I’m currently playing with a custom search guard audit plugin to send events to a remote server.
When looking at the events, they are very specific and use attributes related only to a Search Guard schema.
I would like to transform them to better match Elastic Common Schema, but then I will break the default dashboard provided by Search Guard. Perhaps some documentation could be added to explain how to handle compatibility, and alternative dashboards could be provided.
@fbacchella Thank you for the question. This is currently being assessed.
Another important aspect to think of is compliance with data streams.