Sentinel-One · nate-smalls-s1 · Apr 27, 2026 · Apr 27, 2026 · Apr 27, 2026 · Apr 27, 2026
diff --git a/pipelines/community/transform_ocsf/agent_metrics_logs/metadata.yaml b/pipelines/community/transform_ocsf/agent_metrics_logs/metadata.yaml
@@ -13,6 +13,8 @@ metadata_details:
   format: json
   ocsf_version: 1.3.0
   ingestion_method: "Observo OCSFSerializer (Lua-based transform)"
+  ingest_mode: "Other - {Explain: SentinelOne agent self-reported telemetry}"
+  auth_type: "N/A"
   ocsf_mapping:
     class_uid: 5001
     class_name: "Device Inventory Info"

diff --git a/pipelines/community/transform_ocsf/akamai_cdn/metadata.yaml b/pipelines/community/transform_ocsf/akamai_cdn/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"raw\": \"2026-04-20T02:26:52Z AkamaiCDN streamId=\\\"stream-735\\\" cp=\\\"87876\\\
     \" reqId=\\\"tsuzt53unx\\\" statusCode=304 cliIP=\\\"176.105.197.188\\\" reqHost=\\\"img.example.com\\\
     \" reqMethod=\\\"GET\\\" reqPath=\\\"/js/app.js\\\" bytes=525284 cacheStatus=\\\"TCP_MISS\\\" turnAroundTimeMSec=331\

diff --git a/pipelines/community/transform_ocsf/akamai_dns/metadata.yaml b/pipelines/community/transform_ocsf/akamai_dns/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"raw\": \"2026-04-19T19:07:52Z AkamaiDNS streamId=\\\"dns-662\\\" cliIP=\\\"4.61.218.110\\\
     \" resolverIP=\\\"8.8.8.8\\\" domain=\\\"app.example.net\\\" recordType=\\\"AAAA\\\" responseCode=\\\
     \"REFUSED\\\" answer=\\\"\\\" edge=\\\"edge-nyc\\\" ttl=0 bytes=64\"\n}"

diff --git a/pipelines/community/transform_ocsf/akamai_general/metadata.yaml b/pipelines/community/transform_ocsf/akamai_general/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"raw\": \"2026-04-19T09:18:52Z AkamaiSecurity clientIP=\\\"144.165.201.238\\\"\
     \ host=\\\"blog.example.com\\\" path=\\\"/login\\\" ruleId=\\\"925798\\\" attackType=\\\"Command_Injection\\\
     \" action=\\\"rate_limited\\\" httpMethod=\\\"HEAD\\\" status=400 userAgent=\\\"Googlebot/2.1\\\"\

diff --git a/pipelines/community/transform_ocsf/akamai_sitedefender/metadata.yaml b/pipelines/community/transform_ocsf/akamai_sitedefender/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"type\": \"akamai_siem\",\n  \"attackData\": {\n    \"clientIP\": \"198.51.100.2\"\
     ,\n    \"configId\": \"20933\",\n    \"policyId\": \"p_10245\",\n    \"rules\": []\n  },\n  \"httpMessage\"\
     : {\n    \"method\": \"DELETE\",\n    \"host\": \"api.example.com\",\n    \"path\": \"/search\",\n\

diff --git a/pipelines/community/transform_ocsf/apache_http_logs/metadata.yaml b/pipelines/community/transform_ocsf/apache_http_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: file-based agent ingestion (Apache access/error log)}"
+  auth_type: "N/A"
   sample_record: "{\n  \"raw\": \"10.29.72.231 - - [20/Apr/2026:03:40:52 +0000] \\\"HEAD /settings HTTP/1.1\\\
     \" 200 5305\"\n}"
   dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events

diff --git a/pipelines/community/transform_ocsf/aws_cloudtrail/metadata.yaml b/pipelines/community/transform_ocsf/aws_cloudtrail/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: object store (S3) with SQS/SNS notifications}"
+  auth_type: "IAM Role"
   sample_record: "{\n  \"eventCategory\": \"Management\",\n  \"eventName\": \"CreateUser\",\n  \"eventSource\"\
     : \"iam.amazonaws.com\",\n  \"eventTime\": \"2026-04-20T03:40:52Z\",\n  \"eventVersion\": \"1.09\"\
     ,\n  \"eventID\": \"4ad68099-cad0-4172-8711-dd15c4d352c9\",\n  \"eventType\": \"AwsApiCall\",\n  \"\

diff --git a/pipelines/community/transform_ocsf/aws_elasticloadbalancer_logs/metadata.yaml b/pipelines/community/transform_ocsf/aws_elasticloadbalancer_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: object store (S3) for ELB access logs}"
+  auth_type: "IAM Role"
   sample_record: "{\n  \"type\": \"https\",\n  \"time\": \"2026-04-20T03:40:52.700664Z\",\n  \"alb\":\
     \ \"corporate-alb-3\",\n  \"client_ip\": \"192.168.10.200\",\n  \"client_port\": 41655,\n  \"backend_ip\"\
     : \"172.16.1.50\",\n  \"backend_port\": 443,\n  \"request_processing_time\": 0.029082,\n  \"backend_processing_time\"\

diff --git a/pipelines/community/transform_ocsf/aws_guardduty/metadata.yaml b/pipelines/community/transform_ocsf/aws_guardduty/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: AWS EventBridge or S3 export of GuardDuty findings}"
+  auth_type: "IAM Role"
   sample_record: "{\n  \"schemaVersion\": \"2.0\",\n  \"accountId\": \"222708836859\",\n  \"region\":\
     \ \"us-east-1\",\n  \"partition\": \"aws\",\n  \"id\": \"8db850b8-f1b1-4dfd-8676-efd7b4e8ee85\",\n\
     \  \"arn\": \"arn:aws:guardduty:us-east-1::84378c5c8013403891eb51ada1b2a47b:detector/84378c5c8013403891eb51ada1b2a47b/finding/8db850b8-f1b1-4dfd-8676-efd7b4e8ee85\"\

diff --git a/pipelines/community/transform_ocsf/aws_guardduty_logs/metadata.yaml b/pipelines/community/transform_ocsf/aws_guardduty_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: AWS EventBridge or S3 export of GuardDuty findings}"
+  auth_type: "IAM Role"
   sample_record: "{\n  \"schemaVersion\": \"2.0\",\n  \"accountId\": \"200759122295\",\n  \"region\":\
     \ \"ap-south-1\",\n  \"partition\": \"aws\",\n  \"id\": \"eb19bf82-4550-40d2-a0b8-ae97533cc0f2\",\n\
     \  \"arn\": \"arn:aws:guardduty:ap-south-1::e5485011576b45629ceb37d38e001440:detector/e5485011576b45629ceb37d38e001440/finding/eb19bf82-4550-40d2-a0b8-ae97533cc0f2\"\

diff --git a/pipelines/community/transform_ocsf/aws_vpc_dns_logs/metadata.yaml b/pipelines/community/transform_ocsf/aws_vpc_dns_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: Route 53 Resolver Query Logs to S3 or CloudWatch Logs}"
+  auth_type: "IAM Role"
   sample_record: "{\n  \"version\": \"1.100000\",\n  \"account_id\": \"213644108138\",\n  \"interface_id\"\
     : \"eni-02daa7e2\",\n  \"srcaddr\": \"10.101.151.110\",\n  \"dstaddr\": \"169.254.169.253\",\n  \"\
     srcport\": 49709,\n  \"dstport\": 53,\n  \"protocol\": 17,\n  \"packets\": 1,\n  \"bytes\": 503,\n\

diff --git a/pipelines/community/transform_ocsf/aws_vpc_flow/metadata.yaml b/pipelines/community/transform_ocsf/aws_vpc_flow/metadata.yaml
@@ -13,6 +13,8 @@ metadata_details:
   format: json
   ocsf_version: 1.3.0
   ingestion_method: "Observo OCSFSerializer (Lua-based transform)"
+  ingest_mode: "Other - {Explain: VPC Flow Logs to S3 or CloudWatch Logs}"
+  auth_type: "IAM Role"
   ocsf_mapping:
     class_uid: 4001
     class_name: "Network Activity"

diff --git a/pipelines/community/transform_ocsf/aws_waf/metadata.yaml b/pipelines/community/transform_ocsf/aws_waf/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: AWS WAF logs to Kinesis Data Firehose or S3}"
+  auth_type: "IAM Role"
   sample_record: "{\n  \"timestamp\": \"2026-04-20T03:40:52Z\",\n  \"formatVersion\": \"1.0\",\n  \"webaclId\"\
     : \"arn:aws:wafv2:us-east-1:757912648842:regional/webacl/ExampleWebACL-1711\",\n  \"ruleGroupId\"\
     : \"XSSRules\",\n  \"terminatingRuleType\": \"RATE_BASED\",\n  \"action\": \"CAPTCHA\",\n  \"httpRequest\"\

diff --git a/pipelines/community/transform_ocsf/axonius_asset_logs/metadata.yaml b/pipelines/community/transform_ocsf/axonius_asset_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "API Call"
+  auth_type: "API Key & Secret"
   sample_record: "{\n  \"raw\": \"<134>Apr 20 03:37:46 armis-sensor armis - - .{\\\"id\\\":\\\"a0ab8edf-ecb9-41a5-a27b-ad2dfa00ca48\\\
     \",\\\"type\\\":\\\"DeviceRiskChange\\\",\\\"_time\\\":\\\"2026-04-20T03:37:46.021342+00:00Z\\\",\\\
     \"time\\\":1776656266,\\\"description\\\":\\\"Device risk score changed significantly\\\",\\\"severity\\\

diff --git a/pipelines/community/transform_ocsf/azure_ad/metadata.yaml b/pipelines/community/transform_ocsf/azure_ad/metadata.yaml
@@ -13,6 +13,8 @@ metadata_details:
   format: json
   ocsf_version: 1.3.0
   ingestion_method: "Observo OCSFSerializer (Lua-based transform)"
+  ingest_mode: "API Call"
+  auth_type: "OAuth"
   ocsf_mapping:
     class_uid: 3001
     class_name: "Account Change"

diff --git a/pipelines/community/transform_ocsf/azure_logs/metadata.yaml b/pipelines/community/transform_ocsf/azure_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: Azure Monitor / Event Hub stream}"
+  auth_type: "OAuth"
   sample_record: "(realistic sample not available \u2014 use empty {} for testing)"
   dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events
     must match the field layout exercised by the Lua mappings.

diff --git a/pipelines/community/transform_ocsf/azure_nsg_flow_logs/metadata.yaml b/pipelines/community/transform_ocsf/azure_nsg_flow_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: object store (Azure Storage Account / Blob) for NSG flow logs}"
+  auth_type: "OAuth"
   sample_record: "{\n  \"version\": \"2\",\n  \"account_id\": \"913435035175\",\n  \"interface_id\": \"\
     eni-c8ab934f27224e7db\",\n  \"srcaddr\": \"10.35.164.23\",\n  \"dstaddr\": \"203.0.113.1\",\n  \"\
     srcport\": 62807,\n  \"dstport\": 3389,\n  \"protocol\": 6,\n  \"packets\": 214,\n  \"bytes\": 23679,\n\

diff --git a/pipelines/community/transform_ocsf/azure_platform/metadata.yaml b/pipelines/community/transform_ocsf/azure_platform/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: Azure Event Hub for Activity Log delivery}"
+  auth_type: "OAuth"
   sample_record: "{\n  \"timestamp\": \"2026-04-20T03:40:52.962457Z\",\n  \"vendor\": \"Microsoft\",\n\
     \  \"product\": \"Azure Ad Logs\",\n  \"version\": \"1.0\",\n  \"event_type\": \"security_event\"\
     ,\n  \"message\": \"Sample Microsoft Azure Ad Logs event at 2026-04-20T03:40:52.962457Z\",\n  \"severity\"\

diff --git a/pipelines/community/transform_ocsf/barracuda_firewall_logs_latest/metadata.yaml b/pipelines/community/transform_ocsf/barracuda_firewall_logs_latest/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "(realistic sample not available \u2014 use empty {} for testing)"
   dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events
     must match the field layout exercised by the Lua mappings.

diff --git a/pipelines/community/transform_ocsf/beyondtrust_passwordsafe_logs/metadata.yaml b/pipelines/community/transform_ocsf/beyondtrust_passwordsafe_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"raw\": \"2026-04-20 03:36:32 10.0.0.150 {\\\"EventTime\\\":\\\"2026-04-20T03:36:32.710887Z\\\
     \",\\\"EventType\\\":\\\"UserLogout\\\",\\\"EventId\\\":\\\"e8b5e243-6e4a-48e1-a38b-93ee87daba95\\\
     \",\\\"UserId\\\":\\\"svc_backup\\\",\\\"UserName\\\":\\\"Service Account\\\",\\\"UserDisplayName\\\

diff --git a/pipelines/community/transform_ocsf/cisco_asa_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_asa_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"raw\": \"<166>Apr 20 2026 03:40:52 asa-demo : %ASA-6-302015: Built outbound TCP\
     \ connection 441011 for inside:192.0.2.10/21946 (192.0.2.10/21946) to outside:203.0.113.5/443 (203.0.113.5/443)\"\
     \n}"

diff --git a/pipelines/community/transform_ocsf/cisco_combo_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_combo_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"timestamp\": \"2026-04-19T14:09:53.030684+00:00\",\n  \"hostname\": \"router-29\"\
     ,\n  \"device_ip\": \"30.133.137.140\",\n  \"facility\": \"LOCAL4\",\n  \"severity\": \"info\",\n\
     \  \"mnemonic\": \"STATE\",\n  \"facility_mnemonic\": \"TRACKING\",\n  \"sequence_number\": 342870,\n\

diff --git a/pipelines/community/transform_ocsf/cisco_duo/metadata.yaml b/pipelines/community/transform_ocsf/cisco_duo/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"timestamp\": \"2026-04-20T03:40:52Z\",\n  \"time\": 1776656452716,\n  \"class_uid\"\
     : 3002,\n  \"class_name\": \"Authentication\",\n  \"category_uid\": 3,\n  \"category_name\": \"Identity\
     \ & Access Management\",\n  \"activity_id\": 1,\n  \"activity_name\": \"Logon\",\n  \"type_uid\":\

diff --git a/pipelines/community/transform_ocsf/cisco_firewall/metadata.yaml b/pipelines/community/transform_ocsf/cisco_firewall/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"raw\": \"<165>Apr 20 03:40:52 ftd-241 : FTD-1-430003: SrcIP: 192.168.110.231,\
     \ DstIP: 203.0.113.236, ConnectionDuration: 1292, InitiatorBytes: 44088, ResponderBytes: 19778\",\n\
     \  \"timestamp\": \"2026-04-20T03:40:52.719548Z\",\n  \"vendor\": \"Cisco\",\n  \"product\": \"Firewall\

diff --git a/pipelines/community/transform_ocsf/cisco_fmc_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_fmc_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"timestamp\": \"2026-04-20T03:32:52.723426+00:00\",\n  \"event_id\": 9448853,\n\
     \  \"event_type\": \"DNS\",\n  \"event_subtype\": \"DNS_EVENT\",\n  \"severity\": \"Info\",\n  \"\
     action\": \"Drop\",\n  \"device_name\": \"ENTERPRISE-FTD-SECURITY-1\",\n  \"device_ip\": \"86.29.233.254\"\

diff --git a/pipelines/community/transform_ocsf/cisco_ios_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_ios_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"timestamp\": \"2026-04-19T15:49:52.728587+00:00\",\n  \"hostname\": \"switch-2\"\
     ,\n  \"device_ip\": \"49.78.43.47\",\n  \"facility\": \"LOCAL4\",\n  \"severity\": \"warning\",\n\
     \  \"mnemonic\": \"THRESHOLD_VIOLATION\",\n  \"facility_mnemonic\": \"SFF8472\",\n  \"sequence_number\"\

diff --git a/pipelines/community/transform_ocsf/cisco_ironport/metadata.yaml b/pipelines/community/transform_ocsf/cisco_ironport/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"timestamp\": \"2026-04-20T03:30:52Z\",\n  \"hostname\": \"VOYAGER-ESA-PROD\"\
     ,\n  \"facility\": \"mail\",\n  \"severity\": \"warn\",\n  \"message_id\": \"1307521\",\n  \"from_address\"\
     : \"miles.obrien@ferengi-commerce.net\",\n  \"to_address\": \"miles.obrien@starfleet.corp\",\n  \"\

diff --git a/pipelines/community/transform_ocsf/cisco_isa3000_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_isa3000_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"timestamp\": \"2026-04-19T19:28:52.737044+00:00\",\n  \"hostname\": \"ISA3000-4\"\
     ,\n  \"device_ip\": \"192.168.5.42\",\n  \"event_type\": \"MODBUS\",\n  \"action\": \"READ_COILS\"\
     ,\n  \"severity\": \"INFO\",\n  \"message_id\": \"ISA-489417\",\n  \"source_ip\": \"10.90.203.8\"\

diff --git a/pipelines/community/transform_ocsf/cisco_ise_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_ise_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"EventTimestamp\": \"2026-04-19T19:51:52.742714+00:00\",\n  \"MessageCode\": \"\
     5400\",\n  \"ACSServer\": \"ise-psn-1\",\n  \"AccessService\": \"Guest Access\",\n  \"UserName\":\
     \ \"user94@company.com\",\n  \"IdentityGroup\": \"Executives\",\n  \"NetworkDeviceName\": \"nad-switch-2\"\

diff --git a/pipelines/community/transform_ocsf/cisco_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"timestamp\": \"2026-04-19T19:27:52.744586+00:00\",\n  \"hostname\": \"firewall-22\"\
     ,\n  \"device_ip\": \"73.247.139.85\",\n  \"facility\": \"LOCAL1\",\n  \"severity\": \"info\",\n \
     \ \"mnemonic\": \"UPDOWN\",\n  \"facility_mnemonic\": \"LINK\",\n  \"sequence_number\": 940259,\n\

diff --git a/pipelines/community/transform_ocsf/cisco_meraki/metadata.yaml b/pipelines/community/transform_ocsf/cisco_meraki/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"timestamp\": \"2026-04-20T03:40:52Z\",\n  \"syslog_priority\": 135,\n  \"unix_timestamp\"\
     : 1776656452,\n  \"hostname\": \"meraki-mx64\",\n  \"log_type\": \"ip_flow\",\n  \"src_ip\": \"10.0.84.250\"\
     ,\n  \"dst_ip\": \"93.184.150.1\",\n  \"protocol\": \"icmp\",\n  \"src_port\": 17356,\n  \"dst_port\"\

diff --git a/pipelines/community/transform_ocsf/cisco_meraki_flow_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_meraki_flow_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"timestamp\": \"2026-04-20T03:40:52.751732Z\",\n  \"vendor\": \"Cisco\",\n  \"\
     product\": \"Meraki Flow Logs\",\n  \"version\": \"1.0\",\n  \"event_type\": \"security_event\",\n\
     \  \"message\": \"Sample Cisco Meraki Flow Logs event at 2026-04-20T03:40:52.751732Z\",\n  \"severity\"\

diff --git a/pipelines/community/transform_ocsf/cisco_meraki_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_meraki_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"timestamp\": \"2026-04-20T03:40:52Z\",\n  \"syslog_priority\": 135,\n  \"unix_timestamp\"\
     : 1776656452,\n  \"hostname\": \"meraki-mx64\",\n  \"log_type\": \"vpn_firewall\",\n  \"src_ip\":\
     \ \"10.0.34.12\",\n  \"dst_ip\": \"93.184.232.81\",\n  \"protocol\": \"tcp\",\n  \"src_port\": 64270,\n\

diff --git a/pipelines/community/transform_ocsf/cisco_networks_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_networks_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"timestamp\": \"2026-04-19T23:56:52.753336+00:00\",\n  \"hostname\": \"asa-43\"\
     ,\n  \"device_ip\": \"187.202.143.67\",\n  \"facility\": \"LOCAL3\",\n  \"severity\": \"info\",\n\
     \  \"mnemonic\": \"SUCCESS\",\n  \"facility_mnemonic\": \"SEC_LOGIN\",\n  \"sequence_number\": 150664,\n\

diff --git a/pipelines/community/transform_ocsf/cisco_umbrella_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_umbrella_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: Cisco Umbrella S3 log export or HTTPS API}"
+  auth_type: "IAM Role"
   sample_record: "{\n  \"raw\": \"\\\"2026-04-20 03:40:52\\\",\\\"Finance\\u2011Dept\\\",\\\"10.0.1.55\\\
     \",\\\"8.8.8.8\\\",\\\"93.184.216.34\\\",\\\"text/html\\\",\\\"Allowed\\\",\\\"http://example.com/pdf\\\
     \",\\\"http://ref.example.com\\\",\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"302\\\",\\\

diff --git a/pipelines/community/transform_ocsf/citrix_netscaler_logs/metadata.yaml b/pipelines/community/transform_ocsf/citrix_netscaler_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n  \"raw\": \"timestamp=2026-04-20T03:40:53.033780+00:00,hostname=f5-bigip-1,device_ip=212.126.91.220,module=APM,event_type=SESSION_TERMINATED,severity=INFO,facility=LOCAL0,priority=21,slot=1.1,tmm=2,virtual_server=vs_api_5,pool=pool_web_4,client_ip=5.208.9.191,server_ip=10.29.4.69,client_port=49852,server_port=8443,protocol=HTTP,username=user84,session_id=sess_942865417,access_profile=ap_portal,authentication_method=RADIUS,virtual_server_name=/Common/vs_portal,client_type=VPN\
     \ Client,geo_location=CA,bytes_in=7321,bytes_out=92900,packets_in=664,packets_out=883,class_uid=4001,class_name=Network\
     \ Activity,category_uid=4,category_name=Network Activity,activity_id=6,activity_name=Traffic,type_uid=400106,severity_id=1,status_id=2\"\

diff --git a/pipelines/community/transform_ocsf/cloudflare_general_logs/metadata.yaml b/pipelines/community/transform_ocsf/cloudflare_general_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "API Call"
+  auth_type: "API Key & Secret"
   sample_record: "{\n  \"Datetime\": 1776656032763,\n  \"ZoneID\": 581915883679421473,\n  \"ZoneName\"\
     : \"starfleet.corp\",\n  \"ClientIP\": \"121.81.128.32\",\n  \"ClientRequestHost\": \"enterprise.starfleet.corp\"\
     ,\n  \"ClientRequestMethod\": \"POST\",\n  \"ClientRequestURI\": \"/bridge/admin\",\n  \"ClientRequestUserAgent\"\