@JordanSh in the designs we have the Source column as Elastic CSPM. But as in the latest sync we discussed having vendor and product separately in the future and the fact that logically observer.vendor: Elastic makes more sense I added just Elastic as value for both findings and vulnerabilties. Wdyt? Having conditional logic to have Elastic CSPM and Elastic KSPM based on the posture type is not complicated, but it doesn't look like the correct values for the vendor field

Makes sense to me, currently I used Elastic CSP for both cspm and kspm, but Elastic works as well. I do think that the final decision should be made by our product. Maybe we can set an early meeting just to discuss this topic instead of waiting for the weekly sync

as discussed at the last sync we are going with the value Elastic

Values that are always the same in every event are best set through a constant_keyword mapping with a static value. It's better for storage efficiency.

that makes sense, one question though, what is the process of changing this value in the future in case it is needed? If i understand correctly the constant_keyword mapping would reject any other value and it will be a breaking change to the mapping which is complicated to implement. What is the update strategy in such cases?

I see that there are a lot of already existing cases where observer.vendor is set through the pipeline, so I'm assuming it's not a big performance concern. I'd leave it as keyword for now as from the product side we have ongoing discussion for the values of the observer.vendor, so I don't want to corner ourselves with setting constant_keyword now