trusted: false, - subject_name: 'bad signer', - }, - ], - user: 'SYSTEM', - token: { - integrity_level_name: 'high', - elevation_level: 'full', - }, - }, - parent: { - pid: 1, - entity_id: 'j0mdzksneq', - }, - group_leader: { - name: 'fake leader', - pid: 112, - entity_id: '3po060bfqd', - }, - session_leader: { - name: 'fake session', - pid: 7, - entity_id: '3po060bfqd', - }, - code_signature: { - subject_name: 'Microsoft Windows', - status: 'trusted', - }, - entry_leader: { - name: 'fake entry', - pid: 139, - entity_id: 
'3po060bfqd', - }, - name: 'explorer.exe', - pid: 2, - entity_id: 'p1dbx787xe', - executable: 'C:/fake_behavior/explorer.exe', - }, - dll: [ - { - Ext: { - compile_time: 1534424710, - malware_classification: { - identifier: 'Whitelisted', - score: 0, - threshold: 0, - version: '3.0.0', - }, - mapped_address: 5362483200, - mapped_size: 0, - }, - path: 'C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe', - code_signature: { - trusted: true, - subject_name: 'Cybereason Inc', - }, - pe: { - architecture: 'x64', - }, - hash: { - sha1: 'ca85243c0af6a6471bdaa560685c51eefd6dbc0d', - sha256: '8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2', - md5: '1f2d082566b0fc5f2c238a5180db7451', - }, - }, - ], - destination: { - port: 443, - ip: '10.39.10.58', - }, - rule: { - description: 'Behavior rule description', - id: 'e2d719cc-7044-4a46-b2ee-0a2993202096', - }, - source: { - port: 59406, - ip: '10.199.40.10', - }, - network: { - transport: 'tcp', - type: 'ipv4', - direction: 'outgoing', - }, - file: { - path: 'C:/fake_behavior.exe', - name: 'fake_behavior.exe', - }, - ecs: { - version: '1.6.0', - }, - data_stream: { - namespace: 'default', - type: 'logs', - dataset: 'endpoint.alerts', - }, - elastic: { - agent: { - id: 'd2529c31-5415-492a-9c9b-87a77e8874d5', - }, - }, - host: { - hostname: 'Host-uu8vmc2z8a', - os: { - Ext: { - variant: 'Windows Server', - }, - name: 'Windows', - family: 'windows', - version: '10.0', - platform: 'Windows', - full: 'Windows Server 2016', - }, - ip: ['10.23.178.108'], - name: 'Host-uu8vmc2z8a', - id: 'c1e90e16-0130-46d4-88de-ee338f13fed7', - mac: ['ee-83-79-cf-1a-13', 'a7-79-da-62-9e-78'], - architecture: 'a4rwx2t7yu', - }, - 'event.agent_id_status': 'auth_metadata_missing', - 'event.sequence': 15, - 'event.ingested': '2022-05-23T11:02:53Z', - 'event.code': 'behavior', - 'event.kind': 'signal', - 'event.module': 'endpoint', - 'event.action': 'rule_detection', - 'event.id': '962dba31-1306-4bb1-82c2-2a6d9ef8962d', - 
'event.category': 'behavior', - 'event.type': 'info', - 'event.dataset': 'endpoint.diagnostic.collection', - 'kibana.alert.original_time': '2022-05-23T11:02:59.511Z', - 'kibana.alert.ancestors': [ - { - id: 'juKV8IABsphBWHn-nT4H', - type: 'event', - index: '.ds-logs-endpoint.alerts-default-2022.05.23-000001', - depth: 0, - }, - ], - 'kibana.alert.status': 'active', - 'kibana.alert.workflow_status': 'open', - 'kibana.alert.depth': 1, - 'kibana.alert.reason': - 'behavior event with process explorer.exe, file fake_behavior.exe,:59406,:443, on Host-uu8vmc2z8a created medium alert Endpoint Security.', - 'kibana.alert.severity': 'medium', - 'kibana.alert.risk_score': 47, - 'kibana.alert.rule.actions': [], - 'kibana.alert.rule.author': ['Elastic'], - 'kibana.alert.rule.created_at': '2022-05-23T11:01:34.044Z', - 'kibana.alert.rule.created_by': 'elastic', - 'kibana.alert.rule.description': - 'Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.', - 'kibana.alert.rule.enabled': true, - 'kibana.alert.rule.exceptions_list': [ - { - id: 'endpoint_list', - list_id: 'endpoint_list', - namespace_type: 'agnostic', - type: 'endpoint', - }, - ], - 'kibana.alert.rule.false_positives': [], - 'kibana.alert.rule.from': 'now-10m', - 'kibana.alert.rule.immutable': true, - 'kibana.alert.rule.interval': '5m', - 'kibana.alert.rule.license': 'Elastic License v2', - 'kibana.alert.rule.max_signals': 10000, - 'kibana.alert.rule.references': [], - 'kibana.alert.rule.risk_score_mapping': [ - { - field: 'event.risk_score', - operator: 'equals', - value: '', - }, - ], - 'kibana.alert.rule.rule_id': '9a1a2dae-0b5f-4c3d-8305-a268d404c306', - 'kibana.alert.rule.rule_name_override': 'message', - 'kibana.alert.rule.severity_mapping': [ - { - field: 'event.severity', - operator: 'equals', - severity: 'low', - value: '21', - }, - { - field: 'event.severity', - operator: 'equals', - 
severity: 'medium', - value: '47', - }, - { - field: 'event.severity', - operator: 'equals', - severity: 'high', - value: '73', - }, + return [ + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '2f4c790211998ec3369f581b778e9761ae5647d041edd7b1245f7311fba06f37', + _score: 0, + _source: { + 'kibana.alert.rule.category': 'Custom Query Rule', + 'kibana.alert.rule.consumer': 'siem', + 'kibana.alert.rule.execution.uuid': 'c92c1a91-9981-4948-8dee-39b263d81f05', + 'kibana.alert.rule.name': 'Endpoint Security', + 'kibana.alert.rule.producer': 'siem', + 'kibana.alert.rule.rule_type_id': 'siem.queryRule', + 'kibana.alert.rule.uuid': 'b35e3af8-da87-11ec-ad90-353e53c6bd3e', + 'kibana.space_ids': ['default'], + 'kibana.alert.rule.tags': ['Elastic', 'Endpoint Security'], + '@timestamp': moment.now(), + registry: { + path: 'HKEY_USERS\\S-1-5-21-2460036010-3910878774-3458087990-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\chrome', + data: { + strings: 'C:/fake_behavior/explorer.exe', + }, + value: 'explorer.exe', + }, + agent: { + id: 'd2529c31-5415-492a-9c9b-87a77e8874d5', + type: 'endpoint', + version: '7.0.1', + }, + process: { + Ext: { + ancestry: ['j0mdzksneq', 'up4f1f87wr'], + code_signature: [ { - field: 'event.severity', - operator: 'equals', - severity: 'critical', - value: '99', + trusted: false, + subject_name: 'bad signer', }, ], - 'kibana.alert.rule.threat': [], - 'kibana.alert.rule.timestamp_override': 'event.ingested', - 'kibana.alert.rule.to': 'now', - 'kibana.alert.rule.type': 'query', - 'kibana.alert.rule.updated_at': '2022-05-23T11:01:34.044Z', - 'kibana.alert.rule.updated_by': 'elastic', - 'kibana.alert.rule.version': 3, - 'kibana.alert.rule.risk_score': 47, - 'kibana.alert.rule.severity': 'medium', - 'kibana.alert.original_event.agent_id_status': 'auth_metadata_missing', - 'kibana.alert.original_event.sequence': 15, - 'kibana.alert.original_event.ingested': '2022-05-23T11:02:53Z', - 'kibana.alert.original_event.code': 
'behavior', - 'kibana.alert.original_event.kind': 'alert', - 'kibana.alert.original_event.module': 'endpoint', - 'kibana.alert.original_event.action': 'rule_detection', - 'kibana.alert.original_event.id': '962dba31-1306-4bb1-82c2-2a6d9ef8962d', - 'kibana.alert.original_event.category': 'behavior', - 'kibana.alert.original_event.type': 'info', - 'kibana.alert.original_event.dataset': 'endpoint.diagnostic.collection', - 'kibana.alert.uuid': '2f4c790211998ec3369f581b778e9761ae5647d041edd7b1245f7311fba06f37', + user: 'SYSTEM', + token: { + integrity_level_name: 'high', + elevation_level: 'full', + }, + }, + parent: { + pid: 1, + entity_id: 'j0mdzksneq', + }, + group_leader: { + name: 'fake leader', + pid: 112, + entity_id: '3po060bfqd', + }, + session_leader: { + name: 'fake session', + pid: 7, + entity_id: '3po060bfqd', + }, + code_signature: { + subject_name: 'Microsoft Windows', + status: 'trusted', + }, + entry_leader: { + name: 'fake entry', + pid: 139, + entity_id: '3po060bfqd', }, + name: 'explorer.exe', + pid: 2, + entity_id: 'p1dbx787xe', + executable: 'C:/fake_behavior/explorer.exe', }, - ], - }, - aggregations: { - endpoint_alert_count: { - value: 1, + dll: [ + { + Ext: { + compile_time: 1534424710, + malware_classification: { + identifier: 'Whitelisted', + score: 0, + threshold: 0, + version: '3.0.0', + }, + mapped_address: 5362483200, + mapped_size: 0, + }, + path: 'C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe', + code_signature: { + trusted: true, + subject_name: 'Cybereason Inc', + }, + pe: { + architecture: 'x64', + }, + hash: { + sha1: 'ca85243c0af6a6471bdaa560685c51eefd6dbc0d', + sha256: '8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2', + md5: '1f2d082566b0fc5f2c238a5180db7451', + }, + }, + ], + destination: { + port: 443, + ip: '10.39.10.58', + }, + rule: { + description: 'Behavior rule description', + id: 'e2d719cc-7044-4a46-b2ee-0a2993202096', + }, + source: { + port: 59406, + ip: '10.199.40.10', + }, + network: { + 
transport: 'tcp', + type: 'ipv4', + direction: 'outgoing', + }, + file: { + path: 'C:/fake_behavior.exe', + name: 'fake_behavior.exe', + }, + ecs: { + version: '1.6.0', + }, + data_stream: { + namespace: 'default', + type: 'logs', + dataset: 'endpoint.alerts', + }, + elastic: { + agent: { + id: 'd2529c31-5415-492a-9c9b-87a77e8874d5', + }, + }, + host: { + hostname: 'Host-uu8vmc2z8a', + os: { + Ext: { + variant: 'Windows Server', + }, + name: 'Windows', + family: 'windows', + version: '10.0', + platform: 'Windows', + full: 'Windows Server 2016', + }, + ip: ['10.23.178.108'], + name: 'Host-uu8vmc2z8a', + id: 'c1e90e16-0130-46d4-88de-ee338f13fed7', + mac: ['ee-83-79-cf-1a-13', 'a7-79-da-62-9e-78'], + architecture: 'a4rwx2t7yu', + }, + 'event.agent_id_status': 'auth_metadata_missing', + 'event.sequence': 15, + 'event.ingested': '2022-05-23T11:02:53Z', + 'event.code': 'behavior', + 'event.kind': 'signal', + 'event.module': 'endpoint', + 'event.action': 'rule_detection', + 'event.id': '962dba31-1306-4bb1-82c2-2a6d9ef8962d', + 'event.category': 'behavior', + 'event.type': 'info', + 'event.dataset': 'endpoint.diagnostic.collection', + 'kibana.alert.original_time': '2022-05-23T11:02:59.511Z', + 'kibana.alert.ancestors': [ + { + id: 'juKV8IABsphBWHn-nT4H', + type: 'event', + index: '.ds-logs-endpoint.alerts-default-2022.05.23-000001', + depth: 0, + }, + ], + 'kibana.alert.status': 'active', + 'kibana.alert.workflow_status': 'open', + 'kibana.alert.depth': 1, + 'kibana.alert.reason': + 'behavior event with process explorer.exe, file fake_behavior.exe,:59406,:443, on Host-uu8vmc2z8a created medium alert Endpoint Security.', + 'kibana.alert.severity': 'medium', + 'kibana.alert.risk_score': 47, + 'kibana.alert.rule.actions': [], + 'kibana.alert.rule.author': ['Elastic'], + 'kibana.alert.rule.created_at': '2022-05-23T11:01:34.044Z', + 'kibana.alert.rule.created_by': 'elastic', + 'kibana.alert.rule.description': + 'Generates a detection alert each time an Elastic Endpoint Security 
alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.', + 'kibana.alert.rule.enabled': true, + 'kibana.alert.rule.exceptions_list': [ + { + id: 'endpoint_list', + list_id: 'endpoint_list', + namespace_type: 'agnostic', + type: 'endpoint', + }, + ], + 'kibana.alert.rule.false_positives': [], + 'kibana.alert.rule.from': 'now-10m', + 'kibana.alert.rule.immutable': true, + 'kibana.alert.rule.interval': '5m', + 'kibana.alert.rule.license': 'Elastic License v2', + 'kibana.alert.rule.max_signals': 10000, + 'kibana.alert.rule.references': [], + 'kibana.alert.rule.risk_score_mapping': [ + { + field: 'event.risk_score', + operator: 'equals', + value: '', + }, + ], + 'kibana.alert.rule.rule_id': '9a1a2dae-0b5f-4c3d-8305-a268d404c306', + 'kibana.alert.rule.rule_name_override': 'message', + 'kibana.alert.rule.severity_mapping': [ + { + field: 'event.severity', + operator: 'equals', + severity: 'low', + value: '21', + }, + { + field: 'event.severity', + operator: 'equals', + severity: 'medium', + value: '47', + }, + { + field: 'event.severity', + operator: 'equals', + severity: 'high', + value: '73', + }, + { + field: 'event.severity', + operator: 'equals', + severity: 'critical', + value: '99', + }, + ], + 'kibana.alert.rule.threat': [], + 'kibana.alert.rule.timestamp_override': 'event.ingested', + 'kibana.alert.rule.to': 'now', + 'kibana.alert.rule.type': 'query', + 'kibana.alert.rule.updated_at': '2022-05-23T11:01:34.044Z', + 'kibana.alert.rule.updated_by': 'elastic', + 'kibana.alert.rule.version': 3, + 'kibana.alert.rule.risk_score': 47, + 'kibana.alert.rule.severity': 'medium', + 'kibana.alert.original_event.agent_id_status': 'auth_metadata_missing', + 'kibana.alert.original_event.sequence': 15, + 'kibana.alert.original_event.ingested': '2022-05-23T11:02:53Z', + 'kibana.alert.original_event.code': 'behavior', + 'kibana.alert.original_event.kind': 'alert', + 'kibana.alert.original_event.module': 'endpoint', + 
'kibana.alert.original_event.action': 'rule_detection', + 'kibana.alert.original_event.id': '962dba31-1306-4bb1-82c2-2a6d9ef8962d', + 'kibana.alert.original_event.category': 'behavior', + 'kibana.alert.original_event.type': 'info', + 'kibana.alert.original_event.dataset': 'endpoint.diagnostic.collection', + 'kibana.alert.uuid': '2f4c790211998ec3369f581b778e9761ae5647d041edd7b1245f7311fba06f37', }, }, - }; + ]; }; export const stubProcessTree = (): ResolverNode[] => [ diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts index 428dd82b4f43..e5a74153a8fd 100644 --- a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts +++ b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts @@ -14,6 +14,7 @@ import type { } from '@kbn/core/server'; import type { AggregationsAggregate, + OpenPointInTimeResponse, SearchRequest, SearchResponse, } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; @@ -28,6 +29,11 @@ import { SIGNALS_ID, THRESHOLD_RULE_TYPE_ID, } from '@kbn/securitysolution-rules'; +import type { + SearchHit, + SearchRequest as ESSearchRequest, + SortResults, +} from '@elastic/elasticsearch/lib/api/types'; import type { TransportResult } from '@elastic/elasticsearch'; import type { Agent, AgentPolicy, Installation } from '@kbn/fleet-plugin/common'; import type { @@ -156,9 +162,7 @@ export interface ITelemetryReceiver { fetchPrebuiltRuleAlerts(): Promise<{ events: TelemetryEvent[]; count: number }>; - fetchTimelineEndpointAlerts( - interval: number - ): Promise>>; + fetchTimelineEndpointAlerts(interval: number): Promise>>; buildProcessTree( entityId: string, 
@@ -701,12 +705,22 @@ export class TelemetryReceiver implements ITelemetryReceiver {
 throw Error('elasticsearch client is unavailable: cannot retrieve cluster infomation');
 }
 
- const query: SearchRequest = {
- expand_wildcards: ['open' as const, 'hidden' as const],
- index: `${this.alertsIndex}*`,
- ignore_unavailable: true,
- body: {
- size: 30,
+ // default is from looking at Kibana saved objects and online documentation
+ const keepAlive = '5m';
+
+ // create and assign an initial point in time
+ let pitId: OpenPointInTimeResponse['id'] = (
+ await this.esClient.openPointInTime({
+ index: `${this.alertsIndex}*`,
+ keep_alive: keepAlive,
+ })
+ ).id;
+
+ let fetchMore = true;
+ let searchAfter: SortResults | undefined;
+ let alertsToReturn: Array> = [];
+ while (fetchMore) {
+ const query: ESSearchRequest = {
 query: {
 bool: {
 filter: [
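Review bot: The openPointInTime call drops the `expand_wildcards: ['open', 'hidden']` and `ignore_unavailable: true` options that the replaced search request carried, so if `${this.alertsIndex}*` has to resolve hidden backing indices, or no alerts index exists yet, the PIT open behaves differently from the old query — and because it sits outside any try, a missing index now rejects the whole method instead of yielding an empty result. Passing the same two options to openPointInTime, `expand_wildcards: ['open', 'hidden'], ignore_unavailable: true,`, keeps the old matching semantics; whether hidden indices are actually involved depends on what `alertsIndex` holds, which is outside this hunk. The `keepAlive` comment would also read better if it said what `5m` is the default of. fetchTimelineEndpointAlerts's signature is above the hunk and its body continues in the next one.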
@@ -750,10 +764,53 @@ export class TelemetryReceiver implements ITelemetryReceiver {
 },
 },
 },
- },
- };
+ track_total_hits: false,
+ sort: [
+ { '@timestamp': { order: 'asc', format: 'strict_date_optional_time_nanos' } },
+ { _shard_doc: 'desc' },
+ ] as unknown as string[],
+ pit: { id: pitId },
+ search_after: searchAfter,
+ size: 1000,
+ };
+
+ tlog(this.logger, `Getting alerts with point in time (PIT) query: ${JSON.stringify(query)}`);
+
+ let response = null;
+ try {
+ response = await this.esClient.search(query);
+ const numOfHits = response?.hits.hits.length;
+
+ if (numOfHits > 0) {
+ const lastHit = response?.hits.hits[numOfHits - 1];
+ searchAfter = lastHit?.sort;
+ }
+
+ fetchMore = numOfHits > 0;
+ } catch (e) {
+ tlog(this.logger, e);
+ fetchMore = false;
+ }
+
+ const alerts = response?.hits.hits;
+ alertsToReturn = alertsToReturn.concat(alerts ?? []);
+
+ if (response?.pit_id != null) {
+ pitId = response?.pit_id;
+ }
+ }
+
+ try {
+ await this.esClient.closePointInTime({ id: pitId });
+ } catch (error) {
+ tlog(
+ this.logger,
+ `Error trying to close point in time: "${pitId}", it will expire within "${keepAlive}". Error is: "${error}"`
+ );
+ }
 
- return this.esClient.search(query);
+ tlog(this.logger, `Timeline alerts to return: ${alertsToReturn.length}`);
+ return alertsToReturn;
 }
 
 public async buildProcessTree(
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/timelines.ts b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/timelines.ts
index 4fdfc4a726a3..b6f7a4426f0c 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/timelines.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/timelines.ts
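Review bot: The paging loop has no termination guard other than an empty page: `fetchMore = numOfHits > 0` stays true even when `lastHit?.sort` is undefined, in which case `searchAfter` never advances and the same 1000 hits are re-fetched and appended to `alertsToReturn` indefinitely; the removed request was capped at 30 hits, the new one accumulates every alert in the window in memory. Ending the loop when the cursor did not move and capping the total, e.g. `fetchMore = numOfHits > 0 && searchAfter != null && alertsToReturn.length < MAX_TIMELINE_ALERTS;` (with `MAX_TIMELINE_ALERTS` a new module constant), bounds both the runtime and the memory held by this background task. The `] as unknown as string[]` cast on `sort` hides exactly the type mismatch that would leave `lastHit.sort` unusable, so resolving the sort typing is safer than double-casting. Logging `JSON.stringify(query)` on every page also writes the PIT id and cursor to the log each iteration; one debug line per fetch with the hit count would be enough. The method starts in the previous hunk.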
@@ -72,21 +72,8 @@ export function createTelemetryTimelineTaskConfig() { const endpointAlerts = await receiver.fetchTimelineEndpointAlerts(3); - const aggregations = endpointAlerts?.aggregations as unknown as { - endpoint_alert_count: { value: number }; - }; - tlog(logger, `Endpoint alert count: ${aggregations?.endpoint_alert_count}`); - sender.getTelemetryUsageCluster()?.incrementCounter({ - counterName: 'telemetry_endpoint_alert', - counterType: 'endpoint_alert_count', - incrementBy: aggregations?.endpoint_alert_count.value, - }); - // No EP Alerts -> Nothing to do - if ( - endpointAlerts.hits.hits?.length === 0 || - endpointAlerts.hits.hits?.length === undefined - ) { + if (endpointAlerts.length === 0 || endpointAlerts.length === undefined) { tlog(logger, 'no endpoint alerts received. exiting telemetry task.'); await sender.sendOnDemand(TASK_METRICS_CHANNEL, [ createTaskMetric(taskName, true, startTime), @@ -96,7 +83,7 @@ export function createTelemetryTimelineTaskConfig() { // Build process tree for each EP Alert recieved - for (const alert of endpointAlerts.hits.hits) { + for (const alert of endpointAlerts) { const eventId = alert._source ? alert._source['event.id'] : 'unknown'; const alertUUID = alert._source ? alert._source['kibana.alert.uuid'] : 'unknown'; diff --git a/x-pack/plugins/session_view/common/constants.ts b/x-pack/plugins/session_view/common/constants.ts index f6b713f9283f..e0ad59c4accf 100644 --- a/x-pack/plugins/session_view/common/constants.ts +++ b/x-pack/plugins/session_view/common/constants.ts 
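Review bot: `endpointAlerts.length === undefined` in the new guard is dead now that fetchTimelineEndpointAlerts returns an array — an array's `length` is always a number — so the condition reduces to `if (endpointAlerts.length === 0) {`. The hunk also drops the `telemetry_endpoint_alert` usage-counter increment together with the aggregation it read from; if that counter is still consumed anywhere, `endpointAlerts.length` is the natural replacement for `incrementBy`, and otherwise the removal deserves a line in the commit message. createTelemetryTimelineTaskConfig starts outside the hunk.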
@@ -18,7 +18,10 @@ export const SECURITY_APP_ID = 'security'; export const POLICIES_PAGE_PATH = '/administration/policy'; // index patterns -export const PROCESS_EVENTS_INDEX = '*:logs-endpoint.events.process*,logs-endpoint.events.process*'; // match on both cross cluster and local indices +const ENDPOINT_PROCESS_EVENTS_INDEX = + '*:logs-endpoint.events.process*,logs-endpoint.events.process*'; +const CLOUD_DEFEND_PROCESS_EVENTS_INDEX = '*:logs-cloud_defend.process*,logs-cloud_defend.process*'; +export const PROCESS_EVENTS_INDEX = `${ENDPOINT_PROCESS_EVENTS_INDEX},${CLOUD_DEFEND_PROCESS_EVENTS_INDEX}`; // match on both cross cluster and local indices export const PREVIEW_ALERTS_INDEX = '.preview.alerts-security.alerts-default'; // field properties diff --git a/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts b/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts index 5f1b5a25cc56..e82e4a2e54ea 100644 --- a/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts +++ b/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts @@ -211,6 +211,7 @@ export const mockEvents: ProcessEvent[] = [ minor: 1, }, }, + previous: [{ args: ['bash'], args_count: 1, executable: '/usr/bin/bash' }], parent: { pid: 2442, user: { @@ -354,6 +355,7 @@ export const mockEvents: ProcessEvent[] = [ minor: 1, }, }, + previous: [{ args: ['bash'], args_count: 1, executable: '/usr/bin/bash' }], parent: { pid: 2442, user: { @@ -513,6 +515,7 @@ export const mockEvents: ProcessEvent[] = [ minor: 1, }, }, + previous: [{ args: ['bash'], args_count: 1, executable: '/usr/bin/bash' }], parent: { pid: 2442, user: { 
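Review bot: The trailing comment on the new `PROCESS_EVENTS_INDEX` still only explains the cross-cluster prefix, while the constant's meaning changed — it now queries cloud_defend process events alongside endpoint ones, which widens every session-view search that uses it. A comment on the export such as `// endpoint and cloud_defend process events; each pattern matches both cross-cluster and local indices` records that, and putting it on its own line keeps the template-literal line within the usual width.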
@@ -673,7 +676,7 @@ export const mockAlerts: ProcessEvent[] = [ reason: 'process event created low alert cmd test alert.', original_time: '2021-11-23T15:25:04.218Z', original_event: { - action: 'exec', + action: EventAction.exec, }, uuid: '6bb22512e0e588d1a2449b61f164b216e366fba2de39e65d002ae734d71a6c38', }, @@ -859,7 +862,7 @@ export const mockAlerts: ProcessEvent[] = [ reason: 'process event created low alert cmd test alert.', original_time: '2021-11-23T15:25:05.202Z', original_event: { - action: 'exit', + action: EventAction.end, }, uuid: '2873463965b70d37ab9b2b3a90ac5a03b88e76e94ad33568285cadcefc38ed75', }, @@ -1048,7 +1051,7 @@ export const mockFileAlert = { reason: 'process event created low alert File telemetry.', original_time: '2021-11-23T15:25:05.202Z', original_event: { - action: 'exit', + action: EventAction.end, }, uuid: '2873463965b70d37ab9b2b3a90ac5a03b88e76e94ad33568285cadcefc38ed75', }, @@ -1241,7 +1244,7 @@ export const mockNetworkAlert = { reason: 'process event created low alert File telemetry.', original_time: '2021-11-23T15:25:05.202Z', original_event: { - action: 'exit', + action: EventAction.end, }, uuid: '2873463965b70d37ab9b2b3a90ac5a03b88e76e94ad33568285cadcefc38ed75', }, @@ -1737,7 +1740,6 @@ export const childProcessMock: Process = { }, } as ProcessEvent), isUserEntered: () => false, - getMaxAlertLevel: () => null, getEndTime: () => '', isDescendantOf: () => false, }; @@ -1796,6 +1798,7 @@ export const processMock: Process = { id: '1000', name: 'vagrant', }, + previous: [{ args: ['bash'], args_count: 1, executable: '/usr/bin/bash' }], process: { args: ['bash'], args_count: 1, @@ -1840,7 +1843,7 @@ export const processMock: Process = { minor: 1, }, }, - } as ProcessFields, + }, session_leader: { pid: 2442, user: { @@ -1866,7 +1869,7 @@ export const processMock: Process = { minor: 1, }, }, - } as ProcessFields, + }, entry_leader: { pid: 2442, user: { 
@@ -1892,7 +1895,7 @@ export const processMock: Process = { minor: 1, }, }, - } as ProcessFields, + }, group_leader: { pid: 2442, user: { @@ -1918,11 +1921,10 @@ export const processMock: Process = { minor: 1, }, }, - } as ProcessFields, + }, }, } as ProcessEvent), isUserEntered: () => false, - getMaxAlertLevel: () => null, getEndTime: () => '', isDescendantOf: () => false, }; @@ -1970,7 +1972,6 @@ export const mockProcessMap = mockEvents.reduce( getOutput: () => '', getDetails: () => event, isUserEntered: () => false, - getMaxAlertLevel: () => null, isVerbose: () => true, getEndTime: () => '', isDescendantOf: () => false, diff --git a/x-pack/plugins/session_view/common/mocks/responses/session_view_process_events_merged.mock.ts b/x-pack/plugins/session_view/common/mocks/responses/session_view_process_events_merged.mock.ts new file mode 100644 index 000000000000..b92c144d33e3 --- /dev/null +++ b/x-pack/plugins/session_view/common/mocks/responses/session_view_process_events_merged.mock.ts 
@@ -0,0 +1,424 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ProcessEventResults } from '../../types/process_tree'; + +export const sessionViewProcessEventsMergedMock: ProcessEventResults = { + events: [ + { + _index: 'cmd', + _id: 'H8UGTX0BGGlsPv9fp8F_', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:21.392Z', + event: { + kind: 'event', + category: 'process', + action: ['fork', 'exec', 'end'], + }, + host: { + architecture: 'x86_64', + hostname: 'james-fleet-714-2', + id: '48c1b3f1ac5da4e0057fc9f60f4d1d5d', + ip: ['127.0.0.1', '::1', '10.132.0.50', 'fe80::7d39:3147:4d9a:f809'], + mac: ['42:01:0a:84:00:32'], + name: 'james-fleet-714-2', + os: { + Ext: { + variant: 'CentOS', + }, + family: 'centos', + full: 'CentOS 7.9.2009', + kernel: '3.10.0-1160.31.1.el7.x86_64 #1 SMP Thu Jun 10 13:32:12 UTC 2021', + name: 'Linux', + platform: 'centos', + version: '7.9.2009', + }, + }, + user: { + id: '2', + name: 'kg', + real: { + id: '2', + name: 'kg', + }, + saved: { + id: '2', + name: 'kg', + }, + }, + group: { + id: '1', + name: 'groupA', + real: { + id: '1', + name: 'groupA', + }, + saved: { + id: '1', + name: 'groupA', + }, + supplemental: [ + { + id: '2', + name: 'groupB', + }, + { + id: '3', + name: 'groupC', + }, + ], + }, + process: { + entity_id: '4321', + args: ['/bin/bash'], + args_count: 1, + command_line: 'bash', + executable: '/bin/bash', + name: 'bash', + interactive: true, + working_directory: '/home/kg', + pid: 3, + start: '2021-10-14T08:05:34.853Z', + end: '2021-10-14T10:05:34.853Z', + exit_code: 137, + previous: [{ args: ['/bin/sshd'], args_count: 1, executable: '/bin/sshd' }], + parent: { + entity_id: '4322', + args: ['/bin/sshd'], + args_count: 1, + command_line: 'sshd', + executable: '/bin/sshd', + name: 'sshd', + 
interactive: true, + working_directory: '/', + pid: 2, + start: '2021-10-14T08:05:34.853Z', + user: { + id: '0', + name: 'root', + real: { + id: '0', + name: 'root', + }, + saved: { + id: '0', + name: 'root', + }, + }, + group: { + id: '1', + name: 'groupA', + real: { + id: '1', + name: 'groupA', + }, + saved: { + id: '1', + name: 'groupA', + }, + supplemental: [ + { + id: '2', + name: 'groupB', + }, + { + id: '3', + name: 'groupC', + }, + ], + }, + group_leader: { + entity_id: '0fe5f6a0-6f04-49a5-8faf-768445b38d16', + pid: 1234, // this directly replaces parent.pgid + start: '2021-10-14T08:05:34.853Z', + }, + file_descriptions: [ + { + descriptor: 0, + type: 'char_device', + char_device: { + major: 8, + minor: 1, + }, + }, + ], + tty: { + descriptor: 0, + type: 'char_device', + char_device: { + major: 8, + minor: 1, + }, + }, + }, + group_leader: { + entity_id: '4321', + args: ['bash'], + args_count: 1, + command_line: 'bash', + executable: '/bin/bash', + name: 'bash', + interactive: true, + working_directory: '/home/kg', + pid: 3, + start: '2021-10-14T08:05:34.853Z', + user: { + id: '0', + name: 'root', + real: { + id: '0', + name: 'root', + }, + saved: { + id: '0', + name: 'root', + }, + }, + group: { + id: '1', + name: 'groupA', + real: { + id: '1', + name: 'groupA', + }, + saved: { + id: '1', + name: 'groupA', + }, + supplemental: [ + { + id: '2', + name: 'groupB', + }, + { + id: '3', + name: 'groupC', + }, + ], + }, + file_descriptions: [ + { + descriptor: 0, + type: 'char_device', + char_device: { + major: 8, + minor: 1, + }, + }, + ], + tty: { + descriptor: 0, + type: 'char_device', + char_device: { + major: 8, + minor: 1, + }, + }, + }, + session_leader: { + entity_id: '4321', + args: ['bash'], + args_count: 1, + command_line: 'bash', + executable: '/bin/bash', + name: 'bash', + interactive: true, + working_directory: '/home/kg', + pid: 3, + start: '2021-10-14T08:05:34.853Z', + user: { + id: '0', + name: 'root', + real: { + id: '0', + name: 'root', + }, + 
saved: { + id: '0', + name: 'root', + }, + }, + group: { + id: '1', + name: 'groupA', + real: { + id: '1', + name: 'groupA', + }, + saved: { + id: '1', + name: 'groupA', + }, + supplemental: [ + { + id: '2', + name: 'groupB', + }, + { + id: '3', + name: 'groupC', + }, + ], + }, + // parent: { + // entity_id: '0fe5f6a0-6f04-49a5-8faf-768445b38d16', + // pid: 2, + // start: '2021-10-14T08:05:34.853Z', + // session_leader: { + // // used as a foreign key to the parent session of the session_leader + // entity_id: '0fe5f6a0-6f04-49a5-8faf-768445b38d16', + // pid: 4321, + // start: '2021-10-14T08:05:34.853Z', + // }, + // }, + file_descriptions: [ + { + descriptor: 0, + type: 'char_device', + char_device: { + major: 8, + minor: 1, + }, + }, + ], + tty: { + descriptor: 0, + type: 'char_device', + char_device: { + major: 8, + minor: 1, + }, + }, + }, + entry_leader: { + entity_id: '4321', + args: ['bash'], + args_count: 1, + command_line: 'bash', + executable: '/bin/bash', + name: 'bash', + interactive: true, + working_directory: '/home/kg', + pid: 3, + start: '2021-10-14T08:05:34.853Z', + user: { + id: '0', + name: 'root', + real: { + id: '0', + name: 'root', + }, + saved: { + id: '0', + name: 'root', + }, + }, + group: { + id: '1', + name: 'groupA', + real: { + id: '1', + name: 'groupA', + }, + saved: { + id: '1', + name: 'groupA', + }, + supplemental: [ + { + id: '2', + name: 'groupB', + }, + { + id: '3', + name: 'groupC', + }, + ], + }, + // parent: { + // entity_id: '0fe5f6a0-6f04-49a5-8faf-768445b38d16', + // pid: 2, + // start: '2021-10-14T08:05:34.853Z', + // session_leader: { + // // used as a foreign key to the parent session of the entry_leader + // entity_id: '0fe5f6a0-6f04-49a5-8faf-768445b38d16', + // pid: 4321, + // start: '2021-10-14T08:05:34.853Z', + // }, + // }, + entry_meta: { + type: 'sshd', + source: { + ip: '10.132.0.50', + geo: { + city_name: 'Vancouver', + continent_code: 'NA', + continent_name: 'North America', + country_iso_code: 'CA', + 
country_name: 'Canada', + location: { + lon: -73.61483, + lat: 45.505918, + }, + postal_code: 'V9J1E3', + region_iso_code: 'BC', + region_name: 'British Columbia', + timezone: 'America/Los_Angeles', + }, + }, + }, + file_descriptions: [ + { + descriptor: 0, + type: 'char_device', + char_device: { + major: 8, + minor: 1, + }, + }, + ], + tty: { + descriptor: 0, + type: 'char_device', + char_device: { + major: 8, + minor: 1, + }, + }, + }, + file_descriptions: [ + { + descriptor: 0, + type: 'char_device', + char_device: { + major: 8, + minor: 1, + }, + }, + { + descriptor: 1, + type: 'pipe', + pipe: { + inode: '6183207', + }, + }, + ], + tty: { + descriptor: 0, + type: 'char_device', + char_device: { + major: 8, + minor: 1, + }, + }, + }, + }, + sort: [1637674821392], + }, + ], +}; diff --git a/x-pack/plugins/session_view/common/types/process_tree/index.ts b/x-pack/plugins/session_view/common/types/process_tree/index.ts index dadc656cc49a..4d8808d53999 100644 --- a/x-pack/plugins/session_view/common/types/process_tree/index.ts +++ b/x-pack/plugins/session_view/common/types/process_tree/index.ts @@ -123,6 +123,7 @@ export interface ProcessSelf extends ProcessFields { entry_leader?: ProcessFields; group_leader?: ProcessFields; io?: IOFields; + previous?: [{ args?: string[]; args_count?: number; executable?: string }]; } export interface ProcessEventHost { @@ -145,16 +146,21 @@ export interface ProcessEventHost { }; } +export interface ProcessEventAlertRuleParameters { + query?: string; +} + export interface ProcessEventAlertRule { category?: string; consumer?: string; description?: string; enabled?: boolean; name?: string; - query?: string; risk_score?: number; severity?: string; uuid?: string; + parameters?: ProcessEventAlertRuleParameters; + query?: string; } export interface ProcessEventAlert { 
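Review bot: The new fixture carries two commented-out `parent` blocks (under `session_leader` and `entry_leader`) with a `// used as a foreign key …` note inside them; commented-out data in a mock drifts from the real schema and leaves it unclear whether tests are meant to exercise it. Either drop the blocks or replace each with a one-line note saying why `parent` is intentionally absent from the leader objects here. The `// this directly replaces parent.pgid` remark on `group_leader.pid` is the kind of comment worth keeping.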
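Review bot: `previous?: [{ args?: string[]; args_count?: number; executable?: string }];` declares a one-element tuple, not an array — a value with zero or two-plus entries fails to type-check against it, even though the helpers in this commit iterate over it as a list of prior executables. The intended type is an array: `previous?: Array<{ args?: string[]; args_count?: number; executable?: string }>;`. ProcessSelf's opening line is outside the hunk.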
@@ -164,7 +170,7 @@ export interface ProcessEventAlert { status?: string; original_time?: string; original_event?: { - action?: string; + action?: EventAction | EventAction[]; }; rule?: ProcessEventAlertRule; } @@ -186,7 +192,7 @@ export interface ProcessEvent { event?: { kind?: EventKind; category?: string[]; - action?: EventAction; + action?: EventAction | EventAction[]; id?: string; }; file?: { @@ -236,7 +242,6 @@ export interface Process { getOutput(): string; getDetails(): ProcessEvent; isUserEntered(): boolean; - getMaxAlertLevel(): number | null; getChildren(verboseMode: boolean): Process[]; isVerbose(): boolean; getEndTime(): string; diff --git a/x-pack/plugins/session_view/public/components/detail_panel_process_tab/helpers.test.ts b/x-pack/plugins/session_view/public/components/detail_panel_process_tab/helpers.test.ts index a50c6e73e198..b7959a7c9df8 100644 --- a/x-pack/plugins/session_view/public/components/detail_panel_process_tab/helpers.test.ts +++ b/x-pack/plugins/session_view/public/components/detail_panel_process_tab/helpers.test.ts @@ -5,7 +5,7 @@ * 2.0. */ import { DASH } from '../../constants'; -import { getProcessExecutableCopyText, formatProcessArgs, getIsInterativeString } from './helpers'; +import { getProcessExecutableCopyText, formatProcessArgs } from './helpers'; describe('detail panel process tab helpers tests', () => { it('getProcessExecutableCopyText works with empty array', () => { @@ -48,17 +48,4 @@ describe('detail panel process tab helpers tests', () => { result = formatProcessArgs(['ls', '--color=auto']); expect(result).toEqual("['ls', '--color=auto']"); }); - - it('getIsInterativeString works', () => { - let result = getIsInterativeString(undefined); - expect(result).toBe('False'); - - result = getIsInterativeString({ - char_device: { - major: 8, - minor: 1, - }, - }); - expect(result).toBe('True'); - }); }); 
diff --git a/x-pack/plugins/session_view/public/components/detail_panel_process_tab/helpers.ts b/x-pack/plugins/session_view/public/components/detail_panel_process_tab/helpers.ts index 6acb5aba9dc0..56d702a8d141 100644 --- a/x-pack/plugins/session_view/public/components/detail_panel_process_tab/helpers.ts +++ b/x-pack/plugins/session_view/public/components/detail_panel_process_tab/helpers.ts @@ -5,20 +5,20 @@ * 2.0. */ -import { EventAction, Process, ProcessFields, Teletype } from '../../../common/types/process_tree'; +import { EventAction, Process, ProcessFields } from '../../../common/types/process_tree'; import { DetailPanelProcess, DetailPanelProcessLeader } from '../../types'; import { DASH } from '../../constants'; import { dataOrDash } from '../../utils/data_or_dash'; -const FILTER_FORKS_EXECS = [EventAction.fork, EventAction.exec]; - const DEFAULT_PROCESS_DATA: DetailPanelProcessLeader = { id: DASH, name: DASH, start: DASH, end: DASH, exitCode: DASH, + userId: DASH, userName: DASH, + groupId: DASH, groupName: DASH, workingDirectory: DASH, interactive: DASH, @@ -60,15 +60,6 @@ export const getProcessExecutableCopyText = (executable: string[][]): string => export const formatProcessArgs = (args: string[] | undefined): string => args && args.length && args.map ? `[${args.map((arg) => `'${arg}'`).join(', ')}]` : DASH; -/** - * Get isInteractive boolean string from tty. - * - * @param {Teletype | undefined} tty - * @return {String} returns 'True' if tty exists, 'False' otherwise. - */ -export const getIsInterativeString = (tty: Teletype | undefined): string => - !!tty ? 'True' : 'False'; - const getDetailPanelProcessLeader = ( leader: ProcessFields | undefined ): DetailPanelProcessLeader => ({ 
@@ -78,8 +69,10 @@ const getDetailPanelProcessLeader = ( start: leader?.start ?? DEFAULT_PROCESS_DATA.start, end: leader?.end ?? DEFAULT_PROCESS_DATA.end, exitCode: leader?.exit_code?.toString() ?? DEFAULT_PROCESS_DATA.exitCode, - interactive: getIsInterativeString(leader?.tty), + interactive: leader?.interactive ? 'True' : 'False', + userId: leader?.user?.id ?? DEFAULT_PROCESS_DATA.userId, userName: leader?.user?.name ?? DEFAULT_PROCESS_DATA.userName, + groupId: leader?.group?.id ?? DEFAULT_PROCESS_DATA.groupId, groupName: leader?.group?.name ?? DEFAULT_PROCESS_DATA.groupName, workingDirectory: leader?.working_directory ?? DEFAULT_PROCESS_DATA.workingDirectory, args: formatProcessArgs(leader?.args) ?? DEFAULT_PROCESS_DATA.args, @@ -97,6 +90,7 @@ export const getDetailPanelProcess = (process: Process | null): DetailPanelProce end: DEFAULT_PROCESS_DATA.end, exitCode: DEFAULT_PROCESS_DATA.exitCode, interactive: DEFAULT_PROCESS_DATA.interactive, + userId: DEFAULT_PROCESS_DATA.userId, userName: DEFAULT_PROCESS_DATA.userName, groupName: DEFAULT_PROCESS_DATA.groupName, args: DEFAULT_PROCESS_DATA.args, @@ -118,8 +112,10 @@ export const getDetailPanelProcess = (process: Process | null): DetailPanelProce processData.start = `${dataOrDash(details.process?.start)}`; processData.end = `${dataOrDash(process.getEndTime())}`; processData.exitCode = `${dataOrDash(details.process?.exit_code)}`; - processData.interactive = getIsInterativeString(details.process?.tty); + processData.interactive = details.process?.interactive ? 'True' : 'False'; + processData.userId = `${dataOrDash(details.process?.user?.id)}`; processData.userName = `${dataOrDash(details.process?.user?.name)}`; + processData.groupId = `${dataOrDash(details.process?.group?.id)}`; processData.groupName = `${dataOrDash(details.process?.group?.name)}`; processData.pid = `${dataOrDash(details.process?.pid)}`; processData.workingDirectory = `${dataOrDash(details.process?.working_directory)}`; 
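Review bot: The null-process default in the `@@ -97` hunk adds `userId: DEFAULT_PROCESS_DATA.userId,` but no matching `groupId`, while the `@@ -118` hunk assigns `processData.groupId` and `DEFAULT_PROCESS_DATA` itself now defines `groupId`. If `DetailPanelProcess.groupId` is required this object literal will not compile; if it is optional the default silently lacks the field. Adding `groupId: DEFAULT_PROCESS_DATA.groupId,` next to `userId` keeps the three places consistent. getDetailPanelProcess starts outside the hunk.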
@@ -130,27 +126,17 @@ export const getDetailPanelProcess = (process: Process | null): DetailPanelProce // we grab the executable from each process lifecycle event to give an indication // of the processes journey. Processes can sometimes exec multiple times, so it's good // information to have. - processData.executable = []; - process.events.forEach((event) => { - if ( - event.process?.executable && - event.event?.action && - FILTER_FORKS_EXECS.includes(event.event.action) - ) { - processData.executable.push([event.process.executable, `(${event.event.action})`]); - } - }); - if (!processData.executable.length) { - // if there were no forks, execs (due to bad data), check if we at least have an executable for some event - const executable = process.getDetails().process?.executable; - - if (executable) { - processData.executable.push([executable]); - } else { - processData.executable = DEFAULT_PROCESS_DATA.executable; - } + const executables = details.process?.previous?.map((exe) => exe?.executable || '') || []; + if (details.process?.executable) { + executables.push(details.process.executable); } + processData.executable = executables.map((exe, i) => { + const action = i === 0 ? EventAction.fork : EventAction.exec; + + return [exe, `(${action})`]; + }); + processData.entryLeader = getDetailPanelProcessLeader(details?.process?.entry_leader); processData.sessionLeader = getDetailPanelProcessLeader(details?.process?.session_leader); processData.groupLeader = getDetailPanelProcessLeader(details?.process?.group_leader); diff --git a/x-pack/plugins/session_view/public/components/detail_panel_process_tab/index.test.tsx b/x-pack/plugins/session_view/public/components/detail_panel_process_tab/index.test.tsx index 488d83ca9880..5b914e6d984d 100644 --- a/x-pack/plugins/session_view/public/components/detail_panel_process_tab/index.test.tsx +++ b/x-pack/plugins/session_view/public/components/detail_panel_process_tab/index.test.tsx 
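Review bot: The kept comment above the new code (`we grab the executable from each process lifecycle event…`) no longer describes what happens — the executables now come from `process.previous` plus the current `executable`, not from the event list — so it should say something like `// executable history is process.previous followed by the current executable; entries are assumed oldest-first`. The labels are then inferred by position: index 0 is always tagged `(fork)` and every later entry `(exec)`, which is an assumption about how `previous` is ordered rather than something the data states, and a `previous` entry without `executable` becomes a row of `['', '(exec)']` because of the `|| ''` default. Filtering those out with `.filter((exe) => exe)` before mapping avoids blank rows, and note the old DASH fallback for a process with no executable at all is gone — `processData.executable` is now `[]` in that case. getDetailPanelProcess starts outside the hunk.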
@@ -42,10 +42,7 @@ describe('DetailPanelProcessTab component', () => { 5 ); expect(renderResult.queryByText(`['bash']`)).toBeVisible(); - expect(renderResult.queryAllByText('/usr/bin/bash')).toHaveLength(5); - expect(renderResult.queryByText('/usr/bin/vi')).toBeVisible(); expect(renderResult.queryByText('(fork)')).toBeVisible(); - expect(renderResult.queryByText('(exec)')).toBeVisible(); expect(renderResult.queryByText(processDetail!.process!.pid!)).toBeVisible(); // Process tab accordions rendered correctly diff --git a/x-pack/plugins/session_view/public/components/detail_panel_process_tab/index.tsx b/x-pack/plugins/session_view/public/components/detail_panel_process_tab/index.tsx index f62c6188203a..ded1f20aef49 100644 --- a/x-pack/plugins/session_view/public/components/detail_panel_process_tab/index.tsx +++ b/x-pack/plugins/session_view/public/components/detail_panel_process_tab/index.tsx @@ -111,7 +111,9 @@ export const DetailPanelProcessTab = ({ selectedProcess }: DetailPanelProcessTab args, executable, pid, + userId, userName, + groupId, groupName, entryMetaSourceIp, } = leader; @@ -227,6 +229,17 @@ export const DetailPanelProcessTab = ({ selectedProcess }: DetailPanelProcessTab ), }, + { + title: user.id, + description: ( + + {userId} + + ), + }, { title: user.name, description: ( @@ -238,6 +251,17 @@ export const DetailPanelProcessTab = ({ selectedProcess }: DetailPanelProcessTab ), }, + { + title: group.id, + description: ( + + {groupId} + + ), + }, { title: group.name, description: ( @@ -296,7 +320,9 @@ export const DetailPanelProcessTab = ({ selectedProcess }: DetailPanelProcessTab pid, workingDirectory, interactive, + userId, userName, + groupId, groupName, args, } = processDetail; @@ -416,6 +442,28 @@ export const DetailPanelProcessTab = ({ selectedProcess }: DetailPanelProcessTab ), }, + { + title: user.id, + description: ( + + {userId} + + ), + }, + { + title: user.id, + description: ( + + {userId} + + ), + }, { title: user.name, description: ( 
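Review bot: The `@@ -416` hunk inserts the `user.id` list item twice — two identical `{ title: user.id, description: ( … {userId} … ) }` entries back to back — so the process detail panel will render the user id row twice, whereas the leader panel in the `@@ -227` hunk has it once. Drop the second copy. The index.test.tsx change in this commit only removes assertions and adds none for the new rows, so the duplication is not caught there.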
@@ -427,6 +475,17 @@ export const DetailPanelProcessTab = ({ selectedProcess }: DetailPanelProcessTab ), }, + { + title: group.id, + description: ( + + {groupId} + + ), + }, { title: group.name, description: ( diff --git a/x-pack/plugins/session_view/public/components/process_tree/hooks.ts b/x-pack/plugins/session_view/public/components/process_tree/hooks.ts index 5369e6a3f282..f5a83ba4b370 100644 --- a/x-pack/plugins/session_view/public/components/process_tree/hooks.ts +++ b/x-pack/plugins/session_view/public/components/process_tree/hooks.ts @@ -214,13 +214,10 @@ export class ProcessImpl implements Process { return !!(sessionIsInteractive && parentIsASessionLeader && processIsAGroupLeader); } - getMaxAlertLevel() { - // TODO: as part of alerts details work + tie in with the new alert flyout - return null; - } - findEventByAction = memoizeOne((events: ProcessEvent[], action: EventAction) => { - return events.find(({ event }) => event?.action === action); + return events.find(({ event }) => { + return event?.action?.includes(action); + }); }); findEventByKind = memoizeOne((events: ProcessEvent[], kind: EventKind) => { @@ -228,7 +225,9 @@ export class ProcessImpl implements Process { }); filterEventsByAction = memoizeOne((events: ProcessEvent[], action: EventAction) => { - return events.filter(({ event }) => event?.action === action); + return events.filter(({ event }) => { + return event?.action?.includes(action); + }); }); filterEventsByKind = memoizeOne((events: ProcessEvent[], kind: EventKind) => { 
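Review bot: `event?.action?.includes(action)` in `findEventByAction` and `filterEventsByAction` is a substring test whenever `event.action` is a plain string, so `EventAction.end` would also match an action such as `'suspend'` and `EventAction.exec` anything containing `exec`; only when `event.action` is an array (which the new "merged" events mock suggests is now possible) does `includes` mean element membership. Because the session-view tree is a security visualization, a loose match can silently misclassify lifecycle events. I would make the intent explicit: `const actions = Array.isArray(event?.action) ? event.action : [event?.action];` followed by `return actions.includes(action);` — I can't see the `ProcessEvent` type to confirm `action` is `string | string[]`, so verify that first. The `ProcessImpl` class starts and ends outside the hunk.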
@@ -239,14 +238,14 @@ export class ProcessImpl implements Process { // to be used as a source for the most up to date details // on the processes lifecycle. getDetailsMemo = memoizeOne((events: ProcessEvent[]) => { - // TODO: add these to generator - const actionsToFind: Array = [ - EventAction.fork, - EventAction.exec, - EventAction.end, - ]; const filtered = events.filter((processEvent) => { - return actionsToFind.includes(processEvent.event?.action); + const action = processEvent?.event?.action; + + return ( + action?.includes(EventAction.fork) || + action?.includes(EventAction.exec) || + action?.includes(EventAction.end) + ); }); // there are some anomalous processes which are omitting event.action diff --git a/x-pack/plugins/session_view/public/components/process_tree_alert/index.tsx b/x-pack/plugins/session_view/public/components/process_tree_alert/index.tsx index a73265ddf37e..ad9ec5748867 100644 --- a/x-pack/plugins/session_view/public/components/process_tree_alert/index.tsx +++ b/x-pack/plugins/session_view/public/components/process_tree_alert/index.tsx @@ -4,7 +4,6 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ - import React, { useEffect, useCallback, useMemo } from 'react'; import { EuiFlexGroup, @@ -47,7 +46,6 @@ export const ProcessTreeAlert = ({ const styles = useStyles({ isInvestigated, isSelected }); const { event } = alert; - const { uuid, rule, workflow_status: status } = alert.kibana?.alert || {}; const category = event?.category?.[0]; const alertIconType = useMemo(() => { diff --git a/x-pack/plugins/session_view/public/components/process_tree_node/index.tsx b/x-pack/plugins/session_view/public/components/process_tree_node/index.tsx index 8994f01790bf..fa5c16bee19b 100644 --- a/x-pack/plugins/session_view/public/components/process_tree_node/index.tsx +++ b/x-pack/plugins/session_view/public/components/process_tree_node/index.tsx 
@@ -246,6 +246,8 @@ export function ProcessTreeNode({ const timeStampsNormal = formatDate(start, dateFormat); + const promptText = `${workingDirectory ?? ''} ${args?.join(' ')}`; + return (
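Review bot: `args?.join(' ')` in the new `promptText` template yields the literal text `undefined` when `args` is absent, so the prompt would read like `/home/user undefined`; `${args?.join(' ') ?? ''}` keeps it blank instead. A one-line comment on where the string is consumed would also help, since its use site is not in this hunk — something like `// prompt text shown for the node (cwd + argv)` if that is indeed its role; confirm before writing it. `ProcessTreeNode` starts and ends outside the hunk.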
- {dataOrDash(user?.name)} + {user?.name || 'ID: ' + user?.id} ) : ( <> @@ -287,7 +289,7 @@ export function ProcessTreeNode({ diff --git a/x-pack/plugins/session_view/public/components/session_view/hooks.ts b/x-pack/plugins/session_view/public/components/session_view/hooks.ts index 7d33b5bfbe95..2180228673fc 100644 --- a/x-pack/plugins/session_view/public/components/session_view/hooks.ts +++ b/x-pack/plugins/session_view/public/components/session_view/hooks.ts @@ -66,7 +66,12 @@ export const useFetchSessionViewProcessEvents = ( if (isRefetch || lastPage.events.length >= PROCESS_EVENTS_PER_PAGE) { const filtered = lastPage.events.filter((event) => { const action = event.event?.action; - return action && [EventAction.fork, EventAction.exec, EventAction.end].includes(action); + return ( + action && + (action.includes(EventAction.fork) || + action.includes(EventAction.exec) || + action.includes(EventAction.end)) + ); }); const cursor = filtered?.[filtered.length - 1]?.['@timestamp']; @@ -82,7 +87,12 @@ export const useFetchSessionViewProcessEvents = ( getPreviousPageParam: (firstPage, pages) => { const filtered = firstPage.events.filter((event) => { const action = event.event?.action; - return action && [EventAction.fork, EventAction.exec, EventAction.end].includes(action); + return ( + action && + (action.includes(EventAction.fork) || + action.includes(EventAction.exec) || + action.includes(EventAction.end)) + ); }); const atBeginning = pages.length > 1 && filtered.length < PROCESS_EVENTS_PER_PAGE; diff --git a/x-pack/plugins/session_view/public/components/session_view/index.test.tsx b/x-pack/plugins/session_view/public/components/session_view/index.test.tsx index 80754d6ab8ba..542d546b3870 100644 --- a/x-pack/plugins/session_view/public/components/session_view/index.test.tsx +++ b/x-pack/plugins/session_view/public/components/session_view/index.test.tsx 
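Review bot: The three-way `action.includes(EventAction.fork) || action.includes(EventAction.exec) || action.includes(EventAction.end)` predicate is now written out twice in `useFetchSessionViewProcessEvents` (`getNextPageParam` and `getPreviousPageParam`) and a third time in `process_tree/hooks.ts`, so the string-vs-array semantics of `includes` are decided in three places; with a string `action` this is a substring match, so `'suspend'` would count as `end`. Extracting one helper next to `EventAction` makes the membership test explicit and keeps the paging cursor and the tree in agreement. I can't see whether `event.action` is typed `string | string[]`, so the parameter type below is a guess to confirm; the hook itself starts and ends outside the hunk.
```typescript
// Lifecycle events are the only ones that advance the paging cursor; treat
// event.action as a set so a merged (array) action and a plain string agree.
const LIFECYCLE_ACTIONS: readonly string[] = [EventAction.fork, EventAction.exec, EventAction.end];
export const isLifecycleAction = (action?: string | string[]): boolean => {
  const actions = Array.isArray(action) ? action : [action];
  return actions.some((a) => a !== undefined && LIFECYCLE_ACTIONS.includes(a));
};

// … unchanged: getNextPageParam body …
const filtered = lastPage.events.filter((event) => isLifecycleAction(event.event?.action));
// … unchanged: cursor computation …
```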
@@ -8,6 +8,7 @@ import { waitFor, waitForElementToBeRemoved } from '@testing-library/react'; import React from 'react'; import { sessionViewProcessEventsMock } from '../../../common/mocks/responses/session_view_process_events.mock'; +import { sessionViewProcessEventsMergedMock } from '../../../common/mocks/responses/session_view_process_events_merged.mock'; import { AppContextTestRender, createAppRootMockRenderer } from '../../test'; import { SessionView } from '.'; import userEvent from '@testing-library/user-event'; @@ -129,7 +130,7 @@ describe('SessionView component', () => { }); }); - it('should show items on the list, and auto selects session leader', async () => { + it('should show items on the list', async () => { render(); await waitFor(() => { @@ -172,6 +173,20 @@ describe('SessionView component', () => { }); }); + describe('And data contains merged process events', () => { + beforeEach(async () => { + mockedApi.mockResolvedValue(sessionViewProcessEventsMergedMock); + }); + + it('should show items on the list', async () => { + render(); + + await waitFor(() => { + expect(renderResult.getAllByTestId('sessionView:processTreeNode')).toBeTruthy(); + }); + }); + }); + describe('TTYPlayer button', () => { it('should show tty player button, if session has output', async () => { mockedApi.mockImplementation(async (path: any) => { diff --git a/x-pack/plugins/session_view/public/types.ts b/x-pack/plugins/session_view/public/types.ts index fa5f9d1ebb04..06f2a6d06b56 100644 --- a/x-pack/plugins/session_view/public/types.ts +++ b/x-pack/plugins/session_view/public/types.ts @@ -44,7 +44,9 @@ export interface DetailPanelProcess { start: string; end: string; exitCode: string; + userId: string; userName: string; + groupId: string; groupName: string; args: string; executable: string[][]; 
@@ -63,7 +65,9 @@ export interface DetailPanelProcessLeader { start: string; end: string; exitCode: string; + userId: string; userName: string; + groupId: string; groupName: string; workingDirectory: string; interactive: string; diff --git a/x-pack/plugins/session_view/server/routes/io_events_route.ts b/x-pack/plugins/session_view/server/routes/io_events_route.ts index 790173511ff3..645617b6435c 100644 --- a/x-pack/plugins/session_view/server/routes/io_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/io_events_route.ts 
@@ -88,43 +88,47 @@ export const searchProcessWithIOEvents = async ( ] : []; - const search = await client.search({ - index: [PROCESS_EVENTS_INDEX], - body: { - query: { - bool: { - must: [ - { term: { [EVENT_ACTION]: 'text_output' } }, - { term: { [ENTRY_SESSION_ENTITY_ID_PROPERTY]: sessionEntityId } }, - ...rangeFilter, - ], + try { + const search = await client.search({ + index: [PROCESS_EVENTS_INDEX], + body: { + query: { + bool: { + must: [ + { term: { [EVENT_ACTION]: 'text_output' } }, + { term: { [ENTRY_SESSION_ENTITY_ID_PROPERTY]: sessionEntityId } }, + ...rangeFilter, + ], + }, }, - }, - size: 0, - aggs: { - custom_agg: { - terms: { - field: PROCESS_ENTITY_ID_PROPERTY, - size: PROCESS_EVENTS_PER_PAGE, + size: 0, + aggs: { + custom_agg: { + terms: { + field: PROCESS_ENTITY_ID_PROPERTY, + size: PROCESS_EVENTS_PER_PAGE, + }, }, }, }, - }, - }); + }); - const agg: any = search.aggregations?.custom_agg; - const buckets: Aggregate[] = agg?.buckets || []; + const agg: any = search.aggregations?.custom_agg; + const buckets: Aggregate[] = agg?.buckets || []; - return buckets.map((bucket) => ({ - _source: { - event: { - kind: EventKind.event, - action: EventAction.text_output, - id: bucket.key, - }, - process: { - entity_id: bucket.key, + return buckets.map((bucket) => ({ + _source: { + event: { + kind: EventKind.event, + action: EventAction.text_output, + id: bucket.key, + }, + process: { + entity_id: bucket.key, + }, }, - }, - })); + })); + } catch (err) { + return []; + } }; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_add_edit/fields/request_body_field.test.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_add_edit/fields/request_body_field.test.tsx index 7f3442027da8..90e4d457764c 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_add_edit/fields/request_body_field.test.tsx 
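Review bot: The new `catch (err) { return []; }` around `client.search` turns every failure — a missing `PROCESS_EVENTS_INDEX`, an authorization error on that index, or Elasticsearch being unreachable — into "this session has no TTY output", with nothing logged, so an analyst would not learn that the output indicator is unreliable rather than empty. If the intent is only to tolerate the index not existing yet, narrow the catch to that case and let everything else propagate: `} catch (err: unknown) {`, `if ((err as { statusCode?: number })?.statusCode === 404) return [];`, `throw err;` — the hunk does not show the client's error type, so confirm that a missing index surfaces as a 404 on this client. If swallowing really is required, at least pass a `logger` into `searchProcessWithIOEvents` and record the error at warn level. The function's signature is above the hunk.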
+++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_add_edit/fields/request_body_field.test.tsx @@ -8,6 +8,7 @@ import 'jest-canvas-mock'; import React, { useState, useCallback } from 'react'; +import userEvent from '@testing-library/user-event'; import { fireEvent, waitFor } from '@testing-library/react'; import { render } from '../../../utils/testing/rtl_helpers'; import { RequestBodyField } from './request_body_field'; @@ -29,6 +30,7 @@ jest.mock('@kbn/kibana-react-plugin/public', () => { onChange={(e: any) => { props.onChange(e.jsonContent); }} + readOnly={props.readOnly} /> ), }; @@ -37,7 +39,7 @@ jest.mock('@kbn/kibana-react-plugin/public', () => { describe('', () => { const defaultMode = Mode.PLAINTEXT; const defaultValue = 'sample value'; - const WrappedComponent = () => { + const WrappedComponent = ({ readOnly }: { readOnly?: boolean }) => { const [config, setConfig] = useState({ type: defaultMode, value: defaultValue, @@ -53,6 +55,7 @@ describe('', () => { (code) => setConfig({ type: code.type as Mode, value: code.value }), [setConfig] )} + readOnly={readOnly} /> ); }; 
@@ -85,4 +88,79 @@ describe('', () => { expect(queryByLabelText('Text code editor')).not.toBeInTheDocument(); }); }); + + it('handles updating input', async () => { + const { getByText, getByRole, getAllByRole, getByLabelText } = render(); + + expect(getByLabelText('Text code editor')).toBeInTheDocument(); + const textbox = getByRole('textbox'); + userEvent.type(textbox, 'text'); + expect(textbox).toHaveValue('text'); + + const xmlButton = getByText('XML').closest('button'); + if (xmlButton) { + fireEvent.click(xmlButton); + } + + expect(xmlButton).toHaveAttribute('aria-selected', 'true'); + userEvent.type(textbox, 'xml'); + expect(textbox).toHaveValue('textxml'); + + const jsonButton = getByText('JSON').closest('button'); + if (jsonButton) { + fireEvent.click(jsonButton); + } + + expect(jsonButton).toHaveAttribute('aria-selected', 'true'); + userEvent.type(textbox, 'json'); + expect(textbox).toHaveValue('textxmljson'); + + const formButton = getByText('Form').closest('button'); + if (formButton) { + fireEvent.click(formButton); + } + + expect(formButton).toHaveAttribute('aria-selected', 'true'); + userEvent.click(getByText('Add form field')); + expect(getByText('Key')).toBeInTheDocument(); + expect(getByText('Value')).toBeInTheDocument(); + const keyValueTextBox = getAllByRole('textbox')[0]; + userEvent.type(keyValueTextBox, 'formfield'); + expect(keyValueTextBox).toHaveValue('formfield'); + }); + + it('handles read only', async () => { + const { getByText, getByRole, getByLabelText } = render(); + + expect(getByLabelText('Text code editor')).toBeInTheDocument(); + const textbox = getByRole('textbox'); + userEvent.type(textbox, 'text'); + expect(textbox).toHaveValue(''); + + const xmlButton = getByText('XML').closest('button'); + if (xmlButton) { + fireEvent.click(xmlButton); + } + + expect(xmlButton).toHaveAttribute('aria-selected', 'true'); + userEvent.type(textbox, 'xml'); + expect(textbox).toHaveValue(''); + + const jsonButton = 
getByText('JSON').closest('button'); + if (jsonButton) { + fireEvent.click(jsonButton); + } + + expect(jsonButton).toHaveAttribute('aria-selected', 'true'); + userEvent.type(textbox, 'json'); + expect(textbox).toHaveValue(''); + + const formButton = getByText('Form').closest('button'); + if (formButton) { + fireEvent.click(formButton); + } + + expect(formButton).toHaveAttribute('aria-selected', 'true'); + expect(getByRole('button', { name: 'Add form field' })).toBeDisabled(); + }); }); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_add_edit/fields/request_body_field.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_add_edit/fields/request_body_field.tsx index 6d731f0e34ce..fe117a4703ff 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_add_edit/fields/request_body_field.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_add_edit/fields/request_body_field.tsx @@ -107,7 +107,7 @@ export const RequestBodyField = ({ onBlur?.(); }} value={values[ResponseBodyType.CODE]} - readOnly + readOnly={readOnly} /> ), }, @@ -130,7 +130,7 @@ export const RequestBodyField = ({ onBlur?.(); }} value={values[ResponseBodyType.CODE]} - readOnly + readOnly={readOnly} /> ), }, @@ -153,7 +153,7 @@ export const RequestBodyField = ({ onBlur?.(); }} value={values[ResponseBodyType.CODE]} - readOnly + readOnly={readOnly} /> ), }, @@ -169,10 +169,11 @@ export const RequestBodyField = ({ defaultMessage="Add form field" /> } + data-test-subj={'syntheticsFormField'} defaultPairs={defaultFormPairs} onChange={onChangeFormFields} onBlur={() => onBlur?.()} - readOnly + readOnly={readOnly} /> ), }, diff --git a/x-pack/plugins/task_manager/server/task_pool.ts b/x-pack/plugins/task_manager/server/task_pool.ts index e73af74bc73e..11b79b6d570d 100644 --- a/x-pack/plugins/task_manager/server/task_pool.ts +++ b/x-pack/plugins/task_manager/server/task_pool.ts 
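Review bot: In both new tests the `if (xmlButton) { fireEvent.click(xmlButton); }` guards (and the JSON and Form equivalents) silently skip the click when `closest('button')` returns null, so a missing tab would show up later as a confusing `aria-selected` failure rather than at the point of the problem; assert the element first, `expect(xmlButton).not.toBeNull();`, or locate it with `getByRole('tab', { name: 'XML' })` if the tabs expose that role, and click unconditionally. The read-only test's `toHaveValue('')` checks are driven by the mocked `CodeEditor` defined at the top of the file, so they verify that `readOnly` is forwarded rather than editor behaviour — worth saying in a comment: `// CodeEditor is mocked above; this asserts readOnly is forwarded, not the real editor`. The `describe` block starts outside the hunk.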
@@ -168,7 +168,7 @@ export class TaskPool { // we asssume the underlying task has been deleted while it was running // so we will log this as a debug, rather than a warn const errorLogLine = `Task ${taskRunner.toString()} failed in attempt to run: ${ - err.message + err.message || err.error.message }`; if (isTaskSavedObjectNotFoundError(err, taskRunner.id)) { this.logger.debug(errorLogLine); diff --git a/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json b/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json index 99e466ebbb35..fc3f0ac44d7f 100644 --- a/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json +++ b/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json @@ -4783,6 +4783,64 @@ "daily": { "type": "long" }, + "attachmentFramework": { + "properties": { + "persistableAttachments": { + "type": "array", + "items": { + "properties": { + "average": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + }, + "externalAttachments": { + "type": "array", + "items": { + "properties": { + "average": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + }, + "files": { + "properties": { + "average": { + "type": "long" + }, + "averageSize": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + } + } + } + } + }, "assignees": { "properties": { "total": { 
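Review bot: `err.message || err.error.message` throws a `TypeError` of its own when `err` has an empty `message` and no `error` property (a plain object or string rejection), and that happens inside the failure path, so the original error is lost and the task's failure surfaces as a crash of the error handler. Use optional chaining with a final fallback, `err?.message ?? err?.error?.message ?? String(err)`, and add a short comment naming which error shape carries `error.message` — the hunk does not show where that wrapped form originates, so confirm it before documenting it. The enclosing method starts and ends outside the hunk.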
@@ -4871,6 +4929,64 @@ "type": "long" } } + }, + "attachmentFramework": { + "properties": { + "persistableAttachments": { + "type": "array", + "items": { + "properties": { + "average": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + }, + "externalAttachments": { + "type": "array", + "items": { + "properties": { + "average": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + }, + "files": { + "properties": { + "average": { + "type": "long" + }, + "averageSize": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + } + } + } + } } } }, @@ -4900,6 +5016,64 @@ "type": "long" } } + }, + "attachmentFramework": { + "properties": { + "persistableAttachments": { + "type": "array", + "items": { + "properties": { + "average": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + }, + "externalAttachments": { + "type": "array", + "items": { + "properties": { + "average": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + }, + "files": { + "properties": { + "average": { + "type": "long" + }, + "averageSize": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + } + } + } + } } } }, 
@@ -4929,6 +5103,64 @@ "type": "long" } } + }, + "attachmentFramework": { + "properties": { + "persistableAttachments": { + "type": "array", + "items": { + "properties": { + "average": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + }, + "externalAttachments": { + "type": "array", + "items": { + "properties": { + "average": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + }, + "files": { + "properties": { + "average": { + "type": "long" + }, + "averageSize": { + "type": "long" + }, + "maxOnACase": { + "type": "long" + }, + "total": { + "type": "long" + } + } + } + } } } } diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/rbac_legacy.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/rbac_legacy.ts index 8ce682ac0099..1bc45581cf3f 100644 --- a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/rbac_legacy.ts +++ b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/rbac_legacy.ts @@ -56,8 +56,7 @@ export default function alertTests({ getService }: FtrProviderContext) { ), }; - // FLAKY: https://github.com/elastic/kibana/issues/140867 - describe.skip('alerts', () => { + describe('alerts', () => { const authorizationIndex = '.kibana-test-authorization'; const objectRemover = new ObjectRemover(supertest); 
@@ -103,21 +102,27 @@ export default function alertTests({ getService }: FtrProviderContext) { // these cases were invalid pre 7.10.0 and remain invalid post 7.10.0 break; case 'space_1_all at space1': - case 'superuser at space1': case 'space_1_all_with_restricted_fixture at space1': + case 'superuser at space1': await resetTaskStatus(migratedAlertId); await ensureLegacyAlertHasBeenMigrated(migratedAlertId); await updateMigratedAlertToUseApiKeyOfCurrentUser(migratedAlertId); + await rescheduleTask(migratedAlertId); - await ensureAlertIsRunning(); - + await alertUtils.disable(migratedAlertId); await updateAlertSoThatItIsNoLongerLegacy(migratedAlertId); // update alert as user with privileges - so it is no longer a legacy alert - const updatedKeyResponse = await alertUtils.getUpdateApiKeyRequest(migratedAlertId); - expect(updatedKeyResponse.statusCode).to.eql(204); - + await retry.try(async () => { + const updatedKeyResponse = await alertUtils.getUpdateApiKeyRequest(migratedAlertId); + expect(updatedKeyResponse.statusCode).to.eql(204); + }); + // As we update the task multiple times in this test case, we might be updating the one already picked up by the task manager. + // To avoid 409 conflict error, we disable the rule above before updating and wait for 3 seconds + // after updating it to be sure that one task manager cycle is done. So we are not updating a task that is in progress. + await new Promise((resolve) => setTimeout(resolve, 3000)); + await alertUtils.enable(migratedAlertId); await ensureAlertIsRunning(); break; case 'global_read at space1': @@ -125,6 +130,7 @@ export default function alertTests({ getService }: FtrProviderContext) { await ensureLegacyAlertHasBeenMigrated(migratedAlertId); await updateMigratedAlertToUseApiKeyOfCurrentUser(migratedAlertId); + await rescheduleTask(migratedAlertId); await ensureAlertIsRunning(); 
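Review bot: The fixed `await new Promise((resolve) => setTimeout(resolve, 3000));` between `updateAlertSoThatItIsNoLongerLegacy` and `alertUtils.enable` bakes a timing assumption about the task-manager poll cycle into the test, which is the same kind of race that got this suite marked flaky; a slow CI run can still hit the 409 the comment describes. Polling for the observable condition instead — `retry.try` until `alertUtils.enable(migratedAlertId)` succeeds, or until the rule's task is no longer in progress if the helpers expose that — removes the sleep and states what is being waited on. The comment should then describe that condition rather than the delay, e.g. `// wait for the in-flight task-manager run to finish so enable() does not race the running task`. The `switch` this case belongs to starts and ends outside the hunk.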
@@ -148,9 +154,9 @@ export default function alertTests({ getService }: FtrProviderContext) { await ensureLegacyAlertHasBeenMigrated(migratedAlertId); await updateMigratedAlertToUseApiKeyOfCurrentUser(migratedAlertId); + await rescheduleTask(migratedAlertId); await ensureAlertIsRunning(); - await updateAlertSoThatItIsNoLongerLegacy(migratedAlertId); // attempt to update alert as user with no Actions privileges - as it is no longer a legacy alert @@ -202,7 +208,9 @@ export default function alertTests({ getService }: FtrProviderContext) { expect(swapResponse.body.attributes.meta.versionApiKeyLastmodified).to.eql( 'pre-7.10.0' ); + } + async function rescheduleTask(alertId: string) { // Get scheduled task id const getResponse = await supertestWithoutAuth .get(`${getUrlPrefix(space.id)}/api/alerting/rule/${alertId}`) @@ -267,16 +275,20 @@ export default function alertTests({ getService }: FtrProviderContext) { async function updateAlertSoThatItIsNoLongerLegacy(alertId: string) { // update the alert as super user (to avoid privilege limitations) so that it is no longer a legacy alert - await alertUtils.updateAlwaysFiringAction({ - alertId, - actionId: MIGRATED_ACTION_ID, - user: Superuser, - reference, - overwrites: { - name: 'Updated Alert', - schedule: { interval: '2s' }, - throttle: '2s', - }, + await retry.try(async () => { + const response = await alertUtils.updateAlwaysFiringAction({ + alertId, + actionId: MIGRATED_ACTION_ID, + user: Superuser, + reference, + overwrites: { + name: 'Updated Alert', + schedule: { interval: '2s' }, + throttle: '2s', + }, + }); + + expect(response.statusCode).to.eql(200); }); } }); diff --git a/x-pack/test/detection_engine_api_integration/basic/tests/import_rules.ts b/x-pack/test/detection_engine_api_integration/basic/tests/import_rules.ts index 5b8508ffe480..d57b793cd1bc 100644 --- a/x-pack/test/detection_engine_api_integration/basic/tests/import_rules.ts +++ b/x-pack/test/detection_engine_api_integration/basic/tests/import_rules.ts 
@@ -360,7 +360,6 @@ export default ({ getService }: FtrProviderContext): void => { output_index: '', }; ruleOutput.name = 'some other name'; - ruleOutput.version = 2; ruleOutput.revision = 0; expect(bodyToCompare).to.eql(ruleOutput); }); diff --git a/x-pack/test/detection_engine_api_integration/basic/tests/patch_rules.ts b/x-pack/test/detection_engine_api_integration/basic/tests/patch_rules.ts index 31dd7b0dbc99..1ca83b8ed1fa 100644 --- a/x-pack/test/detection_engine_api_integration/basic/tests/patch_rules.ts +++ b/x-pack/test/detection_engine_api_integration/basic/tests/patch_rules.ts @@ -49,7 +49,6 @@ export default ({ getService }: FtrProviderContext) => { const outputRule = getSimpleRuleOutput(); outputRule.name = 'some other name'; - outputRule.version = 2; outputRule.revision = 1; const bodyToCompare = removeServerGeneratedProperties(body); expect(bodyToCompare).to.eql(outputRule); @@ -86,7 +85,6 @@ export default ({ getService }: FtrProviderContext) => { const outputRule = getSimpleRuleOutputWithoutRuleId(); outputRule.name = 'some other name'; - outputRule.version = 2; outputRule.revision = 1; const bodyToCompare = removeServerGeneratedPropertiesIncludingRuleId(body); expect(bodyToCompare).to.eql(outputRule); @@ -104,13 +102,12 @@ export default ({ getService }: FtrProviderContext) => { const outputRule = getSimpleRuleOutput(); outputRule.name = 'some other name'; - outputRule.version = 2; outputRule.revision = 1; const bodyToCompare = removeServerGeneratedProperties(body); expect(bodyToCompare).to.eql(outputRule); }); - it('should not change the version of a rule when it patches only enabled', async () => { + it('should not change the revision of a rule when it patches only enabled', async () => { await createRule(supertest, log, getSimpleRule('rule-1')); // patch a simple rule's enabled to false 
@@ -127,7 +124,7 @@ export default ({ getService }: FtrProviderContext) => { expect(bodyToCompare).to.eql(outputRule); }); - it('should change the version of a rule when it patches enabled and another property', async () => { + it('should change the revision of a rule when it patches enabled and another property', async () => { await createRule(supertest, log, getSimpleRule('rule-1')); // patch a simple rule's enabled to false and another property @@ -140,7 +137,6 @@ export default ({ getService }: FtrProviderContext) => { const outputRule = getSimpleRuleOutput(); outputRule.enabled = false; outputRule.severity = 'low'; - outputRule.version = 2; outputRule.revision = 1; const bodyToCompare = removeServerGeneratedProperties(body); @@ -168,7 +164,6 @@ export default ({ getService }: FtrProviderContext) => { outputRule.name = 'some other name'; outputRule.timeline_title = 'some title'; outputRule.timeline_id = 'some id'; - outputRule.version = 3; outputRule.revision = 2; const bodyToCompare = removeServerGeneratedProperties(body); diff --git a/x-pack/test/detection_engine_api_integration/basic/tests/patch_rules_bulk.ts b/x-pack/test/detection_engine_api_integration/basic/tests/patch_rules_bulk.ts index 21715fb7901b..f0c135a9cd77 100644 --- a/x-pack/test/detection_engine_api_integration/basic/tests/patch_rules_bulk.ts +++ b/x-pack/test/detection_engine_api_integration/basic/tests/patch_rules_bulk.ts @@ -49,7 +49,6 @@ export default ({ getService }: FtrProviderContext) => { const outputRule = getSimpleRuleOutput(); outputRule.name = 'some other name'; - outputRule.version = 2; outputRule.revision = 1; const bodyToCompare = removeServerGeneratedProperties(body[0]); expect(bodyToCompare).to.eql(outputRule); 
@@ -71,12 +70,10 @@ export default ({ getService }: FtrProviderContext) => { const outputRule1 = getSimpleRuleOutput(); outputRule1.name = 'some other name'; - outputRule1.version = 2; outputRule1.revision = 1; const outputRule2 = getSimpleRuleOutput('rule-2'); outputRule2.name = 'some other name'; - outputRule2.version = 2; outputRule2.revision = 1; const bodyToCompare1 = removeServerGeneratedProperties(body[0]); @@ -97,7 +94,6 @@ export default ({ getService }: FtrProviderContext) => { const outputRule = getSimpleRuleOutput(); outputRule.name = 'some other name'; - outputRule.version = 2; outputRule.revision = 1; const bodyToCompare = removeServerGeneratedProperties(body[0]); expect(bodyToCompare).to.eql(outputRule); @@ -119,12 +115,10 @@ export default ({ getService }: FtrProviderContext) => { const outputRule1 = getSimpleRuleOutputWithoutRuleId('rule-1'); outputRule1.name = 'some other name'; - outputRule1.version = 2; outputRule1.revision = 1; const outputRule2 = getSimpleRuleOutputWithoutRuleId('rule-2'); outputRule2.name = 'some other name'; - outputRule2.version = 2; outputRule2.revision = 1; const bodyToCompare1 = removeServerGeneratedPropertiesIncludingRuleId(body[0]); @@ -145,13 +139,12 @@ export default ({ getService }: FtrProviderContext) => { const outputRule = getSimpleRuleOutput(); outputRule.name = 'some other name'; - outputRule.version = 2; outputRule.revision = 1; const bodyToCompare = removeServerGeneratedProperties(body[0]); expect(bodyToCompare).to.eql(outputRule); }); - it('should not change the version of a rule when it patches only enabled', async () => { + it('should not change the revision of a rule when it patches only enabled', async () => { await createRule(supertest, log, getSimpleRule('rule-1')); // patch a simple rule's enabled to false 
@@ -168,7 +161,7 @@ export default ({ getService }: FtrProviderContext) => { expect(bodyToCompare).to.eql(outputRule); }); - it('should change the version of a rule when it patches enabled and another property', async () => { + it('should change the revision of a rule when it patches enabled and another property', async () => { await createRule(supertest, log, getSimpleRule('rule-1')); // patch a simple rule's enabled to false and another property @@ -181,7 +174,6 @@ export default ({ getService }: FtrProviderContext) => { const outputRule = getSimpleRuleOutput(); outputRule.enabled = false; outputRule.severity = 'low'; - outputRule.version = 2; outputRule.revision = 1; const bodyToCompare = removeServerGeneratedProperties(body[0]); @@ -209,7 +201,6 @@ export default ({ getService }: FtrProviderContext) => { outputRule.name = 'some other name'; outputRule.timeline_title = 'some title'; outputRule.timeline_id = 'some id'; - outputRule.version = 3; outputRule.revision = 2; const bodyToCompare = removeServerGeneratedProperties(body[0]); @@ -264,7 +255,6 @@ export default ({ getService }: FtrProviderContext) => { const outputRule = getSimpleRuleOutput(); outputRule.name = 'some other name'; - outputRule.version = 2; outputRule.revision = 1; const bodyToCompare = removeServerGeneratedProperties(body[0]); @@ -295,7 +285,6 @@ export default ({ getService }: FtrProviderContext) => { const outputRule = getSimpleRuleOutput(); outputRule.name = 'some other name'; - outputRule.version = 2; outputRule.revision = 1; const bodyToCompare = removeServerGeneratedProperties(body[0]); diff --git a/x-pack/test/detection_engine_api_integration/basic/tests/update_rules.ts b/x-pack/test/detection_engine_api_integration/basic/tests/update_rules.ts index 4270e70d68f0..5d5f90c36c23 100644 --- a/x-pack/test/detection_engine_api_integration/basic/tests/update_rules.ts +++ b/x-pack/test/detection_engine_api_integration/basic/tests/update_rules.ts 
@@ -56,7 +56,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
 expect(bodyToCompare).to.eql(outputRule);
@@ -102,7 +101,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutputWithoutRuleId();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedPropertiesIncludingRuleId(body);
 expect(bodyToCompare).to.eql(outputRule);
@@ -125,13 +123,12 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
 expect(bodyToCompare).to.eql(outputRule);
 });
- it('should change the version of a rule when it updates enabled and another property', async () => {
+ it('should change the revision of a rule when it updates enabled and another property', async () => {
 await createRule(supertest, log, getSimpleRule('rule-1'));
 // update a simple rule's enabled to false and another property
@@ -148,7 +145,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.enabled = false;
 outputRule.severity = 'low';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
@@ -181,7 +177,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 3;
 outputRule.revision = 2;
 const bodyToCompare = removeServerGeneratedProperties(body);
diff --git a/x-pack/test/detection_engine_api_integration/basic/tests/update_rules_bulk.ts b/x-pack/test/detection_engine_api_integration/basic/tests/update_rules_bulk.ts
index 0cc2cee2066b..8fa2f82da0e2 100644
--- a/x-pack/test/detection_engine_api_integration/basic/tests/update_rules_bulk.ts
+++ b/x-pack/test/detection_engine_api_integration/basic/tests/update_rules_bulk.ts
@@ -56,7 +56,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
 expect(bodyToCompare).to.eql(outputRule);
@@ -87,12 +86,10 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule1 = getSimpleRuleOutput();
 outputRule1.name = 'some other name';
- outputRule1.version = 2;
 outputRule1.revision = 1;
 const outputRule2 = getSimpleRuleOutput('rule-2');
 outputRule2.name = 'some other name';
- outputRule2.version = 2;
 outputRule2.revision = 1;
 const bodyToCompare1 = removeServerGeneratedProperties(body[0]);
@@ -118,7 +115,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
 expect(bodyToCompare).to.eql(outputRule);
@@ -147,12 +143,10 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule1 = getSimpleRuleOutputWithoutRuleId('rule-1');
 outputRule1.name = 'some other name';
- outputRule1.version = 2;
 outputRule1.revision = 1;
 const outputRule2 = getSimpleRuleOutputWithoutRuleId('rule-2');
 outputRule2.name = 'some other name';
- outputRule2.version = 2;
 outputRule2.revision = 1;
 const bodyToCompare1 = removeServerGeneratedPropertiesIncludingRuleId(body[0]);
@@ -178,13 +172,12 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
 expect(bodyToCompare).to.eql(outputRule);
 });
- it('should change the version of a rule when it updates enabled and another property', async () => {
+ it('should change the revision of a rule when it updates enabled and another property', async () => {
 await createRule(supertest, log, getSimpleRule('rule-1'));
 // update a simple rule's enabled to false and another property
@@ -201,7 +194,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.enabled = false;
 outputRule.severity = 'low';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
@@ -234,7 +226,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 3;
 outputRule.revision = 2;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
@@ -302,7 +293,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
@@ -340,7 +330,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/update_actions.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/update_actions.ts
index 61e25772c1d4..471272a82e8a 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/update_actions.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/update_actions.ts
@@ -75,8 +75,7 @@ export default ({ getService }: FtrProviderContext) => {
 `${bodyToCompare.actions?.[0].id}`,
 `${bodyToCompare.actions?.[0].uuid}`
 ),
- revision: 1, // version bump is required since this is an updated rule and this is part of the testing that we do bump the version number on update
- version: 2, // version bump is required since this is an updated rule and this is part of the testing that we do bump the version number on update
+ revision: 1, // revision bump is required since this is an updated rule and this is part of the testing that we do bump the revision number on update
 };
 expect(bodyToCompare).to.eql(expected);
 });
@@ -91,8 +90,7 @@ export default ({ getService }: FtrProviderContext) => {
 const bodyToCompare = removeServerGeneratedProperties(ruleAfterActionRemoved);
 const expected = {
 ...getSimpleRuleOutput(),
- revision: 2, // version bump is required since this is an updated rule and this is part of the testing that we do bump the version number on update
- version: 3, // version bump is required since this is an updated rule and this is part of the testing that we do bump the version number on update
+ revision: 2, // revision bump is required since this is an updated rule and this is part of the testing that we do bump the revision number on update
 };
 expect(bodyToCompare).to.eql(expected);
 });
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts
index 849c2a9858aa..7672153845e0 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts
@@ -714,7 +714,6 @@ export default ({ getService }: FtrProviderContext): void => {
 output_index: '',
 };
 ruleOutput.name = 'some other name';
- ruleOutput.version = 2;
 ruleOutput.revision = 0;
 expect(bodyToCompare).to.eql(ruleOutput);
 });
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/patch_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/patch_rules.ts
index e8df71ca61a4..1fcd78582024 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/patch_rules.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/patch_rules.ts
@@ -53,7 +53,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
 expect(bodyToCompare).to.eql(outputRule);
@@ -70,10 +69,6 @@ export default ({ getService }: FtrProviderContext) => {
 .expect(200);
 const outputRule = getSimpleMlRuleOutput();
- outputRule.version = 2;
- // TODO: Followup to #147398
- // NOTE: Once we remove `version` increment, revision will not be updated as `machine_learning_job_id` value doesn't actually change
- outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
 expect(bodyToCompare).to.eql(outputRule);
 });
@@ -90,7 +85,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleMlRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
 expect(bodyToCompare).to.eql(outputRule);
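Review bot: In the `@@ -70,10 +69,6 @@` hunk of patch_rules.ts the expectation for the ML rule now relies on `getSimpleMlRuleOutput()` leaving both `version` and `revision` at their defaults, but the only text that recorded why (the removed TODO/NOTE pair) is gone, so the next reader cannot tell whether "no revision bump" is intended or an oversight. Presumably the helper's default revision is 0 and the patch sends an unchanged `machine_learning_job_id`, so this test is the one place asserting that a no-op patch must not advance the rule's change counter; that contract is worth keeping visible, e.g. `// machine_learning_job_id is patched with an unchanged value, so the server must not bump revision` directly after `const outputRule = getSimpleMlRuleOutput();`. The enclosing `it` starts outside the hunk.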
@@ -110,7 +104,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutputWithoutRuleId();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedPropertiesIncludingRuleId(body);
 expect(bodyToCompare).to.eql(outputRule);
@@ -128,13 +121,12 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
 expect(bodyToCompare).to.eql(outputRule);
 });
- it('should not change the version of a rule when it patches only enabled', async () => {
+ it('should not change the revision of a rule when it patches only enabled', async () => {
 await createRule(supertest, log, getSimpleRule('rule-1'));
 // patch a simple rule's enabled to false
@@ -151,7 +143,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect(bodyToCompare).to.eql(outputRule);
 });
- it('should change the version of a rule when it patches enabled and another property', async () => {
+ it('should change the revision of a rule when it patches enabled and another property', async () => {
 await createRule(supertest, log, getSimpleRule('rule-1'));
 // patch a simple rule's enabled to false and another property
@@ -164,7 +156,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.enabled = false;
 outputRule.severity = 'low';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
@@ -192,7 +183,6 @@ export default ({ getService }: FtrProviderContext) => {
 outputRule.name = 'some other name';
 outputRule.timeline_title = 'some title';
 outputRule.timeline_id = 'some id';
- outputRule.version = 3;
 outputRule.revision = 2;
 const bodyToCompare = removeServerGeneratedProperties(body);
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/patch_rules_bulk.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/patch_rules_bulk.ts
index 48ea36153658..e7437f91bc69 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/patch_rules_bulk.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/patch_rules_bulk.ts
@@ -72,7 +72,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
 expect(bodyToCompare).to.eql(outputRule);
@@ -94,12 +93,10 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule1 = getSimpleRuleOutput();
 outputRule1.name = 'some other name';
- outputRule1.version = 2;
 outputRule1.revision = 1;
 const outputRule2 = getSimpleRuleOutput('rule-2');
 outputRule2.name = 'some other name';
- outputRule2.version = 2;
 outputRule2.revision = 1;
 const bodyToCompare1 = removeServerGeneratedProperties(body[0]);
@@ -120,7 +117,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
 expect(bodyToCompare).to.eql(outputRule);
@@ -142,12 +138,10 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule1 = getSimpleRuleOutputWithoutRuleId('rule-1');
 outputRule1.name = 'some other name';
- outputRule1.version = 2;
 outputRule1.revision = 1;
 const outputRule2 = getSimpleRuleOutputWithoutRuleId('rule-2');
 outputRule2.name = 'some other name';
- outputRule2.version = 2;
 outputRule2.revision = 1;
 const bodyToCompare1 = removeServerGeneratedPropertiesIncludingRuleId(body[0]);
@@ -219,13 +213,12 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
 expect(bodyToCompare).to.eql(outputRule);
 });
- it('should not change the version of a rule when it patches only enabled', async () => {
+ it('should not change the revision of a rule when it patches only enabled', async () => {
 await createRule(supertest, log, getSimpleRule('rule-1'));
 // patch a simple rule's enabled to false
@@ -242,7 +235,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect(bodyToCompare).to.eql(outputRule);
 });
- it('should change the version of a rule when it patches enabled and another property', async () => {
+ it('should change the revision of a rule when it patches enabled and another property', async () => {
 await createRule(supertest, log, getSimpleRule('rule-1'));
 // patch a simple rule's enabled to false and another property
@@ -255,7 +248,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.enabled = false;
 outputRule.severity = 'low';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
@@ -283,7 +275,6 @@ export default ({ getService }: FtrProviderContext) => {
 outputRule.name = 'some other name';
 outputRule.timeline_title = 'some title';
 outputRule.timeline_id = 'some id';
- outputRule.version = 3;
 outputRule.revision = 2;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
@@ -338,7 +329,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
@@ -369,7 +359,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/update_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/update_rules.ts
index 52f6613100e2..f48562b991b6 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/update_rules.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/update_rules.ts
@@ -62,7 +62,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
 expect(bodyToCompare).to.eql(outputRule);
@@ -86,7 +85,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleMlRuleOutput();
 // @ts-expect-error type narrowing is lost due to Omit<>
 outputRule.machine_learning_job_id = ['legacy_job_id'];
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
 expect(bodyToCompare).to.eql(outputRule);
@@ -109,7 +107,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleMlRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
 expect(bodyToCompare).to.eql(outputRule);
@@ -134,7 +131,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutputWithoutRuleId();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedPropertiesIncludingRuleId(body);
 expect(bodyToCompare).to.eql(outputRule);
@@ -184,7 +180,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutputWithoutRuleId();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 // Expect an empty array
 outputRule.actions = [];
@@ -238,7 +233,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutputWithoutRuleId();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 2; // Migration of action results in additional revision increment (change to `notifyWhen`), so expected revision is 2
 outputRule.actions = [
 {
@@ -274,13 +268,12 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
 expect(bodyToCompare).to.eql(outputRule);
 });
- it('should change the version of a rule when it updates enabled and another property', async () => {
+ it('should change the revision of a rule when it updates enabled and another property', async () => {
 await createRule(supertest, log, getSimpleRule('rule-1'));
 // update a simple rule's enabled to false and another property
@@ -297,7 +290,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.enabled = false;
 outputRule.severity = 'low';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body);
@@ -330,7 +322,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 3;
 outputRule.revision = 2;
 const bodyToCompare = removeServerGeneratedProperties(body);
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/update_rules_bulk.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/update_rules_bulk.ts
index 2148b9b13d79..8c32cf71874a 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/update_rules_bulk.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/update_rules_bulk.ts
@@ -78,7 +78,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
 expect(bodyToCompare).to.eql(outputRule);
@@ -109,12 +108,10 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule1 = getSimpleRuleOutput();
 outputRule1.name = 'some other name';
- outputRule1.version = 2;
 outputRule1.revision = 1;
 const outputRule2 = getSimpleRuleOutput('rule-2');
 outputRule2.name = 'some other name';
- outputRule2.version = 2;
 outputRule2.revision = 1;
 const bodyToCompare1 = removeServerGeneratedProperties(body[0]);
@@ -172,7 +169,6 @@ export default ({ getService }: FtrProviderContext) => {
 const bodyToCompare = removeServerGeneratedProperties(response);
 const outputRule = getSimpleRuleOutput(response.rule_id);
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 2;
 outputRule.actions = [
 {
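Review bot: `outputRule.revision = 2;` in the `@@ -172,7 +169,6 @@` hunk of update_rules_bulk.ts (and again in the `@@ -236,7 +232,6 @@` hunk on the next line, where `actions` is cleared and `throttle` set to `'no_actions'`) leaves the second increment unexplained, while the matching expectation in update_rules.ts carries `// Migration of action results in additional revision increment (change to `notifyWhen`), so expected revision is 2`. If the same action migration is what drives the extra bump here, copy that comment onto both lines so a later reader does not read 2 as an off-by-one in the revision bookkeeping; if a different cause applies, name it instead. The enclosing `it` blocks start and end outside these hunks.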
@@ -236,7 +232,6 @@ export default ({ getService }: FtrProviderContext) => {
 body.forEach((response) => {
 const outputRule = getSimpleRuleOutput(response.rule_id);
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 2;
 outputRule.actions = [];
 outputRule.throttle = 'no_actions';
@@ -262,7 +257,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
 expect(bodyToCompare).to.eql(outputRule);
@@ -291,12 +285,10 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule1 = getSimpleRuleOutput('rule-1');
 outputRule1.name = 'some other name';
- outputRule1.version = 2;
 outputRule1.revision = 1;
 const outputRule2 = getSimpleRuleOutput('rule-2');
 outputRule2.name = 'some other name';
- outputRule2.version = 2;
 outputRule2.revision = 1;
 const bodyToCompare1 = removeServerGeneratedProperties(body[0]);
@@ -322,13 +314,12 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
 expect(bodyToCompare).to.eql(outputRule);
 });
- it('should change the version of a rule when it updates enabled and another property', async () => {
+ it('should change the revision of a rule when it updates enabled and another property', async () => {
 await createRule(supertest, log, getSimpleRule('rule-1'));
 // update a simple rule's enabled to false and another property
@@ -345,7 +336,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.enabled = false;
 outputRule.severity = 'low';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
@@ -378,7 +368,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 3;
 outputRule.revision = 2;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
@@ -446,7 +435,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
@@ -484,7 +472,6 @@ export default ({ getService }: FtrProviderContext) => {
 const outputRule = getSimpleRuleOutput();
 outputRule.name = 'some other name';
- outputRule.version = 2;
 outputRule.revision = 1;
 const bodyToCompare = removeServerGeneratedProperties(body[0]);
diff --git a/x-pack/test/fleet_api_integration/apis/epm/get.ts b/x-pack/test/fleet_api_integration/apis/epm/get.ts
index 96bd1e01b69b..71cd0f9d411d 100644
--- a/x-pack/test/fleet_api_integration/apis/epm/get.ts
+++ b/x-pack/test/fleet_api_integration/apis/epm/get.ts
@@ -38,8 +38,7 @@ export default function (providerContext: FtrProviderContext) {
 '../fixtures/direct_upload_packages/apache_0.1.4.zip'
 );
- // Failing: See https://github.com/elastic/kibana/issues/149794
- describe.skip('EPM - get', () => {
+ describe('EPM - get', () => {
 skipIfNoDockerRegistry(providerContext);
 setupFleetAndAgents(providerContext);
@@ -215,7 +214,7 @@ export default function (providerContext: FtrProviderContext) {
 const pkgVersion = '8.6.0';
 await installPackage(pkg, pkgVersion);
 const response = await supertestWithoutAuth
- .get(`/api/fleet/epm/packages/${pkg}`)
+ .get(`/api/fleet/epm/packages/${pkg}/${pkgVersion}`)
 .auth(
 testUsers.endpoint_integr_read_only_fleet_none.username,
 testUsers.endpoint_integr_read_only_fleet_none.password
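Review bot: The `@@ -215,7 +214,7 @@` hunk of get.ts moves the request from the unversioned `/api/fleet/epm/packages/${pkg}` route to the versioned `/${pkg}/${pkgVersion}` form without recording why, and the first hunk's un-skip drops the only pointer (issue 149794) to what was failing before. Because the call is authenticated as `testUsers.endpoint_integr_read_only_fleet_none`, this appears to be a privilege check for a read-only integrations user, so which route that user is expected to be allowed on is the substance of the test and should not have to be inferred from a diff. A one-line comment above the `.get(...)`, e.g. `// read-only integrations user must be able to read a specific installed package version; the unversioned route is not exercised here`, would preserve the intent, and if the unversioned route is meant to stay covered for this user it deserves its own request in this test rather than silently losing coverage. The enclosing `it` starts and ends outside the hunk.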
diff --git a/x-pack/test/functional/apps/transform/creation/index_pattern/creation_index_pattern.ts b/x-pack/test/functional/apps/transform/creation/index_pattern/creation_index_pattern.ts
index 017d2466fb90..e5319cb4d60a 100644
--- a/x-pack/test/functional/apps/transform/creation/index_pattern/creation_index_pattern.ts
+++ b/x-pack/test/functional/apps/transform/creation/index_pattern/creation_index_pattern.ts
@@ -22,7 +22,8 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 const transform = getService('transform');
 const pageObjects = getPageObjects(['discover']);
- describe('creation_index_pattern', function () {
+ // Failing: See https://github.com/elastic/kibana/issues/151889
+ describe.skip('creation_index_pattern', function () {
 before(async () => {
 await esArchiver.loadIfNeeded('x-pack/test/functional/es_archives/ml/ecommerce');
 await transform.testResources.createIndexPatternIfNeeded('ft_ecommerce', 'order_date');
diff --git a/x-pack/test/functional/es_archives/session_view/process_events_merged/data.json b/x-pack/test/functional/es_archives/session_view/process_events_merged/data.json
new file mode 100644
index 000000000000..9894feecf7ad
--- /dev/null
+++ b/x-pack/test/functional/es_archives/session_view/process_events_merged/data.json
@@ -0,0 +1,30630 @@ + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Pwo", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { 
"char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.17Z", + "pid": 52058, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU4LTEzMjk2NDkxMDQwLjE3MDAwMDAwMA==", + "executable": "/usr/bin/locale-check", + "args": ["/usr/bin/locale-check", "C.UTF-8"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "locale-check", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "/usr/bin/locale-check C.UTF-8", + "hash": { + "sha1": "56c5c51fb2373bd231f169077f678fc5f9491dce", + "sha256": "64e3cbb7bfec9e8b2ff7c8df28a8ef1f8632c536bece778f36cbed49110c81ca", + "md5": "01be354a5242b9062ebd23a77ad08d07" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.4949685Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + 
"elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304485, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.4949685Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Pwo", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2PxS", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", 
"id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.2Z", + "pid": 52059, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU5LTEzMjk2NDkxMDQwLjIwMDAwMDAwMA==", + "executable": "/usr/bin/locale", + "args": ["locale"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { 
"name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "locale", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "locale", + "hash": { + "sha1": "0b5dbc2d0d3bfed240c2c1c4536411a928c02fbd", + "sha256": "4c1dc7fd70ca258add37f57cfc57dbf2dc50bb936881e066dca18678f35a1739", + "md5": "9f166243bd8e4f278e40e90586bcaf38" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5377122Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304493, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5377122Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": 
"MbEL/BDTBn1bDrQw++++2PxS", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2PxT", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.2Z", + "pid": 52060, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYwLTEzMjk2NDkxMDQwLjIwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + 
"entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5383159Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + 
"type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304495, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5383159Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2PxT", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Pxo", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52061, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "name": "lesspipe", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 2, + "user": { "name": "kg", "id": 1000 }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": 
["/bin/sh", "/usr/bin/lesspipe"], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52062, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYyLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/basename", + "args": ["basename", "/usr/bin/lesspipe"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + 
"real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "basename", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "basename /usr/bin/lesspipe", + "hash": { + "sha1": "7d9ae620c87e83d32c386c9f14fef6712b66015f", + "sha256": "e68a585b826a73a8ce53b97294ee032ef32ea2fc0444d4812a3a3ebd6407e6c6", + "md5": "5b7a516879f08529158df61f78eaf6c8" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5502309Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", 
"08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304505, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5502309Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Pxo", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Pxy", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYzLTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.23Z", + "pid": 52063, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYzLTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "name": "lesspipe", + "tty": { "char_device": { "major": 4, "minor": 1 }, 
"type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.23Z", + "pid": 52064, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY0LTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "executable": "/usr/bin/dirname", + "args": ["dirname", "/usr/bin/lesspipe"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", 
+ "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dirname", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 
}, + "command_line": "dirname /usr/bin/lesspipe", + "hash": { + "sha1": "4168981e10cdff533d2fb1f5e62042ff9f90885b", + "sha256": "da721955d589437242d4fa318003040944f0f873fa0979d6ef04f54859abf3bd", + "md5": "d931e16f92c41411c623c0fa44ed863a" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5543292Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304513, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5543292Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Pxy", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + 
"type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Py+", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52061, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "name": "lesspipe", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 2, + "user": { "name": "kg", "id": 1000 }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.23Z", + "pid": 52063, + "working_directory": "/usr/bin", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYzLTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "lesspipe", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5560454Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { 
"agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304515, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5560454Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Py+", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Py/", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, 
+ "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52061, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": 
"sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "lesspipe", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5562389Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304517, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5562389Z", + "kind": "event", + "module": "endpoint", + "action": 
["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Py/", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Py8", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { 
"name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.24Z", + "pid": 52065, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY1LTEzMjk2NDkxMDQwLjI0MDAwMDAwMA==", + "executable": "/usr/bin/dircolors", + "args": ["dircolors", "-b"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", 
"id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dircolors", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "dircolors -b", + "hash": { + "sha1": "04cf29f2e04fa4cae48134732e2ed92468a8fc0d", + "sha256": "fa88babbb82377cd09f0bb371f752121e645245d5247ebfc39393a8798abe5c5", + "md5": "c60577bd54ca4b90624de46bd6f3be1a" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process 
event", + "@timestamp": "2022-05-10T20:38:22.5614244Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304523, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5614244Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Py8", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q1Q", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", 
"id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "curl", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "curl -s -f https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.4345464Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": 
"1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304563, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.4345464Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q1Q", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q3T", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52070, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcwLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": ["uname", "-s"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": 
"adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "uname", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "uname -s", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": "ab2c3332885647313dbc160a329fd0f5" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0820438Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304581, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0820438Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q3T", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q3e", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52071, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcxLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/id", + "args": ["id", "-u"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 
1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "id", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "id -u", + "hash": { + "sha1": "02339fec9524a489db7f552ebd82a6130266e0db", + "sha256": "f0c0a70a1bd13ee3af1a82d85af8230e88ba27763caca91db44557c61ceaabb0", + "md5": "8aa4dbf8064d18cf9117cd9673f2d5ed" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0866115Z", + "ecs": { "version": "1.11.0" 
}, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304587, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0866115Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q3e", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q3m", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52072, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcyLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": ["uname", "-r"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": 
"kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "uname", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "uname -r", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": "ab2c3332885647313dbc160a329fd0f5" + }, + "group": { "name": "root", "id": 0 } + }, + "message": 
"Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0908861Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304593, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0908861Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q3m", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q41", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52075, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52076, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc2LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + 
"command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.112094Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304605, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.112094Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q41", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q47", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52075, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52077, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc3LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": ["tr", "A-Z", "a-z"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", 
"id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1141399Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304609, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1141399Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q47", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { 
"Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q48", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { 
"name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52075, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + 
"same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1147201Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304611, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1147201Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q48", + "category": 
["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q4F", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52078, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": 
"root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-10T20:38:31.1209194Z", + "pid": 52079, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc5LTEzMjk2Njg4NzExLjEyMDkxOTQwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1252306Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + 
}, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304619, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1252306Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q4F", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q4L", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52078, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52080, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgwLTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": ["tr", "A-Z", "a-z"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + 
"start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1281556Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP 
Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304623, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1281556Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q4L", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q4M", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52078, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": 
"adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1287455Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304625, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1287455Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q4M", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q4T", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52081, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-10T20:38:31.1349547Z", + "pid": 52082, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgyLTEzMjk2Njg4NzExLjEzNDk1NDcwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": 
{ "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": 
"8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1386328Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304633, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1386328Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q4T", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q4Z", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52081, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52083, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgzLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": ["tr", 
"A-Z", "a-z"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + 
"exit_code": 0, + "name": "tr", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1407189Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304637, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1407189Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q4Z", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": 
"MbEL/BDTBn1bDrQw++++2Q4a", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", 
+ "pid": 52081, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": 
"cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1412435Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304639, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1412435Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q4a", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { 
"Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q4b", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52073, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": 
"root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", 
"id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1417547Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304641, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1417547Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q4b", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { 
"Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q4c", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": 
"root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52073, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", 
"id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1422544Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304643, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1422544Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q4c", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { 
"Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q54", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg0LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.82Z", + "pid": 52084, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg0LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": 
"lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.82Z", + "pid": 52085, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg1LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--print-architecture"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, 
"minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg --print-architecture", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1597395Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304651, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1597395Z", + "kind": 
"event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q54", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q55", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", 
"id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.82Z", + "pid": 52084, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg0LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { 
"major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1603327Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304653, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1603327Z", + "kind": "event", + 
"module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q55", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q5M", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 
}, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.85Z", + "pid": 52086, + "working_directory": "/etc", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg2LTEzMjk2NDkxMDQ4Ljg1MDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": ["mkdir", "-p", "/etc/cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "mkdir", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "mkdir -p /etc/cmd", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.174287Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 
304659, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.174287Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q5M", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q5b", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { 
"name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52087, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg3LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "executable": "/usr/bin/cat", + "args": ["cat"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "cat", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "cat", + "hash": { + "sha1": "eecdba8e7def6c111a084ae6164ffe1697bf4397", + "sha256": "df954abca766aceddd79dd20429e4f222019018667446626d3a641d3c47c50fc", + "md5": "dec1edc9a903636853ed9097faf5bb33" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1817684Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + 
}, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304669, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1817684Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q5b", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q62", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52088, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": ["find", "/etc/cmd", "-type", "d", "-exec", "chmod", "0700", "{}", ";"], + "name": 
"find", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 9, + "user": { "name": "root", "id": 0 }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["find", "/etc/cmd", "-type", "d", "-exec", "chmod", "0700", "{}", ";"], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.87Z", + "pid": 52089, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg5LTEzMjk2NDkxMDQ4Ljg3MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": ["chmod", "0700", "/etc/cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": 
"2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "chmod 0700 /etc/cmd", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1991264Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu 
SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304679, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1991264Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q62", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q67", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + 
"start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52088, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": ["find", "/etc/cmd", "-type", "d", "-exec", "chmod", "0700", "{}", ";"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", 
"id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "find", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2016255Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": 
"01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304681, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2016255Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q67", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q6X", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "name": "find", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 9, + "user": { "name": "root", "id": 0 }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.89Z", + "pid": 52091, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkxLTEzMjk2NDkxMDQ4Ljg5MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": ["chmod", "0600", "/etc/cmd/config.ini"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + 
"command_line": "chmod 0600 /etc/cmd/config.ini", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2182619Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304691, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2182619Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q6X", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q6l", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + 
"ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "name": "find", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 9, + "user": { "name": "root", "id": 0 }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.9Z", + "pid": 52092, + 
"working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkyLTEzMjk2NDkxMDQ4LjkwMDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": ["chmod", "0600", "/etc/cmd/cmd.prj"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", 
"id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "chmod 0600 /etc/cmd/cmd.prj", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2258792Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304697, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2258792Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q6l", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 
0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q6n", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": 
"/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + 
"args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "find", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2263558Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304699, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2263558Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], 
+ "id": "MbEL/BDTBn1bDrQw++++2Q6n", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Q93", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 
30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.92Z", + "pid": 52093, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkzLTEzMjk2NDkxMDQ4LjkyMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-w", + "%{http_code}", + "-H", + "project-key: 9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e", + "https://sub3.c-app.cmd.com/download/cmd?architecture=amd64&format=deb", + "-o", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + 
"entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "curl", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "curl -s -w %{http_code} -H project-key: 9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e https://sub3.c-app.cmd.com/download/cmd?architecture=amd64&format=deb -o /tmp/amd64.deb", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.2596286Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 
UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304711, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.2596286Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Q93", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2QAD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "name": "dpkg-status", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 2, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52099, + "working_directory": "/run", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk5LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": ["mkdir", "-p", "/run/needrestart"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "mkdir", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + 
"command_line": "mkdir -p /run/needrestart", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3266413Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304733, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3266413Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2QAD", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2QAk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + 
"ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.01Z", + "pid": 52100, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAwLTEzMjk2NDkxMDUwLjEwMDAwMDAw", + "executable": "/usr/bin/dpkg-split", + "args": ["dpkg-split", "-Qao", "/var/lib/dpkg/reassemble.deb", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": 
"cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 1, + "name": "dpkg-split", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-split -Qao /var/lib/dpkg/reassemble.deb /tmp/amd64.deb", + "hash": { + "sha1": "1164d7ce3e863dfd2a08d525bee81913e977fb45", + "sha256": "5979bd01207b92168c1c5d4c892695baced753fd13b404e4cc4aff35acfcd646", + "md5": "64f52dbd8518a6785de7296d9e76ce72" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.350006Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304739, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.350006Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2QAk", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": 
"root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2QB0", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 4, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": 
[ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.04Z", + "pid": 52102, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAyLTEzMjk2NDkxMDUwLjQwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3773898Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": 
["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304751, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3773898Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2QB0", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2QBO", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 4, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.04Z", + "pid": 52103, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAzLTEzMjk2NDkxMDUwLjQwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { 
"name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3815406Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": 
"codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304755, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3815406Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2QBO", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2QBm", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 4, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "args_count": 0, + "executable": "/usr/bin/dpkg-deb" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.04Z", + "pid": 52104, + "working_directory": "/var/lib/dpkg/tmp.ci", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA0LTEzMjk2NDkxMDUwLjQwMDAwMDAw", + "executable": "/usr/bin/tar", + "args": ["tar", "-x", "-f", "-", "--warning=no-timestamp"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "tar", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": 
"tar -x -f - --warning=no-timestamp", + "hash": { + "sha1": "18c40bff8f913e7a8cf46c9d0ff489335bd3d3aa", + "sha256": "a6b2054c8231d8973f2626ef66c2f9681cb0a27c5fc616df49eb0436a93399dd", + "md5": "083e87381a0b156ad66758ff2ba87f57" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3937668Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304767, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3937668Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2QBm", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2QC+", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", 
"id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3985228Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304769, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3985228Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2QC+", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 
} }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2QZd", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.64Z", + "pid": 52105, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--fsys-tarfile", "/tmp/amd64.deb"], + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { 
"name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.65Z", + "pid": 52106, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA2LTEzMjk2NDkxMDUwLjY1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--fsys-tarfile", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": 
["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.0692338Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304787, + 
"ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.0692338Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2QZd", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2QZu", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.64Z", + "pid": 52105, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--fsys-tarfile", "/tmp/amd64.deb"], + "name": 
"dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.65Z", + "pid": 52107, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA3LTEzMjk2NDkxMDUwLjY1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--fsys-tarfile", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { 
"name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.0866795Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + 
"full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304797, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.0866795Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2QZu", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2QZx", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.64Z", + "pid": 52105, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--fsys-tarfile", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", 
"id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.089086Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": 
"01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304799, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.089086Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2QZx", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Qaq", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "name": "dpkg-status", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 2, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.8Z", + "pid": 52108, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA4LTEzMjk2NDkxMDUwLjgwMDAwMDAwMA==", + "executable": "/usr/bin/touch", + "args": ["touch", 
"/run/needrestart/unpacked"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 
} + ] + }, + "exit_code": 0, + "name": "touch", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "touch /run/needrestart/unpacked", + "hash": { + "sha1": "2fbc3bb2cf887bd8edcb9177d40e9576c55f5719", + "sha256": "a7558a34447cbcbe7af2951d3c435d3b65bfdd5e9225df1a99970a592378fab0", + "md5": "6942c7b2fccc8bedf025b6f4a59d7242" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.1366171Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304835, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.1366171Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Qaq", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2QbQ", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + 
} + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.83Z", + "pid": 52109, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA5LTEzMjk2NDkxMDUwLjgzMDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": ["rm", "-rf", "--", "/var/lib/dpkg/tmp.ci"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + 
"user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "rm", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "rm -rf -- /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.1589496Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304851, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.1589496Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2QbQ", + "category": ["process"], 
+ "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Qcb", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": 
"cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.89Z", + "pid": 52110, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEwLTEzMjk2NDkxMDUwLjg5MDAwMDAwMA==", + "executable": "/var/lib/dpkg/info/cmd.postinst", + "args": ["/bin/sh", "/var/lib/dpkg/info/cmd.postinst", "configure", ""], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "cmd.postinst", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /var/lib/dpkg/info/cmd.postinst configure ", + "hash": { + "sha1": "dd8c652bab9cfd7c2a81796014e7223277c48281", + "sha256": "2f9581444bd16ae4436f37cd3f995193778a055b953082e02c0f62c8d146ccb0", + "md5": "01bd3f90082b37dc6c16ec39f6d71f90" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2199347Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": 
["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304883, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2199347Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Qcb", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Qd/", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" 
}, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + 
"start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2534032Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", 
"10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304915, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2534032Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Qd/", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Qd0", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + 
"real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52097, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "args_count": 0, + "executable": "/usr/bin/sh" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + 
"tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-status", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": 
"4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2537046Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304917, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2537046Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Qd0", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Qd2", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.96Z", + "pid": 52096, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52097, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + 
"supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2575084Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304921, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2575084Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Qd2", + "category": ["process"], + 
"type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Qd4", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": 
"cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:09.96Z", + "pid": 52096, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 
52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2577396Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", 
"fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304923, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2577396Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Qd4", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2QdE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + 
"args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.93Z", + "pid": 52111, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTExLTEzMjk2NDkxMDUwLjkzMDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": ["rm", "-f", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "rm", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "rm -f /tmp/amd64.deb", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2615295Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + 
"family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304929, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2615295Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2QdE", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Qdb", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.94Z", + "pid": 52112, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEyLTEzMjk2NDkxMDUwLjk0MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2730833Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + 
"family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304933, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2730833Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Qdb", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Qdo", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", 
"id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52114, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE0LTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/readlink", + "args": ["readlink", "/proc/1/exe"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + 
{ "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "readlink", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "readlink /proc/1/exe", + "hash": { + "sha1": "4d89f805a4812374ad372c68d133f6efd09d96f3", + "sha256": "284d7f91dd6e02871afb46f19d2aab2cb7571bacb6c382d6df56d5f6f59d7ae8", + "md5": "5eaeababd7dc6bb9348867431cf32f35" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.283867Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } 
}, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304941, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.283867Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Qdo", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Qdt", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-10T20:38:33.2842357Z", + "pid": 52115, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE1LTEzMjk2Njg4NzEzLjI4NDIzNTcwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { 
"name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2933773Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304947, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2933773Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Qdt", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Qdz", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52116, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE2LTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": ["tr", "[A-Z]", "[a-z]"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { 
"name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "tr [A-Z] [a-z]", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { "name": "root", "id": 0 } + }, + 
"message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2962121Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304951, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2962121Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Qdz", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Qe+", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { 
"char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": 
"8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.296459Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304953, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.296459Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Qe+", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2SpY", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:10.98Z", + "pid": 52117, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE3LTEzMjk2NDkxMDUwLjk4MDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": ["systemctl", "enable", "cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + 
"command_line": "systemctl enable cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:42.7605179Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305207, + "ingested": "2022-05-10T20:38:47Z", + "created": "2022-05-10T20:38:42.7605179Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2SpY", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2SsI", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ 
+ "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:20.44Z", + "pid": 52151, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTUxLTEzMjk2NDkxMDYwLjQ0MDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": ["systemctl", "start", "cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, 
+ "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { "char_device": { "major": 4, 
"minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "systemctl start cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:42.8719189Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305219, + "ingested": "2022-05-10T20:38:47Z", + "created": "2022-05-10T20:38:42.8719189Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2SsI", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Ssa", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "bash"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sudo bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { "args": ["sudo", "bash"], "args_count": 0, "executable": "/usr/bin/sudo" } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": 
{ + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + 
"tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:42.9286657Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305221, + "ingested": "2022-05-10T20:38:47Z", + "created": "2022-05-10T20:38:42.9286657Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Ssa", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Ssr", + "source": { + "agent": { + 
"id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", 
+ "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + 
"args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:42.9688053Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305229, + "ingested": "2022-05-10T20:38:47Z", + "created": "2022-05-10T20:38:42.9688053Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Ssr", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", 
"id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2TUl", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52162, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYyLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": ["ps", "aux"], + "name": "ps", + "tty": { 
"char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52162, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYyLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": ["ps", "aux"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": 
"kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "ps", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "ps aux", + "hash": { + "sha1": "76f7135d070445f53d96804413ee29026b96c57b", + "sha256": "94391ba36b39a425b349b1ffa7cda195b888e25b8016c8a41fea345ac8c1959f", + "md5": "97b92a84ef38a9298054e3eaeacb42a5" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:46.2830771Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + 
"Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305389, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-10T20:38:46.2830771Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2TUl", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2TUm", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52163, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYzLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/usr/bin/grep", + "args": ["grep", "--color=auto", "cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": 
{ + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "grep", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "grep --color=auto cmd", + "hash": { + "sha1": "b9cedf6bbf2cd89ddaf5e2b7e8c8bddc98b4b037", + "sha256": "2674a998b9a1969477fa71f7d01bebf450733c418a13b52b5b64e758297c72dd", + "md5": "0b1b0e3205c1b31d339a6959c73d5035" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:46.2834922Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": 
"logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305391, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-10T20:38:46.2834922Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2TUm", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2TVI", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + 
] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:26.32Z", + "pid": 52166, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY2LTEzMjk2NDkxMDY2LjMyMDAwMDAwMA==", + "executable": "/usr/sbin/cmd", + "args": ["cmd"], + "name": "cmd", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:26.32Z", + "pid": 52166, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY2LTEzMjk2NDkxMDY2LjMyMDAwMDAwMA==", + "executable": "/usr/sbin/cmd", + "args": ["cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": 
"dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 1, + "name": "cmd", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "cmd", + "hash": { + "sha1": "3f70742de7ef38ae88f4320eb9590b04f0093cbc", + "sha256": "c1966b7c8f2caa8bbd885ca04cea21ff42c0b0600ca9976150d7fbd00734c7ea", + "md5": "715f0b95075ad39f940c9ee9dc7cd9a7" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:48.6691569Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305397, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-10T20:38:48.6691569Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2TVI", + 
"category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2TaL", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-10T20:38:59.5413511Z", + "pid": 52168, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "executable": "/usr/bin/systemctl", + "args": ["systemctl", "start", "cmd"], + "name": "systemctl", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "systemctl start cmd", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { 
"name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "systemctl", "start", "cmd"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["systemctl", "start", "cmd"], + "args_count": 0, + "executable": "/usr/bin/systemctl" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-10T20:38:59.5420968Z", + "pid": 52169, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY5LTEzMjk2Njg4NzM5LjU0MjA5NjgwMA==", + "executable": "/bin/systemd-tty-ask-password-agent", + "args": ["/bin/systemd-tty-ask-password-agent", "--watch"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { 
"name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "systemd-tty-ask-password-agent", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/systemd-tty-ask-password-agent --watch", + "hash": { + "sha1": "16da89959976150cc95ea58b33ebc35c2419ffe6", + "sha256": "a184188e6d947634a98a9667ad4281e556670cbacff7e0beb57c7e9cb69e7a89", + "md5": 
"3607fd619b6534f4dc5c8ee071ea30e4" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5449442Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305451, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5449442Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2TaL", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2TaN", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "systemctl", "start", "cmd"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sudo systemctl start cmd", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "systemctl", "start", "cmd"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { 
"name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["sudo", "systemctl", "start", "cmd"], + "args_count": 0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-10T20:38:59.5413511Z", + "pid": 52168, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "executable": "/usr/bin/systemctl", + "args": ["systemctl", "start", "cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "systemctl start cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5456283Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + 
"architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305453, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5456283Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2TaN", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Tad", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + 
{ "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "systemctl", "start", "cmd"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "systemctl", "start", "cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 
1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { "name": "root", "id": 0 }, + 
"supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5463972Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305457, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5463972Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Tad", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UAi", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:40.42Z", + "pid": 52184, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": ["systemctl", "status", "cmd"], + "name": "systemctl", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "systemctl status cmd", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "systemctl", "status", "cmd"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": 
"char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["systemctl", "status", "cmd"], + "args_count": 0, + "executable": "/usr/bin/systemctl" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:40.45Z", + "pid": 52185, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg1LTEzMjk2NDkxMDgwLjQ1MDAwMDAwMA==", + "executable": "/usr/bin/less", + "args": ["less"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 
1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "less", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "less", + "hash": { + "sha1": "680102c9406f1428555fcf616a9ef7ec9963105e", + "sha256": "f4a8397e52c63c1cd7d941f277d869a7f9c231dfd6a1333dad172b8b11b1b606", + "md5": "135efaf1026ea9e8ae7f731357fe6b9f" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.8606345Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", 
"127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305643, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.8606345Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UAi", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UAj", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "systemctl", "status", "cmd"], + "name": 
"sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sudo systemctl status cmd", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "systemctl", "status", "cmd"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["sudo", "systemctl", "status", "cmd"], + "args_count": 0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:40.42Z", + "pid": 52184, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": ["systemctl", "status", "cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": 
true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 3, + "name": "systemctl", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + 
"real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "systemctl status cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.8610262Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305645, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.8610262Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UAj", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UAp", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "systemctl", "status", "cmd"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + 
"same_as_process": true, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "systemctl", "status", "cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { 
"ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 3, + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.8738434Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 
UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305647, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.8738434Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UAp", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UBl", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": 
"/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:53.8Z", + "pid": 52186, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg2LTEzMjk2NDkxMDkzLjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + 
"command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:16.1206117Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305651, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-10T20:39:16.1206117Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UBl", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + 
"index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UBp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" 
}, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:53.8Z", + "pid": 52187, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg3LTEzMjk2NDkxMDkzLjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + 
"pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:16.1223276Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + 
"type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305655, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-10T20:39:16.1223276Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UBp", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UCE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + 
"tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:54.23Z", + "pid": 52188, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg4LTEzMjk2NDkxMDk0LjIzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": 
"/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": 
"c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:16.5497862Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305659, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-10T20:39:16.5497862Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UCE", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UCJ", + "source": { + "agent": { 
+ "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": 
{ "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-10T20:39:16.5506041Z", + "pid": 52189, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg5LTEzMjk2Njg4NzU2LjU1MDYwNDEwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:16.5509111Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + 
"full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305663, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-10T20:39:16.5509111Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UCJ", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UCj", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": 
"char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:55.46Z", + "pid": 52190, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkwLTEzMjk2NDkxMDk1LjQ2MDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { 
"char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": 
"8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:17.7867897Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305667, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:17.7867897Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UCj", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UCo", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + 
"version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, 
+ "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-10T20:39:17.787694Z", + "pid": 52191, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkxLTEzMjk2Njg4NzU3Ljc4NzY5NDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": 
"/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:17.7904206Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", 
"fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305671, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:17.7904206Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UCo", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UI+", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.81Z", + "pid": 52195, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk1LTEzMjk2NDkxMDk3LjgxMDAwMDAwMA==", + "executable": "/usr/bin/groups", + "args": ["groups"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 
}, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "groups", + "tty": { "char_device": { "major": 4, 
"minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "groups", + "hash": { + "sha1": "57c250ff52f634e05ada5e104d9ed3776d660cc7", + "sha256": "d9b14ee17f963ab9997154ef929cc2e42d0b5d56d94678b01bed0060bb1d90d2", + "md5": "c9e1747d4fdb38d3d030980456c1500c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1410736Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305723, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1410736Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UI+", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UIG", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.82Z", + "pid": 52196, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "name": "lesspipe", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 2, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": 
"2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52197, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk3LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/basename", + "args": ["basename", "/usr/bin/lesspipe"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + 
{ "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "basename", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "basename /usr/bin/lesspipe", + "hash": { + "sha1": "7d9ae620c87e83d32c386c9f14fef6712b66015f", + "sha256": "e68a585b826a73a8ce53b97294ee032ef32ea2fc0444d4812a3a3ebd6407e6c6", + "md5": "5b7a516879f08529158df61f78eaf6c8" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1509786Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": 
"01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305733, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1509786Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UIG", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UIQ", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk4LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52198, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk4LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "name": "lesspipe", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { 
"name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52199, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk5LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/dirname", + "args": ["dirname", "/usr/bin/lesspipe"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dirname", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dirname /usr/bin/lesspipe", + "hash": { + "sha1": "4168981e10cdff533d2fb1f5e62042ff9f90885b", + "sha256": "da721955d589437242d4fa318003040944f0f873fa0979d6ef04f54859abf3bd", + "md5": "d931e16f92c41411c623c0fa44ed863a" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1560046Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", 
"08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305741, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1560046Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UIQ", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UIS", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.82Z", + "pid": 52196, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "name": "lesspipe", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 2, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52198, + "working_directory": "/usr/bin", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk4LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, 
+ "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "lesspipe", + "tty": { "char_device": { "major": 4, 
"minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1565282Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305743, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1565282Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UIS", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UIT", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.82Z", + "pid": 52196, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": ["/bin/sh", "/usr/bin/lesspipe"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": 
{ + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "lesspipe", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1570144Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": 
"5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305745, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1570144Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UIT", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UIc", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.84Z", + "pid": 
52200, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAwLTEzMjk2NDkxMDk3Ljg0MDAwMDAwMA==", + "executable": "/usr/bin/dircolors", + "args": ["dircolors", "-b"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { 
"name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dircolors", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dircolors -b", + "hash": { + "sha1": "04cf29f2e04fa4cae48134732e2ed92468a8fc0d", + "sha256": "fa88babbb82377cd09f0bb371f752121e645245d5247ebfc39393a8798abe5c5", + "md5": "c60577bd54ca4b90624de46bd6f3be1a" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1611731Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305751, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1611731Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UIc", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", 
"id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UJd", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + 
"group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:45:01.35Z", + "pid": 52201, + "working_directory": "/etc", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAxLTEzMjk2NDkxMTAxLjM1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": ["ls", "--color=auto"], + "name": "ls", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:45:01.35Z", + "pid": 52201, + "working_directory": "/etc", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAxLTEzMjk2NDkxMTAxLjM1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": ["ls", "--color=auto"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 
27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "ls", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "ls --color=auto", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:23.6898263Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": 
"01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305757, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:23.6898263Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UJd", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UK+", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:45:04.15Z", + "pid": 52202, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAyLTEzMjk2NDkxMTA0LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": ["ls", "--color=auto"], + "name": "ls", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + 
}, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:45:04.15Z", + "pid": 52202, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAyLTEzMjk2NDkxMTA0LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": ["ls", "--color=auto"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 
}, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "ls", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "ls --color=auto", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:26.4869806Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305763, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:26.4869806Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": 
"MbEL/BDTBn1bDrQw++++2UK+", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UKD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { 
"name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:45:05.15Z", + "pid": 52203, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAzLTEzMjk2NDkxMTA1LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": ["ls", "--color=auto"], + "name": "ls", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:45:05.15Z", + "pid": 52203, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAzLTEzMjk2NDkxMTA1LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": ["ls", "--color=auto"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + 
"same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "ls", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "ls --color=auto", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + 
"@timestamp": "2022-05-10T20:39:27.4767624Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305769, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:27.4767624Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UKD", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UKq", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:45:06.08Z", + "pid": 52204, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA0LTEzMjk2NDkxMTA2LjgwMDAwMDAw", + "executable": "/usr/bin/ls", + "args": ["ls", "--color=auto", "-la"], + "name": "ls", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": 
"cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:45:06.08Z", + "pid": 52204, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA0LTEzMjk2NDkxMTA2LjgwMDAwMDAw", + "executable": "/usr/bin/ls", + "args": ["ls", "--color=auto", "-la"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "ls", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "ls --color=auto -la", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:28.4223867Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + 
"architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305775, + "ingested": "2022-05-10T20:39:39Z", + "created": "2022-05-10T20:39:28.4223867Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UKq", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UMt", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, 
+ "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.41Z", + "pid": 52208, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "name": "dpkg-status", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 2, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + 
], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-10T20:40:24.9687687Z", + "pid": 52209, + "working_directory": "/run", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA5LTEzMjk2Njg4ODI0Ljk2ODc2ODcwMA==", + "executable": "/usr/bin/mkdir", + "args": ["mkdir", "-p", "/run/needrestart"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { 
"name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "mkdir", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "mkdir -p /run/needrestart", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:24.9692104Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305799, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:24.9692104Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UMt", + "category": ["process"], + "type": 
["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Ujo", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "name": "cmd.prerm", + "tty": { "char_device": { "major": 4, 
"minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "args_count": 0, + "executable": "/var/lib/dpkg/info/cmd.prerm" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52212, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEyLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/usr/bin/readlink", + "args": ["readlink", "/proc/1/exe"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": 
"2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "readlink", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { 
"name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "readlink /proc/1/exe", + "hash": { + "sha1": "4d89f805a4812374ad372c68d133f6efd09d96f3", + "sha256": "284d7f91dd6e02871afb46f19d2aab2cb7571bacb6c382d6df56d5f6f59d7ae8", + "md5": "5eaeababd7dc6bb9348867431cf32f35" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4089529Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305819, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4089529Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Ujo", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Ujt", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": 
"endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "name": "cmd.prerm", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": 
"lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.09Z", + "pid": 52213, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEzLTEzMjk2NDkxMTYzLjkwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", 
"id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "cmd.prerm", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4167455Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { 
"variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305825, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4167455Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Ujt", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Ujz", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "name": "cmd.prerm", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + 
{ "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "args_count": 0, + "executable": "/var/lib/dpkg/info/cmd.prerm" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.09Z", + "pid": 52214, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE0LTEzMjk2NDkxMTYzLjkwMDAwMDAw", + "executable": "/usr/bin/tr", + "args": ["tr", "[A-Z]", "[a-z]"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "tr [A-Z] [a-z]", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4227022Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": 
"x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305829, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4227022Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Ujz", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uk+", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "name": "cmd.prerm", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": ["/bin/bash", 
"/var/lib/dpkg/info/cmd.prerm", "remove"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": 
"docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "cmd.prerm", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4238276Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305831, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4238276Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uk+", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UkG", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": 
"8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "name": "cmd.prerm", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", 
"id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "args_count": 0, + "executable": "/var/lib/dpkg/info/cmd.prerm" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.1Z", + "pid": 52215, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE1LTEzMjk2NDkxMTYzLjEwMDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": ["rm", "-rf", "/var/lib/cmd", "/var/run/cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 
}, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "rm", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "rm -rf /var/lib/cmd /var/run/cmd", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4339601Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + 
"dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305851, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4339601Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UkG", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UlC", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.11Z", + "pid": 52216, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": ["systemctl", "stop", "cmd.service"], + "name": "systemctl", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "systemctl stop cmd.service", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": 
"char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["systemctl", "stop", "cmd.service"], + "args_count": 0, + "executable": "/usr/bin/systemctl" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.14Z", + "pid": 52217, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE3LTEzMjk2NDkxMTYzLjE0MDAwMDAwMA==", + "executable": "/bin/systemd-tty-ask-password-agent", + "args": ["/bin/systemd-tty-ask-password-agent", "--watch"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 15, + "name": "systemd-tty-ask-password-agent", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/systemd-tty-ask-password-agent --watch", + "hash": { + "sha1": "16da89959976150cc95ea58b33ebc35c2419ffe6", + "sha256": "a184188e6d947634a98a9667ad4281e556670cbacff7e0beb57c7e9cb69e7a89", + "md5": "3607fd619b6534f4dc5c8ee071ea30e4" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4809715Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue 
Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305863, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4809715Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UlC", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UlD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "name": "cmd.prerm", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 
}, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "args_count": 0, + "executable": "/var/lib/dpkg/info/cmd.prerm" + }, + { + "args": ["/usr/bin/perl", "/usr/bin/deb-systemd-invoke", "stop", "cmd.service"], + "args_count": 4, + "executable": "/usr/bin/deb-systemd-invoke" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.11Z", + "pid": 52216, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": ["systemctl", "stop", "cmd.service"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, 
"type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "systemctl stop cmd.service", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4816667Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": 
"00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305865, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4816667Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UlD", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UlE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg --purge cmd", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { "args": ["dpkg", "--purge", "cmd"], "args_count": 0, "executable": "/usr/bin/dpkg" } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", 
+ "args": ["/bin/bash", "/var/lib/dpkg/info/cmd.prerm", "remove"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 
110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "cmd.prerm", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4826277Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305867, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4826277Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UlE", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Unc", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": 
"endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", 
+ "args": ["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--purge", "cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg --purge cmd", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.7869067Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + 
"family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305971, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.7869067Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Unc", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Und", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.4Z", + "pid": 52207, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "args_count": 0, + "executable": "/usr/bin/sh" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.41Z", + "pid": 52208, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-status", + "tty": { "char_device": { "major": 4, 
"minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.7876858Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305973, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.7876858Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Und", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Une", + "source": { + "agent": { + 
"id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.35Z", + "pid": 52206, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 
}, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.4Z", + "pid": 52207, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + 
"args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.788219Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + 
"agent_id_status": "auth_metadata_missing", + "sequence": 305975, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.788219Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Une", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Unf", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": 
["dpkg", "--purge", "cmd"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg --purge cmd", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { "args": ["dpkg", "--purge", "cmd"], "args_count": 0, "executable": "/usr/bin/dpkg" } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:02.35Z", + "pid": 52206, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + 
"parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.7887321Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { 
"id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305977, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.7887321Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Unf", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UoY", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.73Z", + "pid": 52193, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "executable": "/usr/bin/su", + "args": ["su"], + "name": "su", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "su", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "su"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["su"], "args_count": 0, "executable": "/usr/bin/su" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + 
"pid": 52194, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": 
"cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 130, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:41.4844593Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305979, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:41.4844593Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UoY", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": 
{ "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uom", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "su"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sudo su", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "su"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": false, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["sudo", "su"], "args_count": 0, "executable": "/usr/bin/sudo" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:44:57.73Z", + "pid": 52193, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "executable": "/usr/bin/su", + "args": ["su"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": 
"2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 130, + "name": "su", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "su", + "hash": { + "sha1": "8c4fcb67858dc0862f67b53f956e1d601a714bba", + "sha256": "27009f2285d7e7af458d8b7e752a4ebcfc316efeeed8aa87f535c58d5b7335a9", + "md5": "e90d906f2647087d1ac2aa06de77293e" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:41.5047303Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 
14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305981, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:41.5047303Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uom", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uoy", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "su"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "root", "id": 0 }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": ["sudo", "su"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 
52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 130, + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 
0, + "user": { "name": "root", "id": 0 }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:41.5137975Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305983, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:41.5137975Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uoy", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + 
} + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UtT", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + 
"https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, 
+ { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "curl", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "curl -s -f https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { 
"name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6393576Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306035, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6393576Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UtT", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uu1", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52222, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIyLTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": ["uname", "-s"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, 
+ "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "uname", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": 
{ "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "uname -s", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": "ab2c3332885647313dbc160a329fd0f5" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6618563Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306041, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6618563Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uu1", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UuC", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", 
+ "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52223, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIzLTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/id", + "args": ["id", "-u"], + 
"session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + 
"name": "id", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "id -u", + "hash": { + "sha1": "02339fec9524a489db7f552ebd82a6130266e0db", + "sha256": "f0c0a70a1bd13ee3af1a82d85af8230e88ba27763caca91db44557c61ceaabb0", + "md5": "8aa4dbf8064d18cf9117cd9673f2d5ed" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6666456Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306047, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6666456Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UuC", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UuK", + "source": { 
+ "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52224, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI0LTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": ["uname", "-r"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { 
"name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "uname", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "uname -r", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": "ab2c3332885647313dbc160a329fd0f5" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6705537Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306053, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6705537Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UuK", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, 
"name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uuc", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52227, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, 
+ { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-10T20:40:42.6822515Z", + "pid": 52228, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI4LTEzMjk2Njg4ODQyLjY4MjI1MTUwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { 
"name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6888346Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306065, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6888346Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": 
"MbEL/BDTBn1bDrQw++++2Uuc", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uuh", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52227, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + 
"args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52229, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI5LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": ["tr", "A-Z", "a-z"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { 
"ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6914489Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": 
"00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306069, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6914489Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uuh", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uui", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52227, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6920784Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", 
+ "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306071, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6920784Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uui", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uup", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52230, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-10T20:40:42.6961356Z", + "pid": 52231, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMxLTEzMjk2Njg4ODQyLjY5NjEzNTYwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { 
"name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6983705Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306079, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6983705Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uup", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uuv", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52230, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52232, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMyLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": ["tr", "A-Z", "a-z"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": 
"tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7003632Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306083, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7003632Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uuv", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uuw", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52230, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": 
["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + 
"exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7008805Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306085, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7008805Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uuw", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": 
"MbEL/BDTBn1bDrQw++++2Uv1", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52233, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": 
{ "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52234, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM0LTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": 
"kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7109407Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306093, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7109407Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uv1", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": 
{ "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uv7", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52233, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + 
"supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52235, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM1LTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": ["tr", "A-Z", "a-z"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.713786Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": 
"x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306097, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.713786Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uv7", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uv8", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": 
"/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52233, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7143127Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", 
"10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306099, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7143127Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uv8", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uv9", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52225, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7147818Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", 
+ "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306101, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7147818Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uv9", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UvA", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52225, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7157162Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", 
+ "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306103, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7157162Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UvA", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uve", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM2LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": 
true, + "start": "2022-05-08T13:46:20.39Z", + "pid": 52236, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM2LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.39Z", + "pid": 52237, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM3LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "--print-architecture"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 
46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg --print-architecture", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7294651Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + 
"hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306111, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7294651Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uve", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uvf", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.39Z", + "pid": 52236, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM2LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": 
"dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7299431Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" 
} }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306113, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7299431Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uvf", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uvw", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.42Z", + "pid": 52238, + "working_directory": "/etc", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM4LTEzMjk2NDkxMTgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": ["mkdir", "-p", "/etc/cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { 
"name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "mkdir", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "mkdir -p /etc/cmd", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7506438Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": 
"logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306119, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7506438Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uvw", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uw9", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.43Z", + "pid": 52239, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM5LTEzMjk2NDkxMTgwLjQzMDAwMDAwMA==", + "executable": "/usr/bin/cat", + "args": ["cat"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", 
"id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "cat", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "cat", + "hash": { + "sha1": "eecdba8e7def6c111a084ae6164ffe1697bf4397", + "sha256": "df954abca766aceddd79dd20429e4f222019018667446626d3a641d3c47c50fc", + "md5": "dec1edc9a903636853ed9097faf5bb33" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint 
process event", + "@timestamp": "2022-05-10T20:40:42.7602468Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306125, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7602468Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uw9", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uwc", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.44Z", + "pid": 52240, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": ["find", "/etc/cmd", "-type", "d", "-exec", "chmod", "0700", "{}", ";"], + "name": "find", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 9, + "user": { "name": "root", "id": 0 }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["find", "/etc/cmd", "-type", "d", "-exec", "chmod", "0700", "{}", ";"], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.45Z", + "pid": 52241, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQxLTEzMjk2NDkxMTgwLjQ1MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": ["chmod", "0700", "/etc/cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { "char_device": { "major": 4, "minor": 1 
} }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "chmod 0700 /etc/cmd", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.776821Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306135, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.776821Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uwc", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uwh", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.44Z", + "pid": 52240, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", + 
"executable": "/usr/bin/find", + "args": ["find", "/etc/cmd", "-type", "d", "-exec", "chmod", "0700", "{}", ";"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": 
"plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "find", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7798621Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306137, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7798621Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uwh", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": 
"root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Ux3", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "name": "find", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 9, + "user": { "name": "root", "id": 0 }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", 
"id": 118 } + ] + }, + "previous": [ + { + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52243, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQzLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": ["chmod", "0600", "/etc/cmd/config.ini"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": 
"bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "chmod 0600 /etc/cmd/config.ini", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7907489Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306147, + "ingested": "2022-05-10T20:40:51Z", + 
"created": "2022-05-10T20:40:42.7907489Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Ux3", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UxE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "name": "find", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 
0 }, + "args_count": 9, + "user": { "name": "root", "id": 0 }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.47Z", + "pid": 52244, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ0LTEzMjk2NDkxMTgwLjQ3MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": ["chmod", "0600", "/etc/cmd/cmd.prj"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "chmod 0600 /etc/cmd/cmd.prj", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7965979Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": 
"Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306153, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7965979Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UxE", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UxP", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": 
"root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "name": "find", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 9, + "user": { "name": "root", "id": 0 }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.47Z", + "pid": 52245, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ1LTEzMjk2NDkxMTgwLjQ3MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": ["chmod", "0600", "/etc/cmd/cmd.token"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 
1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "chmod 0600 /etc/cmd/cmd.token", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.8009386Z", + 
"ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306159, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.8009386Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UxP", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UxR", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", 
+ "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": ["find", "/etc/cmd", "-type", "f", "-exec", "chmod", "0600", "{}", ";"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 
4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "find", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + 
"md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.8012932Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306161, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.8012932Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2UxR", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Uzo", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.48Z", + "pid": 52246, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ2LTEzMjk2NDkxMTgwLjQ4MDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-w", + "%{http_code}", + "-H", + "project-key: fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5", + "https://sub4.c-app.cmd.com/download/cmd?architecture=amd64&format=deb", + "-o", + 
"/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + 
}, + "exit_code": 0, + "name": "curl", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "curl -s -w %{http_code} -H project-key: fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5 https://sub4.c-app.cmd.com/download/cmd?architecture=amd64&format=deb -o /tmp/amd64.deb", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0135498Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306173, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0135498Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Uzo", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": 
"root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2V+v", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "name": "dpkg-status", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + 
"args_count": 2, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.73Z", + "pid": 52252, + "working_directory": "/run", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUyLTEzMjk2NDkxMTgxLjczMDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": ["mkdir", "-p", "/run/needrestart"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": 
{ "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "mkdir", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "mkdir -p /run/needrestart", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0624691Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 
21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306195, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0624691Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2V+v", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2V/S", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.75Z", + "pid": 52253, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUzLTEzMjk2NDkxMTgxLjc1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-split", + "args": ["dpkg-split", "-Qao", "/var/lib/dpkg/reassemble.deb", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": 
"dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 1, + "name": "dpkg-split", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-split -Qao /var/lib/dpkg/reassemble.deb /tmp/amd64.deb", + "hash": { + "sha1": "1164d7ce3e863dfd2a08d525bee81913e977fb45", + "sha256": "5979bd01207b92168c1c5d4c892695baced753fd13b404e4cc4aff35acfcd646", + "md5": "64f52dbd8518a6785de7296d9e76ce72" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0820579Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + 
"elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306201, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0820579Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2V/S", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2V/k", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 4, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.77Z", + "pid": 52255, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU1LTEzMjk2NDkxMTgxLjc3MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + 
"command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0953659Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306213, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0953659Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2V/k", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2V0F", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + 
"process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 4, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.77Z", + "pid": 52256, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU2LTEzMjk2NDkxMTgxLjc3MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", 
"id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.1130486Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306217, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.1130486Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2V0F", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { 
"real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2V0U", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 4, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { "name": "root", "id": 0 }, + 
"supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "args_count": 0, + "executable": "/usr/bin/dpkg-deb" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.77Z", + "pid": 52257, + "working_directory": "/var/lib/dpkg/tmp.ci", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU3LTEzMjk2NDkxMTgxLjc3MDAwMDAwMA==", + "executable": "/usr/bin/tar", + "args": ["tar", "-x", "-f", "-", "--warning=no-timestamp"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": 
"10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "tar", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "tar -x -f - --warning=no-timestamp", + "hash": { + "sha1": "18c40bff8f913e7a8cf46c9d0ff489335bd3d3aa", + "sha256": "a6b2054c8231d8973f2626ef66c2f9681cb0a27c5fc616df49eb0436a93399dd", + "md5": "083e87381a0b156ad66758ff2ba87f57" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.1203379Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + 
"id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306229, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.1203379Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2V0U", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2V0i", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + 
"executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--control", "/tmp/amd64.deb", "/var/lib/dpkg/tmp.ci"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + 
"entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.1251935Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + 
"os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306231, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.1251935Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2V0i", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VOS", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", 
+ "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.58Z", + "pid": 52258, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--fsys-tarfile", "/tmp/amd64.deb"], + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.59Z", + "pid": 52259, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU5LTEzMjk2NDkxMTgyLjU5MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--fsys-tarfile", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": 
false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", 
+ "@timestamp": "2022-05-10T20:40:45.0283779Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306249, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.0283779Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VOS", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VOj", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.58Z", + "pid": 52258, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--fsys-tarfile", "/tmp/amd64.deb"], + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.59Z", + "pid": 52260, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYwLTEzMjk2NDkxMTgyLjU5MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--fsys-tarfile", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + 
"user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.0423011Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306259, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.0423011Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VOj", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VOm", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": 
"8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.58Z", + "pid": 52258, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": ["dpkg-deb", "--fsys-tarfile", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + 
{ "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.0425552Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306261, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.0425552Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VOm", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 
}, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VPg", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "name": "dpkg-status", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 2, + "user": { "name": "root", "id": 
0 }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.76Z", + "pid": 52261, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYxLTEzMjk2NDkxMTgyLjc2MDAwMDAwMA==", + "executable": "/usr/bin/touch", + "args": ["touch", "/run/needrestart/unpacked"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "touch", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "touch /run/needrestart/unpacked", + "hash": { + "sha1": "2fbc3bb2cf887bd8edcb9177d40e9576c55f5719", + "sha256": "a7558a34447cbcbe7af2951d3c435d3b65bfdd5e9225df1a99970a592378fab0", + "md5": "6942c7b2fccc8bedf025b6f4a59d7242" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.0922392Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": 
["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306299, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.0922392Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VPg", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VQE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.78Z", + "pid": 52262, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYyLTEzMjk2NDkxMTgyLjc4MDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": ["rm", "-rf", "--", "/var/lib/dpkg/tmp.ci"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + 
{ "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "rm", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "rm -rf -- /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.114271Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": 
"codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306313, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.114271Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VQE", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VQs", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.84Z", + "pid": 52263, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYzLTEzMjk2NDkxMTgyLjg0MDAwMDAwMA==", + "executable": "/var/lib/dpkg/info/cmd.postinst", + "args": ["/bin/sh", "/var/lib/dpkg/info/cmd.postinst", "configure", ""], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": 
"char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "cmd.postinst", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /var/lib/dpkg/info/cmd.postinst configure ", + "hash": { + "sha1": "dd8c652bab9cfd7c2a81796014e7223277c48281", + "sha256": "2f9581444bd16ae4436f37cd3f995193778a055b953082e02c0f62c8d146ccb0", + "md5": 
"01bd3f90082b37dc6c16ec39f6d71f90" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.1658813Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306345, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.1658813Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VQs", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VRc", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": 
"dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2040973Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306377, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2040973Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VRc", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VRf", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52250, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + 
"previous": [ + { + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "args_count": 0, + "executable": "/usr/bin/sh" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": ["/bin/sh", "/usr/lib/needrestart/dpkg-status"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": 
"/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "dpkg-status", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2081213Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + 
"sequence": 306381, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2081213Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VRf", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VRi", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.71Z", + "pid": 52249, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x 
/usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 3, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52250, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", 
"id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2085155Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + 
"host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306383, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2085155Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VRi", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VRl", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "name": "dpkg", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["dpkg", "-i", "/tmp/amd64.deb"], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:21.71Z", + "pid": 52249, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { 
"char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", 
+ "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2088405Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306385, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2088405Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VRl", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VRw", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.88Z", + "pid": 52264, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY0LTEzMjk2NDkxMTgyLjg4MDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": ["rm", "-f", "/tmp/amd64.deb"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "rm", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", 
"id": 0 }, + "command_line": "rm -f /tmp/amd64.deb", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2202677Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306391, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2202677Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VRw", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VST", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + 
"ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.9Z", + "pid": 52265, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY1LTEzMjk2NDkxMTgyLjkwMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", 
"id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.238083Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306395, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.238083Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VST", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VSi", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52267, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY3LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/readlink", + "args": 
["readlink", "/proc/1/exe"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 
} + ] + }, + "exit_code": 0, + "name": "readlink", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "readlink /proc/1/exe", + "hash": { + "sha1": "4d89f805a4812374ad372c68d133f6efd09d96f3", + "sha256": "284d7f91dd6e02871afb46f19d2aab2cb7571bacb6c382d6df56d5f6f59d7ae8", + "md5": "5eaeababd7dc6bb9348867431cf32f35" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2500353Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306403, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2500353Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VSi", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VSn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-10T20:40:45.2505301Z", + "pid": 52268, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY4LTEzMjk2Njg4ODQ1LjI1MDUzMDEwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + 
{ "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2526149Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306409, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2526149Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VSn", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, 
"name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VSt", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": 
"/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.93Z", + "pid": 52269, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY5LTEzMjk2NDkxMTgyLjkzMDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": ["tr", "[A-Z]", "[a-z]"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { 
"name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "tr [A-Z] [a-z]", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.254846Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306413, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.254846Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VSt", + "category": ["process"], + "type": ["start", "end"], 
+ "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2VSu", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", 
"id": 118 } + ] + }, + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", 
"id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2553271Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306415, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2553271Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2VSu", + "category": ["process"], + "type": ["start", "end"], + "dataset": 
"endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2XeF", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + 
] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:22.93Z", + "pid": 52270, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjcwLTEzMjk2NDkxMTgyLjkzMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": ["systemctl", "enable", "cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { 
"name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "systemctl enable cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:54.8140323Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306671, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:54.8140323Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", 
"exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2XeF", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Xh2", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 1, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": 
"dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/usr/bin/bash" }], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:32.49Z", + "pid": 52305, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzA1LTEzMjk2NDkxMTkyLjQ5MDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": ["systemctl", "start", "cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": 
["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "systemctl start cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:54.9302956Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306683, + "ingested": 
"2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:54.9302956Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Xh2", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2XhM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": ["sudo", "bash"], + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sudo bash", + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 
}, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { "args": ["sudo", "bash"], "args_count": 0, "executable": "/usr/bin/sudo" } + ], + "real_user": { "name": "root", "id": 0 }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": ["bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "root", "id": 0 } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:54.9784941Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306687, + 
"ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:54.9784941Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2XhM", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2Xhd", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": 
"plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": ["sudo", "bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { 
"major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "sudo", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "root", "id": 0 }, + "args_count": 0, + "user": { "name": "root", "id": 0 }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { "name": "root", "id": 0 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:55.0162733Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + 
"mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306693, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:55.0162733Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2Xhd", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "root", "id": 0 }, + "group": { "Ext": { "real": { "name": "root", "id": 0 } }, "name": "root", "id": 0 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2YJX", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + 
"supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52317, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE3LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": ["ps", "aux"], + "name": "ps", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52317, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE3LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": ["ps", "aux"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", 
"id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "ps", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "ps aux", + "hash": { + "sha1": "76f7135d070445f53d96804413ee29026b96c57b", + "sha256": "94391ba36b39a425b349b1ffa7cda195b888e25b8016c8a41fea345ac8c1959f", + "md5": "97b92a84ef38a9298054e3eaeacb42a5" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": 
[ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:58.6289903Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306847, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:58.6289903Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2YJX", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2YJY", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [{ "args": ["-bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52318, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE4LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/usr/bin/grep", + "args": ["grep", "--color=auto", "cmd"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 1, + "same_as_process": false, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 0, + "name": "grep", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + 
"command_line": "grep --color=auto cmd", + "hash": { + "sha1": "b9cedf6bbf2cd89ddaf5e2b7e8c8bddc98b4b037", + "sha256": "2674a998b9a1969477fa71f7d01bebf450733c418a13b52b5b64e758297c72dd", + "md5": "0b1b0e3205c1b31d339a6959c73d5035" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:58.6307219Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306849, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:58.6307219Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2YJY", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", 
+ "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2ZDv", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": false, + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "executable": "/usr/sbin/sshd", + "args": ["/usr/sbin/sshd", "-D", "-R"], + "name": "sshd", + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "/usr/sbin/sshd -D -R", + "group": { "name": "kg", "id": 1000 } + }, + "group_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", 
"id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "previous": [ + { + "args": ["/usr/sbin/sshd", "-D", "-R"], + "args_count": 0, + "executable": "/usr/sbin/sshd" + } + ], + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "session_leader": { + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==" + }, + "real_user": { "name": "kg", "id": 1000 }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": ["-bash"], + "name": "bash", + "tty": { "char_device": { "major": 
4, "minor": 1 }, "type": "char_device" }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "same_as_process": true, + "user": { "name": "kg", "id": 1000 }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { "char_device": { "major": 4, "minor": 1 } }, + "real_group": { "name": "kg", "id": 1000 }, + "args_count": 0, + "user": { "name": "kg", "id": 1000 }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { "name": "kg", "id": 1000 }, + "supplemental_groups": [ + { "name": "adm", "id": 4 }, + { "name": "cdrom", "id": 24 }, + { "name": "sudo", "id": 27 }, + { "name": "dip", "id": 30 }, + { "name": "plugdev", "id": 46 }, + { "name": "lxd", "id": 110 }, + { "name": "docker", "id": 118 } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T21:39:56.8328008Z", + "ecs": { "version": "1.11.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "host": { + "hostname": "codecvlt", + "boot": { "id": "1234" }, + "os": { + "Ext": { "variant": "Ubuntu" }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": 
["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306935, + "ingested": "2022-05-10T21:40:00Z", + "created": "2022-05-10T21:39:56.8328008Z", + "kind": "event", + "module": "endpoint", + "action": ["fork", "exec", "end"], + "id": "MbEL/BDTBn1bDrQw++++2ZDv", + "category": ["process"], + "type": ["start", "end"], + "dataset": "endpoint.events.process" + }, + "user": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 }, + "group": { "Ext": { "real": { "name": "kg", "id": 1000 } }, "name": "kg", "id": 1000 } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UJd", + "source": { + "@timestamp": "2022-05-10T20:40:27.413Z", + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "data_stream": { + "dataset": "endpoint.events.process", + "namespace": "default", + "type": "logs" + }, + "ecs": { "version": "1.11.0" }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "event": { + "action": ["fork", "exec", "end"], + "agent_id_status": "auth_metadata_missing", + "category": ["process"], + "created": "2022-05-10T20:39:23.6898263Z", + "dataset": "endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UJd", + "ingested": "2022-05-10T20:39:29Z", + "kind": "signal", + "module": "endpoint", + "sequence": 305757, + "type": ["start", "end"] + }, + "group": { "Ext": { "real": { "id": 0, "name": "root" } }, "id": 0, "name": "root" }, + "host": { + "architecture": "x86_64", + "hostname": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "name": "codecvlt", + "os": { + "Ext": { "variant": "Ubuntu" }, + "family": "ubuntu", + "full": "Ubuntu 21.10", + "kernel": 
"5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "platform": "ubuntu", + "type": "linux", + "version": "21.10" + } + }, + "kibana": { + "alert": { + "ancestors": [ + { + "depth": 0, + "id": "gFWyr4ABxtjWu-ucwDVk", + "index": ".ds-logs-endpoint.events.process-default-2022.05.04-000001", + "type": "event" + } + ], + "depth": 1, + "original_event": { + "action": "end", + "agent_id_status": "auth_metadata_missing", + "category": ["process"], + "created": "2022-05-10T20:39:23.6898263Z", + "dataset": "endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UJd", + "ingested": "2022-05-10T20:39:29Z", + "kind": "event", + "module": "endpoint", + "sequence": 305757, + "type": ["end"] + }, + "original_time": "2022-05-10T20:39:23.689Z", + "reason": "process event with process ls, parent process bash, by root on codecvlt created low alert ls.", + "risk_score": 21, + "rule": { + "actions": [], + "author": [], + "category": "Custom Query Rule", + "consumer": "siem", + "created_at": "2022-05-06T00:18:58.945Z", + "created_by": "elastic", + "description": "test", + "enabled": true, + "exceptions_list": [], + "execution": { "uuid": "e634d394-a544-4f0b-88d2-36b1b1798a63" }, + "false_positives": [], + "from": "now-360s", + "immutable": false, + "interval": "1m", + "license": "", + "max_signals": 100, + "meta": { + "from": "5m", + "kibana_siem_app_url": "http://192.168.1.253:5602/app/security" + }, + "name": "ls", + "parameters": { + "author": [], + "description": "test", + "exceptions_list": [], + "false_positives": [], + "filters": [], + "from": "now-360s", + "immutable": false, + "index": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "language": "kuery", + "license": "", + "max_signals": 100, + "meta": { + "from": "5m", + "kibana_siem_app_url": "http://192.168.1.253:5602/app/security" + }, + "query": "process.executable: /usr/bin/ls", + 
"references": [], + "risk_score": 21, + "risk_score_mapping": [], + "rule_id": "73cd463b-bcb7-4b31-9452-5f8f35b151c0", + "severity": "low", + "severity_mapping": [], + "threat": [], + "to": "now", + "type": "query", + "version": 1 + }, + "producer": "siem", + "references": [], + "risk_score": 21, + "risk_score_mapping": [], + "rule_id": "73cd463b-bcb7-4b31-9452-5f8f35b151c0", + "rule_type_id": "siem.queryRule", + "severity": "low", + "severity_mapping": [], + "tags": [], + "threat": [], + "to": "now", + "type": "query", + "updated_at": "2022-05-06T00:19:00.432Z", + "updated_by": "elastic", + "uuid": "1f6146b0-ccd2-11ec-9418-bd1502dcc7c7", + "version": 1 + }, + "severity": "low", + "status": "active", + "uuid": "4f0807c33cdd2f19cbfff090710b20b649d7f38c012c3c5d64179a4a35b3b775", + "workflow_status": "open" + }, + "space_ids": ["default"], + "version": "8.3.0" + }, + "message": "Endpoint process event", + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "args": ["ls", "--color=auto"], + "args_count": 0, + "command_line": "ls --color=auto", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAxLTEzMjk2NDkxMTAxLjM1MDAwMDAwMA==", + "entry_leader": { + "args": ["-bash"], + "args_count": 1, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "executable": "/bin/bash", + "group": { "id": 1000, "name": "kg" }, + "interactive": true, + "name": "bash", + "parent": { + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "pid": 52056, + "start": "2022-05-08T13:44:00.06Z" + }, + "pid": 52057, + "real_group": { "id": 1000, "name": "kg" }, + "real_user": { "id": 1000, "name": "kg" }, + "same_as_process": false, + "start": "2022-05-08T13:44:00.13Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 1000, "name": "kg" }, + "working_directory": "/home/kg" + }, + "executable": "/usr/bin/ls", + "exit_code": 0, + "group": { "id": 0, "name": "root" }, + "group_leader": { + "args": ["ls", "--color=auto"], + "args_count": 0, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAxLTEzMjk2NDkxMTAxLjM1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "group": { "id": 0, "name": "root" }, + "interactive": true, + "name": "ls", + "pid": 52201, + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "same_as_process": true, + "start": "2022-05-08T13:45:01.35Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/etc" + 
}, + "hash": { + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f", + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f" + }, + "interactive": true, + "name": "ls", + "parent": { + "args": ["bash"], + "args_count": 1, + "command_line": "bash", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "group": { "id": 0, "name": "root" }, + "interactive": true, + "name": "bash", + "pid": 52194, + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "start": "2022-05-08T13:44:57.8Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/home/kg" + }, + "pid": 52201, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "session_leader": { + "args": ["-bash"], + "args_count": 1, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "group": { "id": 1000, "name": "kg" }, + "interactive": true, + "name": "bash", + "pid": 52057, + "real_group": { "id": 1000, "name": "kg" }, + "real_user": { "id": 1000, "name": "kg" }, + "same_as_process": false, + "start": "2022-05-08T13:44:00.13Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + 
"tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 1000, "name": "kg" }, + "working_directory": "/home/kg" + }, + "start": "2022-05-08T13:45:01.35Z", + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/etc" + }, + "user": { "Ext": { "real": { "id": 0, "name": "root" } }, "id": 0, "name": "root" } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UK+", + "source": { + "@timestamp": "2022-05-10T20:40:27.420Z", + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "data_stream": { + "dataset": "endpoint.events.process", + "namespace": "default", + "type": "logs" + }, + "ecs": { "version": "1.11.0" }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "event": { + "action": ["fork", "exec", "end"], + "agent_id_status": "auth_metadata_missing", + "category": ["process"], + "created": "2022-05-10T20:39:26.4869806Z", + "dataset": "endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UK+", + "ingested": "2022-05-10T20:39:29Z", + "kind": "signal", + "module": "endpoint", + "sequence": 305763, + "type": ["start", "end"] + }, + "group": { "Ext": { "real": { "id": 0, "name": "root" } }, "id": 0, "name": "root" }, + "host": { + "architecture": "x86_64", + "hostname": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "name": "codecvlt", + "os": { + "Ext": { "variant": "Ubuntu" }, + "family": "ubuntu", + "full": "Ubuntu 21.10", + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "platform": "ubuntu", + "type": "linux", + "version": "21.10" + } + }, + "kibana": { + "alert": { + 
"ancestors": [ + { + "depth": 0, + "id": "g1Wyr4ABxtjWu-ucwDVk", + "index": ".ds-logs-endpoint.events.process-default-2022.05.04-000001", + "type": "event" + } + ], + "depth": 1, + "original_event": { + "action": "end", + "agent_id_status": "auth_metadata_missing", + "category": ["process"], + "created": "2022-05-10T20:39:26.4869806Z", + "dataset": "endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UK+", + "ingested": "2022-05-10T20:39:29Z", + "kind": "event", + "module": "endpoint", + "sequence": 305763, + "type": ["end"] + }, + "original_time": "2022-05-10T20:39:26.486Z", + "reason": "process event with process ls, parent process bash, by root on codecvlt created low alert ls.", + "risk_score": 21, + "rule": { + "actions": [], + "author": [], + "category": "Custom Query Rule", + "consumer": "siem", + "created_at": "2022-05-06T00:18:58.945Z", + "created_by": "elastic", + "description": "test", + "enabled": true, + "exceptions_list": [], + "execution": { "uuid": "e634d394-a544-4f0b-88d2-36b1b1798a63" }, + "false_positives": [], + "from": "now-360s", + "immutable": false, + "interval": "1m", + "license": "", + "max_signals": 100, + "meta": { + "from": "5m", + "kibana_siem_app_url": "http://192.168.1.253:5602/app/security" + }, + "name": "ls", + "parameters": { + "author": [], + "description": "test", + "exceptions_list": [], + "false_positives": [], + "filters": [], + "from": "now-360s", + "immutable": false, + "index": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "language": "kuery", + "license": "", + "max_signals": 100, + "meta": { + "from": "5m", + "kibana_siem_app_url": "http://192.168.1.253:5602/app/security" + }, + "query": "process.executable: /usr/bin/ls", + "references": [], + "risk_score": 21, + "risk_score_mapping": [], + "rule_id": "73cd463b-bcb7-4b31-9452-5f8f35b151c0", + "severity": "low", + "severity_mapping": [], + "threat": [], + "to": "now", + 
"type": "query", + "version": 1 + }, + "producer": "siem", + "references": [], + "risk_score": 21, + "risk_score_mapping": [], + "rule_id": "73cd463b-bcb7-4b31-9452-5f8f35b151c0", + "rule_type_id": "siem.queryRule", + "severity": "low", + "severity_mapping": [], + "tags": [], + "threat": [], + "to": "now", + "type": "query", + "updated_at": "2022-05-06T00:19:00.432Z", + "updated_by": "elastic", + "uuid": "1f6146b0-ccd2-11ec-9418-bd1502dcc7c7", + "version": 1 + }, + "severity": "low", + "status": "active", + "uuid": "8b1147de333111a8dc3020b14fce7e135dd7248de9bb1514b44ceb328df63cce", + "workflow_status": "open" + }, + "space_ids": ["default"], + "version": "8.3.0" + }, + "message": "Endpoint process event", + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "args": ["ls", "--color=auto"], + "args_count": 0, + "command_line": "ls --color=auto", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAyLTEzMjk2NDkxMTA0LjE1MDAwMDAwMA==", + "entry_leader": { + "args": ["-bash"], + "args_count": 1, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "executable": "/bin/bash", + "group": { "id": 1000, "name": "kg" }, 
+ "interactive": true, + "name": "bash", + "parent": { + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "pid": 52056, + "start": "2022-05-08T13:44:00.06Z" + }, + "pid": 52057, + "real_group": { "id": 1000, "name": "kg" }, + "real_user": { "id": 1000, "name": "kg" }, + "same_as_process": false, + "start": "2022-05-08T13:44:00.13Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 1000, "name": "kg" }, + "working_directory": "/home/kg" + }, + "executable": "/usr/bin/ls", + "exit_code": 0, + "group": { "id": 0, "name": "root" }, + "group_leader": { + "args": ["ls", "--color=auto"], + "args_count": 0, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAyLTEzMjk2NDkxMTA0LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "group": { "id": 0, "name": "root" }, + "interactive": true, + "name": "ls", + "pid": 52202, + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "same_as_process": true, + "start": "2022-05-08T13:45:04.15Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/etc/cmd" + }, + "hash": { + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f", + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f" + }, + "interactive": true, + 
"name": "ls", + "parent": { + "args": ["bash"], + "args_count": 1, + "command_line": "bash", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "group": { "id": 0, "name": "root" }, + "interactive": true, + "name": "bash", + "pid": 52194, + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "start": "2022-05-08T13:44:57.8Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/home/kg" + }, + "pid": 52202, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "session_leader": { + "args": ["-bash"], + "args_count": 1, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "group": { "id": 1000, "name": "kg" }, + "interactive": true, + "name": "bash", + "pid": 52057, + "real_group": { "id": 1000, "name": "kg" }, + "real_user": { "id": 1000, "name": "kg" }, + "same_as_process": false, + "start": "2022-05-08T13:44:00.13Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 1000, "name": "kg" }, + "working_directory": "/home/kg" + }, + "start": "2022-05-08T13:45:04.15Z", + "tty": { "char_device": { 
"major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/etc/cmd" + }, + "user": { "Ext": { "real": { "id": 0, "name": "root" } }, "id": 0, "name": "root" } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UKD", + "source": { + "@timestamp": "2022-05-10T20:40:27.423Z", + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "data_stream": { + "dataset": "endpoint.events.process", + "namespace": "default", + "type": "logs" + }, + "ecs": { "version": "1.11.0" }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "event": { + "action": ["fork", "exec", "end"], + "agent_id_status": "auth_metadata_missing", + "category": ["process"], + "created": "2022-05-10T20:39:27.4767624Z", + "dataset": "endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UKD", + "ingested": "2022-05-10T20:39:29Z", + "kind": "signal", + "module": "endpoint", + "sequence": 305769, + "type": ["start", "end"] + }, + "group": { "Ext": { "real": { "id": 0, "name": "root" } }, "id": 0, "name": "root" }, + "host": { + "architecture": "x86_64", + "hostname": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "name": "codecvlt", + "os": { + "Ext": { "variant": "Ubuntu" }, + "family": "ubuntu", + "full": "Ubuntu 21.10", + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "platform": "ubuntu", + "type": "linux", + "version": "21.10" + } + }, + "kibana": { + "alert": { + "ancestors": [ + { + "depth": 0, + "id": "hlWyr4ABxtjWu-ucwDVk", + "index": ".ds-logs-endpoint.events.process-default-2022.05.04-000001", + "type": "event" + } + ], + "depth": 1, + "original_event": { + "action": "end", + 
"agent_id_status": "auth_metadata_missing", + "category": ["process"], + "created": "2022-05-10T20:39:27.4767624Z", + "dataset": "endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UKD", + "ingested": "2022-05-10T20:39:29Z", + "kind": "event", + "module": "endpoint", + "sequence": 305769, + "type": ["end"] + }, + "original_time": "2022-05-10T20:39:27.476Z", + "reason": "process event with process ls, parent process bash, by root on codecvlt created low alert ls.", + "risk_score": 21, + "rule": { + "actions": [], + "author": [], + "category": "Custom Query Rule", + "consumer": "siem", + "created_at": "2022-05-06T00:18:58.945Z", + "created_by": "elastic", + "description": "test", + "enabled": true, + "exceptions_list": [], + "execution": { "uuid": "e634d394-a544-4f0b-88d2-36b1b1798a63" }, + "false_positives": [], + "from": "now-360s", + "immutable": false, + "interval": "1m", + "license": "", + "max_signals": 100, + "meta": { + "from": "5m", + "kibana_siem_app_url": "http://192.168.1.253:5602/app/security" + }, + "name": "ls", + "parameters": { + "author": [], + "description": "test", + "exceptions_list": [], + "false_positives": [], + "filters": [], + "from": "now-360s", + "immutable": false, + "index": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "language": "kuery", + "license": "", + "max_signals": 100, + "meta": { + "from": "5m", + "kibana_siem_app_url": "http://192.168.1.253:5602/app/security" + }, + "query": "process.executable: /usr/bin/ls", + "references": [], + "risk_score": 21, + "risk_score_mapping": [], + "rule_id": "73cd463b-bcb7-4b31-9452-5f8f35b151c0", + "severity": "low", + "severity_mapping": [], + "threat": [], + "to": "now", + "type": "query", + "version": 1 + }, + "producer": "siem", + "references": [], + "risk_score": 21, + "risk_score_mapping": [], + "rule_id": "73cd463b-bcb7-4b31-9452-5f8f35b151c0", + "rule_type_id": "siem.queryRule", + 
"severity": "low", + "severity_mapping": [], + "tags": [], + "threat": [], + "to": "now", + "type": "query", + "updated_at": "2022-05-06T00:19:00.432Z", + "updated_by": "elastic", + "uuid": "1f6146b0-ccd2-11ec-9418-bd1502dcc7c7", + "version": 1 + }, + "severity": "low", + "status": "active", + "uuid": "c578ebc0d2ea55c33b58f0088ea93f03d78615974c4f60d2e30b12c3e82f7c67", + "workflow_status": "open" + }, + "space_ids": ["default"], + "version": "8.3.0" + }, + "message": "Endpoint process event", + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "args": ["ls", "--color=auto"], + "args_count": 0, + "command_line": "ls --color=auto", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAzLTEzMjk2NDkxMTA1LjE1MDAwMDAwMA==", + "entry_leader": { + "args": ["-bash"], + "args_count": 1, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "executable": "/bin/bash", + "group": { "id": 1000, "name": "kg" }, + "interactive": true, + "name": "bash", + "parent": { + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "pid": 52056, + "start": "2022-05-08T13:44:00.06Z" + }, + 
"pid": 52057, + "real_group": { "id": 1000, "name": "kg" }, + "real_user": { "id": 1000, "name": "kg" }, + "same_as_process": false, + "start": "2022-05-08T13:44:00.13Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 1000, "name": "kg" }, + "working_directory": "/home/kg" + }, + "executable": "/usr/bin/ls", + "exit_code": 0, + "group": { "id": 0, "name": "root" }, + "group_leader": { + "args": ["ls", "--color=auto"], + "args_count": 0, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAzLTEzMjk2NDkxMTA1LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "group": { "id": 0, "name": "root" }, + "interactive": true, + "name": "ls", + "pid": 52203, + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "same_as_process": true, + "start": "2022-05-08T13:45:05.15Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/etc/cmd" + }, + "hash": { + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f", + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f" + }, + "interactive": true, + "name": "ls", + "parent": { + "args": ["bash"], + "args_count": 1, + "command_line": "bash", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": 
"/bin/bash", + "group": { "id": 0, "name": "root" }, + "interactive": true, + "name": "bash", + "pid": 52194, + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "start": "2022-05-08T13:44:57.8Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/home/kg" + }, + "pid": 52203, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "session_leader": { + "args": ["-bash"], + "args_count": 1, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "group": { "id": 1000, "name": "kg" }, + "interactive": true, + "name": "bash", + "pid": 52057, + "real_group": { "id": 1000, "name": "kg" }, + "real_user": { "id": 1000, "name": "kg" }, + "same_as_process": false, + "start": "2022-05-08T13:44:00.13Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 1000, "name": "kg" }, + "working_directory": "/home/kg" + }, + "start": "2022-05-08T13:45:05.15Z", + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/etc/cmd" + }, + "user": { "Ext": { "real": { "id": 0, "name": "root" } }, "id": 0, "name": "root" } + } 
+ } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UKq", + "source": { + "@timestamp": "2022-05-10T20:40:27.426Z", + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "data_stream": { + "dataset": "endpoint.events.process", + "namespace": "default", + "type": "logs" + }, + "ecs": { "version": "1.11.0" }, + "elastic": { "agent": { "id": "01010101-0101-0101-0101-010101010101" } }, + "event": { + "action": ["fork", "exec", "end"], + "agent_id_status": "auth_metadata_missing", + "category": ["process"], + "created": "2022-05-10T20:39:28.4223867Z", + "dataset": "endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UKq", + "ingested": "2022-05-10T20:39:39Z", + "kind": "signal", + "module": "endpoint", + "sequence": 305775, + "type": ["start", "end"] + }, + "group": { "Ext": { "real": { "id": 0, "name": "root" } }, "id": 0, "name": "root" }, + "host": { + "architecture": "x86_64", + "hostname": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "ip": ["172.17.0.1", "127.0.0.1", "::1", "10.0.2.15", "fe80::a00:27ff:fed8:d0c7"], + "mac": ["02:42:7e:91:e2:fc", "08:00:27:d8:d0:c7"], + "name": "codecvlt", + "os": { + "Ext": { "variant": "Ubuntu" }, + "family": "ubuntu", + "full": "Ubuntu 21.10", + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "platform": "ubuntu", + "type": "linux", + "version": "21.10" + } + }, + "kibana": { + "alert": { + "ancestors": [ + { + "depth": 0, + "id": "ilWyr4ABxtjWu-uc6TUp", + "index": ".ds-logs-endpoint.events.process-default-2022.05.04-000001", + "type": "event" + } + ], + "depth": 1, + "original_event": { + "action": "end", + "agent_id_status": "auth_metadata_missing", + "category": ["process"], + "created": "2022-05-10T20:39:28.4223867Z", + "dataset": "endpoint.events.process", + "id": "MbEL/BDTBn1bDrQw++++2UKq", + "ingested": "2022-05-10T20:39:39Z", 
+ "kind": "event", + "module": "endpoint", + "sequence": 305775, + "type": ["end"] + }, + "original_time": "2022-05-10T20:39:28.422Z", + "reason": "process event with process ls, parent process bash, by root on codecvlt created low alert ls.", + "risk_score": 21, + "rule": { + "actions": [], + "author": [], + "category": "Custom Query Rule", + "consumer": "siem", + "created_at": "2022-05-06T00:18:58.945Z", + "created_by": "elastic", + "description": "test", + "enabled": true, + "exceptions_list": [], + "execution": { "uuid": "e634d394-a544-4f0b-88d2-36b1b1798a63" }, + "false_positives": [], + "from": "now-360s", + "immutable": false, + "interval": "1m", + "license": "", + "max_signals": 100, + "meta": { + "from": "5m", + "kibana_siem_app_url": "http://192.168.1.253:5602/app/security" + }, + "name": "ls", + "parameters": { + "author": [], + "description": "test", + "exceptions_list": [], + "false_positives": [], + "filters": [], + "from": "now-360s", + "immutable": false, + "index": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "language": "kuery", + "license": "", + "max_signals": 100, + "meta": { + "from": "5m", + "kibana_siem_app_url": "http://192.168.1.253:5602/app/security" + }, + "query": "process.executable: /usr/bin/ls", + "references": [], + "risk_score": 21, + "risk_score_mapping": [], + "rule_id": "73cd463b-bcb7-4b31-9452-5f8f35b151c0", + "severity": "low", + "severity_mapping": [], + "threat": [], + "to": "now", + "type": "query", + "version": 1 + }, + "producer": "siem", + "references": [], + "risk_score": 21, + "risk_score_mapping": [], + "rule_id": "73cd463b-bcb7-4b31-9452-5f8f35b151c0", + "rule_type_id": "siem.queryRule", + "severity": "low", + "severity_mapping": [], + "tags": [], + "threat": [], + "to": "now", + "type": "query", + "updated_at": "2022-05-06T00:19:00.432Z", + "updated_by": "elastic", + "uuid": "1f6146b0-ccd2-11ec-9418-bd1502dcc7c7", + 
"version": 1 + }, + "severity": "low", + "status": "active", + "uuid": "9aa8164b63dec1bc49ad482b22d258eac86ba18f78bddad56f19af9bd02f7c95", + "workflow_status": "open" + }, + "space_ids": ["default"], + "version": "8.3.0" + }, + "message": "Endpoint process event", + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "args": ["ls", "--color=auto", "-la"], + "args_count": 0, + "command_line": "ls --color=auto -la", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA0LTEzMjk2NDkxMTA2LjgwMDAwMDAw", + "entry_leader": { + "args": ["-bash"], + "args_count": 1, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "entry_meta": { "source": { "ip": "10.0.2.2" }, "type": "sshd" }, + "executable": "/bin/bash", + "group": { "id": 1000, "name": "kg" }, + "interactive": true, + "name": "bash", + "parent": { + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "pid": 52056, + "start": "2022-05-08T13:44:00.06Z" + }, + "pid": 52057, + "real_group": { "id": 1000, "name": "kg" }, + "real_user": { "id": 1000, "name": "kg" }, + "same_as_process": false, + "start": "2022-05-08T13:44:00.13Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" 
}, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 1000, "name": "kg" }, + "working_directory": "/home/kg" + }, + "executable": "/usr/bin/ls", + "exit_code": 0, + "group": { "id": 0, "name": "root" }, + "group_leader": { + "args": ["ls", "--color=auto", "-la"], + "args_count": 0, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA0LTEzMjk2NDkxMTA2LjgwMDAwMDAw", + "executable": "/usr/bin/ls", + "group": { "id": 0, "name": "root" }, + "interactive": true, + "name": "ls", + "pid": 52204, + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "same_as_process": true, + "start": "2022-05-08T13:45:06.08Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/etc/cmd" + }, + "hash": { + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f", + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f" + }, + "interactive": true, + "name": "ls", + "parent": { + "args": ["bash"], + "args_count": 1, + "command_line": "bash", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "group": { "id": 0, "name": "root" }, + "interactive": true, + "name": "bash", + "pid": 52194, + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "start": 
"2022-05-08T13:44:57.8Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/home/kg" + }, + "pid": 52204, + "previous": [{ "args": ["bash"], "args_count": 0, "executable": "/bin/bash" }], + "real_group": { "id": 0, "name": "root" }, + "real_user": { "id": 0, "name": "root" }, + "session_leader": { + "args": ["-bash"], + "args_count": 1, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "group": { "id": 1000, "name": "kg" }, + "interactive": true, + "name": "bash", + "pid": 52057, + "real_group": { "id": 1000, "name": "kg" }, + "real_user": { "id": 1000, "name": "kg" }, + "same_as_process": false, + "start": "2022-05-08T13:44:00.13Z", + "supplemental_groups": [ + { "id": 4, "name": "adm" }, + { "id": 24, "name": "cdrom" }, + { "id": 27, "name": "sudo" }, + { "id": 30, "name": "dip" }, + { "id": 46, "name": "plugdev" }, + { "id": 110, "name": "lxd" }, + { "id": 118, "name": "docker" } + ], + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 1000, "name": "kg" }, + "working_directory": "/home/kg" + }, + "start": "2022-05-08T13:45:06.08Z", + "tty": { "char_device": { "major": 136, "minor": 0 }, "type": "char_device" }, + "user": { "id": 0, "name": "root" }, + "working_directory": "/etc/cmd" + }, + "user": { "Ext": { "real": { "id": 0, "name": "root" } }, "id": 0, "name": "root" } + } + } + } 
diff --git a/x-pack/test/functional/es_archives/session_view/process_events_merged/mappings.json b/x-pack/test/functional/es_archives/session_view/process_events_merged/mappings.json new file mode 100644 index 000000000000..73d8976d554e --- /dev/null +++ b/x-pack/test/functional/es_archives/session_view/process_events_merged/mappings.json @@ -0,0 +1,37 @@ +{ + "type": "index", + "value": { + "index": "logs-endpoint.events.process", + "mappings": { + "properties": { + "message": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "process.entry_leader.entity_id": { + "type": "keyword", + "ignore_above": 256 + }, + "event.action": { + "type": "keyword", + "ignore_above": 256 + }, + "process.tty.char_device.major": { + "type": "long" + }, + "process.tty.char_device.minor": { + "type": "long" + }, + "host.id": { + "type": "keyword" + } + } + } + } +} + diff --git a/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/async_search.ts b/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/async_search.ts index d37d8a937601..465681a1a210 100644 --- a/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/async_search.ts +++ b/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/async_search.ts @@ -16,6 +16,8 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const dashboardPanelActions = getService('dashboardPanelActions'); const queryBar = getService('queryBar'); const elasticChart = getService('elasticChart'); + const dashboardExpect = getService('dashboardExpect'); + const xyChartSelector = 'xyVisChart'; const enableNewChartLibraryDebug = async () => { 
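Review bot: Only `process.entry_leader.entity_id` gets an explicit `keyword` mapping here, while the fixture documents also carry `process.entity_id`, `process.parent.entity_id` and `process.session_leader.entity_id` (mixed-case base64 strings); under dynamic mapping those become `text` with a `.keyword` subfield, so a term-level filter or aggregation on them would behave differently from the real endpoint package mapping. If the covered session view tests only filter on `entry_leader.entity_id` this is harmless; otherwise add the other entity_id fields as `"type": "keyword"` next to it. Likewise `@timestamp` relies on date detection rather than an explicit `"@timestamp": { "type": "date" }`, which works for the ISO strings in the data but is worth pinning so a future fixture edit cannot silently turn the field into text.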
@@ -36,7 +38,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 await PageObjects.common.navigateToApp('dashboard');
 await PageObjects.dashboard.loadSavedDashboard('Not Delayed');
 await PageObjects.header.waitUntilLoadingHasFinished();
- await testSubjects.missingOrFail('embeddableError');
+ await dashboardExpect.noErrorEmbeddablesPresent();
 await enableNewChartLibraryDebug();
 const data = await PageObjects.visChart.getBarChartData(xyChartSelector, 'Sum of bytes');
 expect(data.length).to.be(5);
@@ -46,7 +48,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 await PageObjects.common.navigateToApp('dashboard');
 await PageObjects.dashboard.loadSavedDashboard('Delayed 5s');
 await PageObjects.header.waitUntilLoadingHasFinished();
- await testSubjects.missingOrFail('embeddableError');
+ await dashboardExpect.noErrorEmbeddablesPresent();
 await enableNewChartLibraryDebug();
 const data = await PageObjects.visChart.getBarChartData(xyChartSelector, 'Sum of bytes');
 expect(data.length).to.be(5);
diff --git a/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/save_search_session.ts b/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/save_search_session.ts
index 456f81aa87bc..8f3cb7f3b8a8 100644
--- a/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/save_search_session.ts
+++ b/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/save_search_session.ts
@@ -25,6 +25,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 const queryBar = getService('queryBar');
 const elasticChart = getService('elasticChart');
 const toasts = getService('toasts');
+ const dashboardExpect = getService('dashboardExpect');
 const enableNewChartLibraryDebug = async () => {
 await elasticChart.setNewChartUiDebugFlag();
@@ -63,7 +64,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 await queryBar.clickQuerySubmitButton();
 await PageObjects.header.waitUntilLoadingHasFinished();
 await searchSessions.expectState('completed');
- await testSubjects.missingOrFail('embeddableError');
+ await dashboardExpect.noErrorEmbeddablesPresent();
 const session2 = await dashboardPanelActions.getSearchSessionIdByTitle(
 'Sum of Bytes by Extension'
 );
@@ -104,7 +105,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 // Check that session is restored
 await searchSessions.expectState('restored');
- await testSubjects.missingOrFail('embeddableError');
+ await dashboardExpect.noErrorEmbeddablesPresent();
 // switching dashboard to edit mode (or any other non-fetch required) state change
 // should leave session state untouched
diff --git a/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/save_search_session_relative_time.ts b/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/save_search_session_relative_time.ts
index 86c36241b9ca..ad46f0a2add8 100644
--- a/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/save_search_session_relative_time.ts
+++ b/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/save_search_session_relative_time.ts
@@ -9,7 +9,6 @@ import expect from '@kbn/expect';
 import { FtrProviderContext } from '../../../../ftr_provider_context';
 export default function ({ getService, getPageObjects }: FtrProviderContext) {
- const testSubjects = getService('testSubjects');
 const log = getService('log');
 const retry = getService('retry');
 const PageObjects = getPageObjects([
@@ -85,7 +84,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 async function checkSampleDashboardLoaded(visualizationContainer?: string) {
 log.debug('Checking no error labels');
- await testSubjects.missingOrFail('embeddableError');
+ await dashboardExpect.noErrorEmbeddablesPresent();
 log.debug('Checking charts rendered');
 await elasticChart.waitForRenderComplete(visualizationContainer ?? 'lnsVisualizationContainer');
 log.debug('Checking saved searches rendered');
diff --git a/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/session_searches_integration.ts b/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/session_searches_integration.ts
index d7974555a247..cffd9db8dd12 100644
--- a/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/session_searches_integration.ts
+++ b/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/session_searches_integration.ts
@@ -27,6 +27,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 const listingTable = getService('listingTable');
 const testSubjects = getService('testSubjects');
 const elasticChart = getService('elasticChart');
+ const dashboardExpect = getService('dashboardExpect');
 describe('Session and searches integration', () => {
 before(async function () {
@@ -195,7 +196,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 await searchSessionItem.view();
 expect(await toasts.getToastCount()).to.be(0); // there should be no warnings
 await searchSessions.expectState('restored', 20000);
- await testSubjects.missingOrFail('embeddableError');
+ await dashboardExpect.noErrorEmbeddablesPresent();
 const data = await elasticChart.getChartDebugData();
 expect(data!.bars![0].bars.length).to.eql(4);
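Review bot: In save_search_session_relative_time.ts the added line `await dashboardExpect.noErrorEmbeddablesPresent();` uses `dashboardExpect`, but no hunk in this file declares it, while the other files in this commit each add `const dashboardExpect = getService('dashboardExpect');`. The one-line shift between the two hunks (`-85` to `+84`) suggests nothing was inserted earlier in the file by this change, so the service was presumably already declared there before; worth confirming it is in scope for `checkSampleDashboardLoaded`, because a missing declaration only surfaces when the functional-test bundle is type-checked. The body of `checkSampleDashboardLoaded` continues outside the hunk.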
diff --git a/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/sessions_in_space.ts b/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/sessions_in_space.ts
index e7cefd782f9a..c5851c44365d 100644
--- a/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/sessions_in_space.ts
+++ b/x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/sessions_in_space.ts
@@ -9,7 +9,6 @@ import expect from '@kbn/expect';
 import { FtrProviderContext } from '../../../../ftr_provider_context';
 export default function ({ getService, getPageObjects }: FtrProviderContext) {
- const testSubjects = getService('testSubjects');
 const spacesService = getService('spaces');
 const security = getService('security');
 const PageObjects = getPageObjects([
@@ -26,6 +25,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 const searchSessions = getService('searchSessions');
 const kibanaServer = getService('kibanaServer');
 const toasts = getService('toasts');
+ const dashboardExpect = getService('dashboardExpect');
 describe('dashboard in space', () => {
 afterEach(async () => await clean());
@@ -67,7 +67,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 // Check that session is restored
 await searchSessions.expectState('restored');
- await testSubjects.missingOrFail('embeddableError');
+ await dashboardExpect.noErrorEmbeddablesPresent();
 expect(await toasts.getToastCount()).to.be(0); // no session restoration related warnings
 });
 });
diff --git a/x-pack/test/session_view/basic/tests/process_events_route.ts b/x-pack/test/session_view/basic/tests/process_events_route.ts
index c44279cf39dc..18f272e0e02d 100644
--- a/x-pack/test/session_view/basic/tests/process_events_route.ts
+++ b/x-pack/test/session_view/basic/tests/process_events_route.ts
@@ -43,128 +43,154 @@ export default function processEventsTests({ getService }: FtrProviderContext) { const esArchiver = getService('esArchiver'); describe(`Session view - ${PROCESS_EVENTS_ROUTE} - with a basic license`, () => { - before(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/session_view/process_events'); - await esArchiver.load('x-pack/test/functional/es_archives/session_view/alerts'); - await esArchiver.load('x-pack/test/functional/es_archives/session_view/io_events'); - }); - - after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/session_view/process_events'); - await esArchiver.unload('x-pack/test/functional/es_archives/session_view/alerts'); - await esArchiver.unload('x-pack/test/functional/es_archives/session_view/io_events'); - }); + describe(`using typical process event data`, () => { + before(async () => { + await esArchiver.load('x-pack/test/functional/es_archives/session_view/process_events'); + await esArchiver.load('x-pack/test/functional/es_archives/session_view/alerts'); + await esArchiver.load('x-pack/test/functional/es_archives/session_view/io_events'); + }); - it(`${PROCESS_EVENTS_ROUTE} returns a page of process events`, async () => { - const response = await supertest.get(PROCESS_EVENTS_ROUTE).set('kbn-xsrf', 'foo').query({ - sessionEntityId: MOCK_SESSION_ENTITY_ID, - pageSize: MOCK_PAGE_SIZE, // overriding to test pagination, as we only have 419 records of mock data + after(async () => { + await esArchiver.unload('x-pack/test/functional/es_archives/session_view/process_events'); + await esArchiver.unload('x-pack/test/functional/es_archives/session_view/alerts'); + await esArchiver.unload('x-pack/test/functional/es_archives/session_view/io_events'); }); - expect(response.status).to.be(200); - expect(response.body.total).to.be(MOCK_TOTAL_PROCESS_EVENTS); - expect(response.body.events.length).to.be(MOCK_PAGE_SIZE + ALERTS_IN_FIRST_PAGE); - }); - it(`${PROCESS_EVENTS_ROUTE} returns a 
page of process events (w alerts) (paging forward)`, async () => { - const response = await supertest.get(PROCESS_EVENTS_ROUTE).set('kbn-xsrf', 'foo').query({ - sessionEntityId: MOCK_SESSION_ENTITY_ID, - pageSize: MOCK_PAGE_SIZE, // overriding to test pagination, as we only have 419 records of mock data - cursor: '2022-05-10T20:39:23.6817084Z', // paginating from the timestamp of the first alert. + it(`${PROCESS_EVENTS_ROUTE} returns a page of process events`, async () => { + const response = await supertest.get(PROCESS_EVENTS_ROUTE).set('kbn-xsrf', 'foo').query({ + sessionEntityId: MOCK_SESSION_ENTITY_ID, + pageSize: MOCK_PAGE_SIZE, // overriding to test pagination, as we only have 419 records of mock data + }); + expect(response.status).to.be(200); + expect(response.body.total).to.be(MOCK_TOTAL_PROCESS_EVENTS); + expect(response.body.events.length).to.be(MOCK_PAGE_SIZE + ALERTS_IN_FIRST_PAGE); }); - expect(response.status).to.be(200); - const alerts = response.body.events.filter( - (event: any) => event._source.event.kind === 'signal' - ); + it(`${PROCESS_EVENTS_ROUTE} returns a page of process events (w alerts) (paging forward)`, async () => { + const response = await supertest.get(PROCESS_EVENTS_ROUTE).set('kbn-xsrf', 'foo').query({ + sessionEntityId: MOCK_SESSION_ENTITY_ID, + pageSize: MOCK_PAGE_SIZE, // overriding to test pagination, as we only have 419 records of mock data + cursor: '2022-05-10T20:39:23.6817084Z', // paginating from the timestamp of the first alert. 
+ }); + expect(response.status).to.be(200); - expect(alerts.length).to.above(0); - }); + const alerts = response.body.events.filter( + (event: any) => event._source.event.kind === 'signal' + ); - it(`${PROCESS_EVENTS_ROUTE} returns a page of process events (w alerts) (paging backwards)`, async () => { - const response = await supertest.get(PROCESS_EVENTS_ROUTE).set('kbn-xsrf', 'foo').query({ - sessionEntityId: MOCK_SESSION_ENTITY_ID, - pageSize: MOCK_PAGE_SIZE, // overriding to test pagination, as we only have 419 records of mock data - cursor: '2022-05-10T20:39:23.6817084Z', - forward: false, + expect(alerts.length).to.above(0); }); - expect(response.status).to.be(200); - const alerts = response.body.events.filter( - (event: any) => event._source.event.kind === 'signal' - ); + it(`${PROCESS_EVENTS_ROUTE} returns a page of process events (w alerts) (paging backwards)`, async () => { + const response = await supertest.get(PROCESS_EVENTS_ROUTE).set('kbn-xsrf', 'foo').query({ + sessionEntityId: MOCK_SESSION_ENTITY_ID, + pageSize: MOCK_PAGE_SIZE, // overriding to test pagination, as we only have 419 records of mock data + cursor: '2022-05-10T20:39:23.6817084Z', + forward: false, + }); + expect(response.status).to.be(200); - expect(alerts.length).to.be(1); // only one since we are starting at the cursor of the first alert in the esarchiver data, and working backwards. + const alerts = response.body.events.filter( + (event: any) => event._source.event.kind === 'signal' + ); - const events = response.body.events.filter( - (event: any) => event._source.event.kind === 'event' - ); + expect(alerts.length).to.be(1); // only one since we are starting at the cursor of the first alert in the esarchiver data, and working backwards. 
- expect(events[0]._source['@timestamp']).to.be.below( - events[events.length - 1]._source['@timestamp'] - ); - }); + const events = response.body.events.filter( + (event: any) => event._source.event.kind === 'event' + ); - function addTests({ authorizedUsers, unauthorizedUsers }: TestCase) { - authorizedUsers.forEach(({ username, password }) => { - it(`${username} should be able to view alerts in session view`, async () => { - const response = await supertestWithoutAuth - .get(`${PROCESS_EVENTS_ROUTE}`) - .auth(username, password) - .set('kbn-xsrf', 'true') - .query({ - sessionEntityId: MOCK_SESSION_ENTITY_ID, - pageSize: MOCK_PAGE_SIZE, // overriding to test pagination, as we only have 419 records of mock data - cursor: '2022-05-10T20:39:23.6817084Z', // paginating from the timestamp of the first alert. - }); - expect(response.status).to.be(200); - - const alerts = response.body.events.filter( - (event: any) => event._source.event.kind === 'signal' - ); - - expect(alerts.length).to.above(0); - }); + expect(events[0]._source['@timestamp']).to.be.below( + events[events.length - 1]._source['@timestamp'] + ); }); - unauthorizedUsers.forEach(({ username, password }) => { - it(`${username} should NOT be able to view alerts in session view`, async () => { - const response = await supertestWithoutAuth - .get(`${PROCESS_EVENTS_ROUTE}`) - .auth(username, password) - .set('kbn-xsrf', 'true') - .query({ - sessionEntityId: MOCK_SESSION_ENTITY_ID, - cursor: '2022-05-10T20:39:23.6817084Z', // paginating from the timestamp of the first alert. 
- }); - expect(response.status).to.be(200); - - if (username === 'no_kibana_privileges') { - expect(response.body.events.length).to.be.equal(0); - } else { - // process events should still load (since logs-* is granted, except for no_kibana_privileges user) - expect(response.body.events.length).to.be.above(0); - } - - const alerts = response.body.events.filter( - (event: any) => event._source.event.kind === 'signal' - ); - - expect(alerts.length).to.be(0); + function addTests({ authorizedUsers, unauthorizedUsers }: TestCase) { + authorizedUsers.forEach(({ username, password }) => { + it(`${username} should be able to view alerts in session view`, async () => { + const response = await supertestWithoutAuth + .get(`${PROCESS_EVENTS_ROUTE}`) + .auth(username, password) + .set('kbn-xsrf', 'true') + .query({ + sessionEntityId: MOCK_SESSION_ENTITY_ID, + pageSize: MOCK_PAGE_SIZE, // overriding to test pagination, as we only have 419 records of mock data + cursor: '2022-05-10T20:39:23.6817084Z', // paginating from the timestamp of the first alert. + }); + expect(response.status).to.be(200); + + const alerts = response.body.events.filter( + (event: any) => event._source.event.kind === 'signal' + ); + + expect(alerts.length).to.above(0); + }); }); + + unauthorizedUsers.forEach(({ username, password }) => { + it(`${username} should NOT be able to view alerts in session view`, async () => { + const response = await supertestWithoutAuth + .get(`${PROCESS_EVENTS_ROUTE}`) + .auth(username, password) + .set('kbn-xsrf', 'true') + .query({ + sessionEntityId: MOCK_SESSION_ENTITY_ID, + cursor: '2022-05-10T20:39:23.6817084Z', // paginating from the timestamp of the first alert. 
+ }); + expect(response.status).to.be(200); + + if (username === 'no_kibana_privileges') { + expect(response.body.events.length).to.be.equal(0); + } else { + // process events should still load (since logs-* is granted, except for no_kibana_privileges user) + expect(response.body.events.length).to.be.above(0); + } + + const alerts = response.body.events.filter( + (event: any) => event._source.event.kind === 'signal' + ); + + expect(alerts.length).to.be(0); + }); + }); + } + + describe('Session View', () => { + const authorizedInAllSpaces = [superUser, globalRead, secOnlyReadSpacesAll]; + const unauthorized = [ + // these users are not authorized to get alerts for session view + obsOnlySpacesAll, + noKibanaPrivileges, + ]; + + addTests({ + authorizedUsers: [...authorizedInAllSpaces], + unauthorizedUsers: [...unauthorized], + }); + }); + }); + + describe(`Session view - ${PROCESS_EVENTS_ROUTE} - with merged fork/exec/end events`, () => { + before(async () => { + await esArchiver.load( + 'x-pack/test/functional/es_archives/session_view/process_events_merged' + ); + }); + + after(async () => { + await esArchiver.unload( + 'x-pack/test/functional/es_archives/session_view/process_events_merged' + ); }); - } - - describe('Session View', () => { - const authorizedInAllSpaces = [superUser, globalRead, secOnlyReadSpacesAll]; - const unauthorized = [ - // these users are not authorized to get alerts for session view - obsOnlySpacesAll, - noKibanaPrivileges, - ]; - - addTests({ - authorizedUsers: [...authorizedInAllSpaces], - unauthorizedUsers: [...unauthorized], + + it(`${PROCESS_EVENTS_ROUTE} returns a page of process events`, async () => { + const response = await supertest.get(PROCESS_EVENTS_ROUTE).set('kbn-xsrf', 'foo').query({ + sessionEntityId: MOCK_SESSION_ENTITY_ID, + pageSize: MOCK_PAGE_SIZE, // overriding to test pagination, as we only have 419 records of mock data + }); + expect(response.status).to.be(200); + expect(response.body.total).to.be.greaterThan(0); + 
expect(response.body.events.length).to.be.greaterThan(0); }); }); });
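Review bot: The new `with merged fork/exec/end events` test at the end of the hunk only asserts that `total` and `events.length` are greater than zero, so a response that fails to merge, or that duplicates, the fork/exec/end documents passes exactly as a correct one does. Pin `response.body.total` to the known document count of the `process_events_merged` archive and assert on each returned event's `event.action` (the field the new `mappings.json` declares) so the test distinguishes merged from un-merged output; the exact expected values depend on the archive contents, which are not fully visible here. The query comment `// overriding to test pagination, as we only have 419 records of mock data` was copied from the first describe block and does not describe the new archive; reword it to `// small page size to exercise pagination against the merged archive`, or drop `pageSize` if paging is not what this case is meant to cover. The enclosing `processEventsTests` function starts before the hunk and its closing brace lies outside it.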