Hi @GuyCo , No parsing is done by the Add-Ons, infact ES installation best prectices hint to complete data ingestion, using Add-Ons, before ES installation. ES is the SIEM, but the Data ingestion and normalization is done by the Add-Ons. The only normalization that is done by ES is data loading in Data Models, that's done using the normalization done in Add-Ons. In other words, if you don't make a correct parsing and normalization, ES cannot read your data and cannot load them in Data Models and cannot use them in Correlation searches. Ciao. Giuseppe
... View more