update docs
legoguy1000 committed Sep 2, 2022
1 parent 5c77032 commit 5c5311f
Showing 3 changed files with 5 additions and 1 deletion.
2 changes: 1 addition & 1 deletion packages/cisco_umbrella/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
reference: [email protected]-rc1
reference: [email protected]
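Review bot: the `reference:` change under `dependencies: ecs:` is a build dependency change, not a documentation change, yet the commit message reads only "update docs". The two `reference:` lines differ by the `-rc1` suffix, so this moves the package between a release-candidate tag and a non-candidate tag of ECS; name that in the commit message, or split it into its own commit, so the change can be found in history. None of the three changed files is a changelog, so also check whether this package expects an entry for a dependency change.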
2 changes: 2 additions & 0 deletions packages/cisco_umbrella/_dev/build/docs/README.md
Expand Up @@ -11,6 +11,8 @@ datasets for receiving logs from an AWS S3 bucket using an SQS notification queu

When using Cisco Managed S3 buckets that does not use SQS there is no load balancing possibilities for multiple agents, a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale vertically.

The field `cisco.umbrella.identity` is described by the documentation as `An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user). It is important to define how granular the identities will be.`. This will depend on the customer environment and maybe configurable. Due to this variability, this field isn't normalized into ECS fields by default. A custom ingest pipeline can be used to perform this normalization. This pipeline can be added to the integration config in the `identities_pipeline` option which defaults to `cisco-umbrella-identities-customization`. This option does not need to be used and will not error if it is not set or doesn't exist.

The `log` dataset collects Cisco Umbrella logs.

{{event "log"}}
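Review bot: in the added `cisco.umbrella.identity` paragraph, "This will depend on the customer environment and maybe configurable" should read "may be configurable", and the sentence does not say what "This" is (presumably the granularity of the identity). The quoted Cisco text is wrapped in backticks, which renders a prose quotation as code; quotation marks or a blockquote would fit better. Because the paragraph states that the field is not normalized into ECS by default, consider adding one sentence on which ECS fields a custom pipeline is expected to populate, so readers know that searches on those fields will not include the Umbrella identity until they add the pipeline.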
2 changes: 2 additions & 0 deletions packages/cisco_umbrella/docs/README.md
Expand Up @@ -11,6 +11,8 @@ datasets for receiving logs from an AWS S3 bucket using an SQS notification queu

When using Cisco Managed S3 buckets that does not use SQS there is no load balancing possibilities for multiple agents, a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale vertically.

The field `cisco.umbrella.identity` is described by the documentation as `An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user). It is important to define how granular the identities will be.`. This will depend on the customer environment and maybe configurable. Due to this variability, this field isn't normalized into ECS fields by default. A custom ingest pipeline can be used to perform this normalization. This pipeline can be added to the integration config in the `identities_pipeline` option which defaults to `cisco-umbrella-identities-customization`. This option does not need to be used and will not error if it is not set or doesn't exist.

The `log` dataset collects Cisco Umbrella logs.

An example event for `log` looks as following:
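Review bot: the last sentence of the added paragraph, "This option does not need to be used and will not error if it is not set or doesn't exist", leaves it unclear whether "it" is the `identities_pipeline` option or the pipeline that option names. If a missing pipeline is skipped without an error, a misspelled name in `identities_pipeline` would leave `cisco.umbrella.identity` un-normalized with nothing pointing at the cause, so the docs should say how to confirm that the custom pipeline is being applied. The paragraph is identical to the one added in `_dev/build/docs/README.md`, which carries the `{{event "log"}}` placeholder and so appears to be the template for this file; any wording fix belongs there, with this file regenerated from it.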

0 comments on commit 5c5311f
