diff --git a/packages/sysdig/_dev/build/docs/README.md b/packages/sysdig/_dev/build/docs/README.md
index 6cde4bbd425..165fbfabf8e 100644
--- a/packages/sysdig/_dev/build/docs/README.md
+++ b/packages/sysdig/_dev/build/docs/README.md
@@ -2,12 +2,14 @@
 This integration allows for the shipping of [Sysdig](https://sysdig.com/) logs to Elastic for security, observability and organizational awareness. Logs can then be analyzed by using either the dashboard included with the integration or via the creation of custom dashboards within Kibana.
 ## Data Streams
-The Sysdig integration collects two type of logs:
+The Sysdig integration collects three types of logs:
 **Alerts** The Alerts data stream collected by the Sysdig integration is comprised of Sysdig Alerts. See more details about Sysdig Alerts in [Sysdig's Alerts Documentation](https://docs.sysdig.com/en/docs/sysdig-monitor/alerts/). A complete list of potential fields used by this integration can be found in the [Logs reference](#logs-reference)
 **Event** The event data stream collected through the Sysdig integration consists of Sysdig Security Events. See more details about Security Events in [Sysdig's Events Feed Documentation](https://docs.sysdig.com/en/docs/sysdig-secure/threats/activity/events-feed/).
+**CSPM** The CSPM data stream collected through the Sysdig integration consists of Sysdig compliance results. See more details about compliance results in [Sysdig's Compliance documentation](https://docs.sysdig.com/en/sysdig-secure/compliance/).
+
 ## Requirements
 ### Agent-based installation
@@ -28,7 +30,7 @@ The HTTP input allows the Elastic Agent to receive Sysdig Alerts via HTTP webhoo
 **Required:** To configure Sysdig to output JSON, you must set up as webhook notification channel as outlined in the [Sysdig Documentation](https://docs.sysdig.com/en/docs/administration/administration-settings/outbound-integrations/notifications-management/set-up-notification-channels/configure-a-webhook-channel/).
-### To collect data from the Sysdig Next Gen API:
+### To collect data from the Sysdig API:
 - Retrieve the API Token by following [Sysdig's API Token Guide](https://docs.sysdig.com/en/retrieve-the-sysdig-api-token).
@@ -66,3 +68,13 @@ This is the `event` dataset.
 {{event "event"}}
 {{fields "event"}}
+
+### CSPM
+
+This is the `CSPM` dataset.
+
+#### Example
+
+{{event "cspm"}}
+
+{{fields "cspm"}}
diff --git a/packages/sysdig/_dev/deploy/docker/files/config.yml b/packages/sysdig/_dev/deploy/docker/files/config.yml
index f99d3b91c68..21a31b8b051 100644
--- a/packages/sysdig/_dev/deploy/docker/files/config.yml
+++ b/packages/sysdig/_dev/deploy/docker/files/config.yml
@@ -517,3 +517,367 @@ rules: } } `}} + - path: /api/cspm/v1/compliance/requirements + methods: ['GET'] + query_params: + pageNumber: 1 + pageSize: 2 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "name": "AWS Controls", + "pass": false, + "severity": "High", + "policyId": "52", + "policyName": "All Posture Findings", + "controls": [ + { + "id": "21344", + "name": "Lambda - Enable Encryption at Rest for Environment Variables using Customer Master Keys", + "description": "Ensure that your Amazon Lambda environment variables are using customer-managed Customer Master Keys (CMKs) instead of AWS managed-keys (i.e. default keys used when there are no customer keys defined) in order to benefit from a more granular control over the data encryption and decryption process. The environment variables defined for your Amazon Lambda functions are key-value pairs that are used to store configuration settings without the need to change function code.", + "target": "AWS", + "type": 8, + "pass": false, + "severity": "High", + "objectsCount": 2879, + "remediationId": "21344", + "lastUpdate": "1752149383", + "acceptedCount": 0, + "resourceKind": "AWS_LAMBDA_FUNCTION", + "isManual": false, + "resourceApiEndpoint": "/api/cspm/v1/cloud/resources?controlId=21344&providerType=AWS&resourceKind=AWS_LAMBDA_FUNCTION&filter=policyId=52 and zones.id=119", + "supportedDistributions": [ + { + "name": "AWS", + "minVersion": 0, + "maxVersion": 0 + } + ], + "platform": "", + "authors": "Sysdig", + "passingCount": 0 + }, + { + "id": "21447", + "name": "CloudFormation - Stack Policy", + "description": "Ensure CloudFormation stack policies are set to prevent accidental updates to stack resources.", + "target": "AWS", + "type": 8, + "pass": false, + "severity": "High", + "objectsCount": 40, + "remediationId": "21447", + "lastUpdate": "1752149383", + 
"acceptedCount": 0, + "resourceKind": "AWS_CLOUDFORMATION_STACK", + "isManual": false, + "resourceApiEndpoint": "/api/cspm/v1/cloud/resources?controlId=21447&providerType=AWS&resourceKind=AWS_CLOUDFORMATION_STACK&filter=policyId=52 and zones.id=119", + "supportedDistributions": [ + { + "name": "AWS", + "minVersion": 0, + "maxVersion": 0 + } + ], + "platform": "", + "authors": "Sysdig", + "passingCount": 0 + } + ], + "failedControls": 136, + "highSeverityCount": 3147, + "mediumSeverityCount": 20805, + "lowSeverityCount": 2926, + "acceptedCount": 0, + "description": "All Amazon Web Services Controls.", + "requirementId": "637489", + "zone": { + "id": "119", + "name": "Entire Infrastructure" + }, + "passingCount": 23735 + }, + { + "name": "Linux Controls", + "pass": false, + "severity": "High", + "policyId": "52", + "policyName": "All Posture Findings", + "controls": [ + { + "id": "34001", + "name": "Gpgcheck enabled", + "description": "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.", + "target": "Linux", + "type": 7, + "pass": false, + "severity": "High", + "objectsCount": 5, + "remediationId": "34001", + "lastUpdate": "1752149383", + "acceptedCount": 0, + "resourceKind": "host", + "isManual": false, + "resourceApiEndpoint": "/api/cspm/v1/clusteranalysis/resources?controlId=34001&benchmarkType=0&resourceKind=host&filter=policyId=52 and zones.id=119", + "supportedDistributions": [], + "platform": "", + "authors": "Sysdig", + "passingCount": 0 + } + ], + "failedControls": 528, + "highSeverityCount": 1749, + "mediumSeverityCount": 460, + "lowSeverityCount": 20, + "acceptedCount": 0, + "description": "All Linux Controls.", + "requirementId": "637486", + "zone": { + "id": "119", + "name": "Entire Infrastructure" + }, + "passingCount": 803 + } + ], + "totalCount": "5" + } + `}} + - path: /api/cspm/v1/compliance/requirements + methods: ['GET'] + query_params: + 
pageNumber: 2 + pageSize: 2 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "name": "CM-7 LEAST FUNCTIONALITY", + "pass": false, + "severity": "High", + "policyId": "27", + "policyName": "FedRAMP (Federal Risk and Authorization Management Program) High Baseline", + "controls": [ + { + "id": "16071", + "name": "Networking - Disallowed Public Access to Administration Ports (ACL)", + "description": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.", + "target": "AWS", + "type": 8, + "pass": false, + "severity": "High", + "objectsCount": 19, + "remediationId": "16071", + "lastUpdate": "1752149383", + "acceptedCount": 0, + "resourceKind": "AWS_NETWORK_ACL", + "isManual": false, + "resourceApiEndpoint": "/api/cspm/v1/cloud/resources?controlId=16071&providerType=AWS&resourceKind=AWS_NETWORK_ACL&filter=policyId=27 and zones.id=119", + "supportedDistributions": [ + { + "name": "aws", + "minVersion": 0, + "maxVersion": 0 + } + ], + "platform": "", + "authors": "Sysdig", + "passingCount": 0 + } + ], + "failedControls": 197, + "highSeverityCount": 654, + "mediumSeverityCount": 158, + "lowSeverityCount": 41, + "acceptedCount": 2782, + "description": "The organization:\n a. Configures the information system to provide only essential capabilities; and\n b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].\n\nSupplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. 
Related controls: AC-6, CM-2, RA-5, SA-5, SC-7.\n\nReferences: DoD Instruction 8551.01.\n\n\n*FedRAMP-Defined Assignment / Selection Parameters*:\n\nCM-7 (b) [United States Government Configuration Baseline (USGCB)]\n\n*Additional FedRAMP Requirements and Guidance*:\n\nCM-7 (b) Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.\nCM-7 Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc.\n(Partially derived from AC-17(8).)", + "requirementId": "511163", + "zone": { + "id": "119", + "name": "Entire Infrastructure" + }, + "passingCount": 2163 + }, + { + "name": "CM-6 CONFIGURATION SETTINGS", + "pass": false, + "severity": "High", + "policyId": "27", + "policyName": "FedRAMP (Federal Risk and Authorization Management Program) High Baseline", + "controls": [ + { + "id": "16071", + "name": "Networking - Disallowed Public Access to Administration Ports (ACL)", + "description": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.", + "target": "AWS", + "type": 8, + "pass": false, + "severity": "High", + "objectsCount": 19, + "remediationId": "16071", + "lastUpdate": "1752149383", + "acceptedCount": 0, + "resourceKind": "AWS_NETWORK_ACL", + "isManual": false, + "resourceApiEndpoint": "/api/cspm/v1/cloud/resources?controlId=16071&providerType=AWS&resourceKind=AWS_NETWORK_ACL&filter=policyId=27 and zones.id=119", + "supportedDistributions": [ + { + "name": "aws", + "minVersion": 0, + "maxVersion": 0 + } + ], + "platform": "", + "authors": "Sysdig", + "passingCount": 0 + }, + { + "id": "21", + "name": "Container with RunAsUser root or not 
set", + "description": "Running containers as root can result in pod escape", + "target": "Kubernetes", + "type": 1, + "pass": false, + "severity": "High", + "objectsCount": 15, + "remediationId": "13", + "lastUpdate": "1752149383", + "acceptedCount": 58, + "resourceKind": "workload", + "isManual": false, + "resourceApiEndpoint": "/api/cspm/v1/kube/resources?controlId=21&resourceKind=workload&filter=policyId=27 and zones.id=119", + "supportedDistributions": [ + { + "name": "Vanilla", + "minVersion": 0, + "maxVersion": 0 + } + ], + "platform": "", + "authors": "Sysdig", + "passingCount": 4 + } + ], + "failedControls": 188, + "highSeverityCount": 636, + "mediumSeverityCount": 157, + "lowSeverityCount": 40, + "acceptedCount": 1911, + "description": "The organization:\n a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;\n b. Implements the configuration settings;\n c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and\n d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.\n\nSupplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. 
Information technology products for which security- related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.\n\nCommon secure configurations (also referred to as security configuration checklists, lockdown\nand hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. 
Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4.\n\nReferences: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: http://nvd.nist.gov, http://checklists.nist.gov, http://www.nsa.gov.\n\n\n*FedRAMP-Defined Assignment / Selection Parameters*:\n\nCM-6 (a) [United States Government Configuration Baseline (USGCB)]\n\n*Additional FedRAMP Requirements and Guidance*:\n\nCM-6 (a) Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.\nCM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).\nCM-6 (a) Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc", + "requirementId": "511160", + "zone": { + "id": "119", + "name": "Entire Infrastructure" + }, + "passingCount": 1788 + } + ], + "totalCount": "5" + } + `}} + - path: /api/cspm/v1/compliance/requirements + methods: ['GET'] + query_params: + pageNumber: 3 + pageSize: 2 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "name": "CM-7 LEAST FUNCTIONALITY", + "pass": false, + "severity": 
"High", + "policyId": "27", + "policyName": "FedRAMP (Federal Risk and Authorization Management Program) High Baseline", + "controls": [ + { + "id": "16071", + "name": "Networking - Disallowed Public Access to Administration Ports (ACL)", + "description": "Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.", + "target": "AWS", + "type": 8, + "pass": false, + "severity": "High", + "objectsCount": 19, + "remediationId": "16071", + "lastUpdate": "1752231595", + "acceptedCount": 0, + "resourceKind": "AWS_NETWORK_ACL", + "isManual": false, + "resourceApiEndpoint": "/api/cspm/v1/cloud/resources?controlId=16071&providerType=AWS&resourceKind=AWS_NETWORK_ACL&filter=policyId=27 and zones.id=119", + "supportedDistributions": [ + { + "name": "aws", + "minVersion": 0, + "maxVersion": 0 + } + ], + "platform": "", + "authors": "Sysdig", + "passingCount": 0 + } + ], + "failedControls": 192, + "highSeverityCount": 639, + "mediumSeverityCount": 155, + "lowSeverityCount": 42, + "acceptedCount": 2793, + "description": "The organization:\n a. Configures the information system to provide only essential capabilities; and\n b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].\n\nSupplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. 
Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. 
Related controls: AC-6, CM-2, RA-5, SA-5, SC-7.\n\nReferences: DoD Instruction 8551.01.\n\n\n*FedRAMP-Defined Assignment / Selection Parameters*:\n\nCM-7 (b) [United States Government Configuration Baseline (USGCB)]\n\n*Additional FedRAMP Requirements and Guidance*:\n\nCM-7 (b) Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.\nCM-7 Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc.\n(Partially derived from AC-17(8).)",
+ "requirementId": "511163",
+ "zone": {
+ "id": "119",
+ "name": "Entire Infrastructure"
+ },
+ "passingCount": 2183
+ }
+ ],
+ "totalCount": "5"
+ }
+ `}}
+ - path: /api/cspm/v1/compliance/requirements
+ methods: ['GET']
+ query_params:
+ pageNumber: 4
+ pageSize: 2
+ request_headers:
+ Authorization:
+ - "Bearer xxxx"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "data": [],
+ "totalCount": "5"
+ }
+ `}}
diff --git a/packages/sysdig/changelog.yml b/packages/sysdig/changelog.yml
index 6ea24a51d65..0337fe960ac 100644
--- a/packages/sysdig/changelog.yml
+++ b/packages/sysdig/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.1.0"
+ changes:
+ - description: Add support for cspm datastream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/14907
 - version: "2.0.0"
 changes:
 - description: Fix the conflicting data types for `sysdig.event.category` by changing the alerts data stream from `text` to `keyword`.
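Review bot: Page 3 of the mocked `/api/cspm/v1/compliance/requirements` responses re-serves requirement `511163` (`CM-7 LEAST FUNCTIONALITY`, already returned on page 2) with a different `lastUpdate` and `passingCount`, so the fixture delivers five records but only four distinct requirements while `totalCount` reports `"5"`. If the repeat is deliberate — for example to exercise how the CSPM data stream treats a requirement that is re-emitted across pages — a short comment above that entry, such as `# page 3 intentionally re-serves requirementId 511163 with updated counts`, would keep the next maintainer from reading it as copy-paste. If it is not deliberate, giving the page-3 entry its own `requirementId` would make the expected system-test document count unambiguous, and any duplicate handling in the pipeline would then be tested on purpose rather than by accident. The empty `data: []` on page 4 does give the collector a clear termination condition independent of `totalCount`, which is good.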
diff --git a/packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-common-config.yml b/packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..37e8fa225fd
--- /dev/null
+++ b/packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_duplicate_custom_fields
diff --git a/packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-cspm.log b/packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-cspm.log
new file mode 100644
index 00000000000..f811a2e6df8
--- /dev/null
+++ b/packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-cspm.log
@@ -0,0 +1,10 @@ +{"acceptedCount":0,"control":{"acceptedCount":0,"authors":"Sysdig","description":"Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.","id":"16011","isManual":false,"lastUpdate":"1736935526","name":"IAM - Defined Users MFA (AWS)","objectsCount":0,"pass":true,"passingCount":0,"platform":"","remediationId":"16011","resourceApiEndpoint":"/api/cspm/v1/cloud/resources?controlId=16011\u0026providerType=AWS\u0026resourceKind=AWS_USER\u0026filter=policyId=15 and zones.id=17769377","resourceKind":"AWS_USER","severity":"High","supportedDistributions":[{"maxVersion":0,"minVersion":0,"name":"aws"}],"target":"AWS","type":9},"description":"Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. 
It is recommended that MFA be enabled for all accounts that have a console password.","failedControls":0,"highSeverityCount":0,"lowSeverityCount":0,"mediumSeverityCount":0,"name":"1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password","pass":true,"passingCount":0,"policyId":"15","policyName":"CIS Amazon Web Services Foundations Benchmark","requirementId":"16009","severity":"High","zone":{"id":"17769377","name":"Entire Infrastructure"}} +{"acceptedCount":0,"control":{"acceptedCount":0,"authors":"Sysdig","description":"The mandatory access controls provided by the default SELinux policy are a critical mechanism to prevent containers from accessing sensitive data or modifying system files that belong to the host or to other containers.","id":"22011","isManual":false,"lastUpdate":"1752475015","name":"SELinux Configured (Bottlerocket)","objectsCount":0,"pass":true,"passingCount":0,"platform":"","remediationId":"22011","resourceApiEndpoint":"/api/cspm/v1/clusteranalysis/resources?controlId=22011\u0026benchmarkType=0\u0026resourceKind=host\u0026filter=policyId=35 and zones.id=38551039","resourceKind":"host","severity":"High","supportedDistributions":[],"target":"Linux","type":7},"description":"Adversaries may attempt to dump the contents of \u003ccode\u003e/etc/passwd\u003c/code\u003e and \u003ccode\u003e/etc/shadow\u003c/code\u003e to enable offline password cracking. Most modern Linux operating systems use a combination of \u003ccode\u003e/etc/passwd\u003c/code\u003e and \u003ccode\u003e/etc/shadow\u003c/code\u003e to store user account information including password hashes in \u003ccode\u003e/etc/shadow\u003c/code\u003e. 
By default, \u003ccode\u003e/etc/shadow\u003c/code\u003e is only readable by the root user.(Citation: Linux Password and Shadow File Formats)\n\nThe Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) \u003ccode\u003e# /usr/bin/unshadow /etc/passwd /etc/shadow \u003e /tmp/crack.password.db\u003c/code\u003e","failedControls":24,"highSeverityCount":56,"lowSeverityCount":3,"mediumSeverityCount":45,"name":"T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow","pass":false,"passingCount":707,"policyId":"35","policyName":"MITRE ATT\u0026CK for Enterprise","requirementId":"535110","severity":"High","zone":{"id":"38551039","name":"RegionA-CloudProvider"}} +{"acceptedCount":0,"control":{"acceptedCount":0,"authors":"Sysdig","description":"Ensure that the Containerd socket file permissions are set to 660 or more restrictive.","id":"5061","isManual":false,"lastUpdate":"1752475015","name":"/run/containerd/containerd.sock permissions set to an appropiate value","objectsCount":0,"pass":true,"passingCount":0,"platform":"","remediationId":"5061","resourceApiEndpoint":"/api/cspm/v1/clusteranalysis/resources?controlId=5061\u0026benchmarkType=1\u0026resourceKind=host\u0026filter=policyId=35 and zones.id=38551039","resourceKind":"host","severity":"High","supportedDistributions":[],"target":"Docker","type":6},"description":"Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension \u003ccode\u003e.timer\u003c/code\u003e that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. 
They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the \u003ccode\u003esystemctl\u003c/code\u003e command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\n\nEach \u003ccode\u003e.timer\u003c/code\u003e file must have a corresponding \u003ccode\u003e.service\u003c/code\u003e file with the same name, e.g., \u003ccode\u003eexample.timer\u003c/code\u003e and \u003ccode\u003eexample.service\u003c/code\u003e. \u003ccode\u003e.service\u003c/code\u003e files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to \u003ccode\u003e/etc/systemd/system/\u003c/code\u003e and \u003ccode\u003e/usr/lib/systemd/system\u003c/code\u003e while user level are written to \u003ccode\u003e~/.config/systemd/user/\u003c/code\u003e.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. 
Adversaries may also install user level timers to achieve user level persistence.","failedControls":19,"highSeverityCount":55,"lowSeverityCount":3,"mediumSeverityCount":32,"name":"T1053.006 Scheduled Task/Job: Systemd Timers","pass":false,"passingCount":693,"policyId":"35","policyName":"MITRE ATT\u0026CK for Enterprise","requirementId":"534827","severity":"High","zone":{"id":"38551039","name":"RegionA-CloudProvider"}} +{"acceptedCount":59,"control":{"acceptedCount":0,"authors":"Sysdig","description":"Enabling HTTPS-only traffic will redirect all non-secure HTTP request to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection, which is both encrypted and authenticated. So it is important to support HTTPS for the security benefits.","id":"17125","isManual":false,"lastUpdate":"1752475015","name":"AppService - Required HTTPS Only","objectsCount":0,"pass":true,"passingCount":0,"platform":"","remediationId":"17125","resourceApiEndpoint":"/api/cspm/v1/cloud/resources?controlId=17125\u0026providerType=Azure\u0026resourceKind=microsoft.web/sites\u0026filter=policyId=27 and zones.id=119","resourceKind":"microsoft.web/sites","severity":"High","supportedDistributions":[{"maxVersion":0,"minVersion":0,"name":"azure"}],"target":"Azure","type":8},"description":"The information system, for password-based authentication:\n (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];\n (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];\n (c) Stores and transmits only encrypted representations of passwords;\n (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];\n (e) Prohibits 
password reuse for [Assignment: organization-defined number] generations; and\n (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.\n\nSupplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. 
Related control: IA-6.\n\n\n*FedRAMP-Defined Assignment / Selection Parameters*:\n\nIA-5 (1) (b) [at least fifty percent (50%)]\nIA-5 (1) (e) [twenty four (24)]\n\n*Additional FedRAMP Requirements and Guidance*:\n\nIA-5 (1) (a), and (d) Additional FedRAMP Requirements and Guidance:\nGuidance: If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant","failedControls":30,"highSeverityCount":53,"lowSeverityCount":1,"mediumSeverityCount":30,"name":"IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION","pass":false,"passingCount":284,"policyId":"27","policyName":"FedRAMP (Federal Risk and Authorization Management Program) High Baseline","requirementId":"511228","severity":"High","zone":{"id":"119","name":"Entire Infrastructure"}} +{"acceptedCount":0,"control":{"acceptedCount":0,"authors":"Sysdig","description":"Removing unfettered reading of objects in a bucket reduces an organization's exposure to data loss.","id":"26143","isManual":false,"lastUpdate":"1752475015","name":"Object Storage - Bucket not publicly accessible","objectsCount":0,"pass":true,"passingCount":0,"platform":"","remediationId":"26143","resourceApiEndpoint":"/api/cspm/v1/cloud/resources?controlId=26143\u0026providerType=OCI\u0026resourceKind=OCI_OBJECTSTORAGE_BUCKET\u0026filter=policyId=64 and zones.id=38551039","resourceKind":"OCI_OBJECTSTORAGE_BUCKET","severity":"High","supportedDistributions":[{"maxVersion":0,"minVersion":0,"name":"OCI"}],"target":"OCI","type":8},"description":"","failedControls":18,"highSeverityCount":53,"lowSeverityCount":3,"mediumSeverityCount":33,"name":"PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties","pass":false,"passingCount":692,"policyId":"64","policyName":"NIST Cybersecurity Framework (CSF)","requirementId":"1237014","severity":"High","zone":{"id":"38551039","name":"RegionA-CloudProvider"}} 
+{"acceptedCount":0,"control":{"acceptedCount":0,"authors":"Sysdig","description":"Allowing anonymous or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. Hence, ensure that anonymous or public access to a bucket is not allowed.","id":"15056","isManual":false,"lastUpdate":"1752475015","name":"Storage - Disabled Anonymous and Public Access","objectsCount":0,"pass":true,"passingCount":0,"platform":"","remediationId":"15056","resourceApiEndpoint":"/api/cspm/v1/cloud/resources?controlId=15056\u0026providerType=GCP\u0026resourceKind=storage.googleapis.com/Bucket/IAM_POLICY\u0026filter=policyId=63 and zones.id=38551039","resourceKind":"storage.googleapis.com/Bucket/IAM_POLICY","severity":"High","supportedDistributions":[{"maxVersion":0,"minVersion":0,"name":"GCP"}],"target":"GCP","type":8},"description":"Rules to control physical and logical access to information and other associated assets shall be established and implemented based on busi- ness and information security requirements.","failedControls":24,"highSeverityCount":56,"lowSeverityCount":3,"mediumSeverityCount":38,"name":"A.5.15 Access control","pass":false,"passingCount":707,"policyId":"63","policyName":"ISO/IEC 27001:2022","requirementId":"78932","severity":"High","zone":{"id":"38551039","name":"RegionA-CloudProvider"}} +{"acceptedCount":0,"control":{"acceptedCount":0,"authors":"Sysdig","description":"This policy control controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.\n\nThe recommended state for this control is: `Enabled`.","id":"33129","isManual":false,"lastUpdate":"1752475015","name":"Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 
'Enabled'","objectsCount":0,"pass":true,"passingCount":0,"platform":"","remediationId":"33129","resourceApiEndpoint":"/api/cspm/v1/clusteranalysis/resources?controlId=33129\u0026benchmarkType=0\u0026resourceKind=host\u0026filter=policyId=63 and zones.id=38551039","resourceKind":"host","severity":"High","supportedDistributions":[{"maxVersion":0,"minVersion":0,"name":"WINDOWS"}],"target":"Windows","type":7},"description":"Rules to control physical and logical access to information and other associated assets shall be established and implemented based on busi- ness and information security requirements.","failedControls":24,"highSeverityCount":56,"lowSeverityCount":3,"mediumSeverityCount":38,"name":"A.5.15 Access control","pass":false,"passingCount":707,"policyId":"63","policyName":"ISO/IEC 27001:2022","requirementId":"78932","severity":"High","zone":{"id":"38551039","name":"RegionA-CloudProvider"}} +{"acceptedCount":0,"control":{"acceptedCount":0,"authors":"Sysdig","description":"Container Network Interface provides various networking options for overlay networking. You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. 
Those files should be writable by only the administrators on the system.","id":"4008","isManual":false,"lastUpdate":"1752475015","name":"Network - Access to CNI Files","objectsCount":0,"pass":true,"passingCount":0,"platform":"","remediationId":"4008","resourceApiEndpoint":"/api/cspm/v1/clusteranalysis/resources?controlId=4008\u0026benchmarkType=2\u0026resourceKind=host\u0026filter=policyId=63 and zones.id=38551039","resourceKind":"host","severity":"High","supportedDistributions":[{"maxVersion":1.23,"minVersion":0,"name":"Vanilla"}],"target":"Kubernetes","type":5},"description":"Rules to control physical and logical access to information and other associated assets shall be established and implemented based on busi- ness and information security requirements.","failedControls":24,"highSeverityCount":56,"lowSeverityCount":3,"mediumSeverityCount":38,"name":"A.5.15 Access control","pass":false,"passingCount":707,"policyId":"63","policyName":"ISO/IEC 27001:2022","requirementId":"78932","severity":"High","zone":{"id":"38551039","name":"RegionA-CloudProvider"}} +{"acceptedCount":0,"control":{"acceptedCount":0,"authors":"Sysdig","description":"The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.","id":"21010","isManual":false,"lastUpdate":"1752475015","name":"Kubelet - Access to kubelet.conf restricted to appropriate permissions","objectsCount":0,"pass":true,"passingCount":0,"platform":"","remediationId":"21010","resourceApiEndpoint":"/api/cspm/v1/clusteranalysis/resources?controlId=21010\u0026benchmarkType=2\u0026resourceKind=host\u0026filter=policyId=32 and zones.id=38551039","resourceKind":"host","severity":"Low","supportedDistributions":[{"maxVersion":0,"minVersion":1.24,"name":"Vanilla"}],"target":"Kubernetes","type":5},"description":"Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).","failedControls":16,"highSeverityCount":52,"lowSeverityCount":3,"mediumSeverityCount":32,"name":"164.312(a)(1) Standard: Access control","pass":false,"passingCount":686,"policyId":"32","policyName":"HIPAA (Health Insurance Portability and Accountability Act) Security Rule","requirementId":"528988","severity":"High","zone":{"id":"38551039","name":"RegionA-CloudProvider"}} +{"acceptedCount":0,"control":{"acceptedCount":0,"authors":"Sysdig","description":"Ensure that docker exec commands are not used with the user=root option.","id":"5095","isManual":false,"lastUpdate":"1752475015","name":"No docker exec command with --user=root option set","objectsCount":0,"pass":true,"passingCount":0,"platform":"","remediationId":"5095","resourceApiEndpoint":"/api/cspm/v1/clusteranalysis/resources?controlId=5095\u0026benchmarkType=1\u0026resourceKind=host\u0026filter=policyId=63 and zones.id=38551039","resourceKind":"host","severity":"Medium","supportedDistributions":[],"target":"Docker","type":6},"description":"Rules to control physical and logical access to information and other associated assets shall be 
established and implemented based on busi- ness and information security requirements.","failedControls":24,"highSeverityCount":56,"lowSeverityCount":3,"mediumSeverityCount":38,"name":"A.5.15 Access control","pass":false,"passingCount":707,"policyId":"63","policyName":"ISO/IEC 27001:2022","requirementId":"78932","severity":"High","zone":{"id":"38551039","name":"RegionA-CloudProvider"}}
diff --git a/packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-cspm.log-expected.json b/packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-cspm.log-expected.json
new file mode 100644
index 00000000000..e9f2f315970
--- /dev/null
+++ b/packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-cspm.log-expected.json
@@ -0,0 +1,702 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"acceptedCount\":0,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.\",\"id\":\"16011\",\"isManual\":false,\"lastUpdate\":\"1736935526\",\"name\":\"IAM - Defined Users MFA (AWS)\",\"objectsCount\":0,\"pass\":true,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"16011\",\"resourceApiEndpoint\":\"/api/cspm/v1/cloud/resources?controlId=16011\\u0026providerType=AWS\\u0026resourceKind=AWS_USER\\u0026filter=policyId=15 and zones.id=17769377\",\"resourceKind\":\"AWS_USER\",\"severity\":\"High\",\"supportedDistributions\":[{\"maxVersion\":0,\"minVersion\":0,\"name\":\"aws\"}],\"target\":\"AWS\",\"type\":9},\"description\":\"Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. 
It is recommended that MFA be enabled for all accounts that have a console password.\",\"failedControls\":0,\"highSeverityCount\":0,\"lowSeverityCount\":0,\"mediumSeverityCount\":0,\"name\":\"1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password\",\"pass\":true,\"passingCount\":0,\"policyId\":\"15\",\"policyName\":\"CIS Amazon Web Services Foundations Benchmark\",\"requirementId\":\"16009\",\"severity\":\"High\",\"zone\":{\"id\":\"17769377\",\"name\":\"Entire Infrastructure\"}}", + "outcome": "success", + "severity": 73, + "type": [ + "info" + ] + }, + "message": "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "15", + "name": "CIS Amazon Web Services Foundations Benchmark" + }, + "sysdig": { + "cspm": { + "accepted_count": 0, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.", + "id": "16011", + "is_manual": false, + "last_update": "2025-01-15T10:05:26.000Z", + "name": "IAM - Defined Users MFA (AWS)", + "objects_count": 0, + "pass": true, + "passing_count": 0, + "remediation_id": "16011", + "resource_api_endpoint": "/api/cspm/v1/cloud/resources?controlId=16011&providerType=AWS&resourceKind=AWS_USER&filter=policyId=15 and zones.id=17769377", + "resource_kind": "AWS_USER", + "severity": "High", + "supported_distributions": [ + { + "max_version": "0", + "min_version": "0", + "name": "aws" + } + ], + "target": "AWS", + "type": 9 + }, + "description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. 
With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.", + "failed_controls": 0, + "high_severity_count": 0, + "low_severity_count": 0, + "medium_severity_count": 0, + "name": "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password", + "pass": true, + "passing_count": 0, + "policy_id": "15", + "policy_name": "CIS Amazon Web Services Foundations Benchmark", + "requirement_id": "16009", + "severity": "High", + "zone": { + "id": "17769377", + "name": "Entire Infrastructure" + } + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"acceptedCount\":0,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"The mandatory access controls provided by the default SELinux policy are a critical mechanism to prevent containers from accessing sensitive data or modifying system files that belong to the host or to other containers.\",\"id\":\"22011\",\"isManual\":false,\"lastUpdate\":\"1752475015\",\"name\":\"SELinux Configured (Bottlerocket)\",\"objectsCount\":0,\"pass\":true,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"22011\",\"resourceApiEndpoint\":\"/api/cspm/v1/clusteranalysis/resources?controlId=22011\\u0026benchmarkType=0\\u0026resourceKind=host\\u0026filter=policyId=35 and zones.id=38551039\",\"resourceKind\":\"host\",\"severity\":\"High\",\"supportedDistributions\":[],\"target\":\"Linux\",\"type\":7},\"description\":\"Adversaries may attempt to dump the contents of \\u003ccode\\u003e/etc/passwd\\u003c/code\\u003e and \\u003ccode\\u003e/etc/shadow\\u003c/code\\u003e to enable offline password cracking. 
Most modern Linux operating systems use a combination of \\u003ccode\\u003e/etc/passwd\\u003c/code\\u003e and \\u003ccode\\u003e/etc/shadow\\u003c/code\\u003e to store user account information including password hashes in \\u003ccode\\u003e/etc/shadow\\u003c/code\\u003e. By default, \\u003ccode\\u003e/etc/shadow\\u003c/code\\u003e is only readable by the root user.(Citation: Linux Password and Shadow File Formats)\\n\\nThe Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) \\u003ccode\\u003e# /usr/bin/unshadow /etc/passwd /etc/shadow \\u003e /tmp/crack.password.db\\u003c/code\\u003e\",\"failedControls\":24,\"highSeverityCount\":56,\"lowSeverityCount\":3,\"mediumSeverityCount\":45,\"name\":\"T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow\",\"pass\":false,\"passingCount\":707,\"policyId\":\"35\",\"policyName\":\"MITRE ATT\\u0026CK for Enterprise\",\"requirementId\":\"535110\",\"severity\":\"High\",\"zone\":{\"id\":\"38551039\",\"name\":\"RegionA-CloudProvider\"}}", + "outcome": "failure", + "severity": 73, + "type": [ + "info" + ] + }, + "message": "T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "35", + "name": "MITRE ATT&CK for Enterprise" + }, + "sysdig": { + "cspm": { + "accepted_count": 0, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "The mandatory access controls provided by the default SELinux policy are a critical mechanism to prevent containers from accessing sensitive data or modifying system files that belong to the host or to other containers.", + "id": "22011", + "is_manual": false, + "last_update": "2025-07-14T06:36:55.000Z", + "name": "SELinux Configured (Bottlerocket)", + "objects_count": 0, + "pass": true, + "passing_count": 0, + "remediation_id": "22011", + 
"resource_api_endpoint": "/api/cspm/v1/clusteranalysis/resources?controlId=22011&benchmarkType=0&resourceKind=host&filter=policyId=35 and zones.id=38551039", + "resource_kind": "host", + "severity": "High", + "target": "Linux", + "type": 7 + }, + "description": "Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats)\n\nThe Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db", + "failed_controls": 24, + "high_severity_count": 56, + "low_severity_count": 3, + "medium_severity_count": 45, + "name": "T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow", + "pass": false, + "passing_count": 707, + "policy_id": "35", + "policy_name": "MITRE ATT&CK for Enterprise", + "requirement_id": "535110", + "severity": "High", + "zone": { + "id": "38551039", + "name": "RegionA-CloudProvider" + } + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"acceptedCount\":0,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"Ensure that the Containerd socket file permissions are set to 660 or more restrictive.\",\"id\":\"5061\",\"isManual\":false,\"lastUpdate\":\"1752475015\",\"name\":\"/run/containerd/containerd.sock permissions set to an appropiate 
value\",\"objectsCount\":0,\"pass\":true,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"5061\",\"resourceApiEndpoint\":\"/api/cspm/v1/clusteranalysis/resources?controlId=5061\\u0026benchmarkType=1\\u0026resourceKind=host\\u0026filter=policyId=35 and zones.id=38551039\",\"resourceKind\":\"host\",\"severity\":\"High\",\"supportedDistributions\":[],\"target\":\"Docker\",\"type\":6},\"description\":\"Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension \\u003ccode\\u003e.timer\\u003c/code\\u003e that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the \\u003ccode\\u003esystemctl\\u003c/code\\u003e command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\\n\\nEach \\u003ccode\\u003e.timer\\u003c/code\\u003e file must have a corresponding \\u003ccode\\u003e.service\\u003c/code\\u003e file with the same name, e.g., \\u003ccode\\u003eexample.timer\\u003c/code\\u003e and \\u003ccode\\u003eexample.service\\u003c/code\\u003e. 
\\u003ccode\\u003e.service\\u003c/code\\u003e files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to \\u003ccode\\u003e/etc/systemd/system/\\u003c/code\\u003e and \\u003ccode\\u003e/usr/lib/systemd/system\\u003c/code\\u003e while user level are written to \\u003ccode\\u003e~/.config/systemd/user/\\u003c/code\\u003e.\\n\\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.\",\"failedControls\":19,\"highSeverityCount\":55,\"lowSeverityCount\":3,\"mediumSeverityCount\":32,\"name\":\"T1053.006 Scheduled Task/Job: Systemd Timers\",\"pass\":false,\"passingCount\":693,\"policyId\":\"35\",\"policyName\":\"MITRE ATT\\u0026CK for Enterprise\",\"requirementId\":\"534827\",\"severity\":\"High\",\"zone\":{\"id\":\"38551039\",\"name\":\"RegionA-CloudProvider\"}}", + "outcome": "failure", + "severity": 73, + "type": [ + "info" + ] + }, + "message": "T1053.006 Scheduled Task/Job: Systemd Timers", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "35", + "name": "MITRE ATT&CK for Enterprise" + }, + "sysdig": { + "cspm": { + "accepted_count": 0, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "Ensure that the Containerd socket file permissions are set to 660 or more restrictive.", + "id": "5061", + "is_manual": false, + "last_update": "2025-07-14T06:36:55.000Z", + "name": "/run/containerd/containerd.sock permissions set 
to an appropiate value", + "objects_count": 0, + "pass": true, + "passing_count": 0, + "remediation_id": "5061", + "resource_api_endpoint": "/api/cspm/v1/clusteranalysis/resources?controlId=5061&benchmarkType=1&resourceKind=host&filter=policyId=35 and zones.id=38551039", + "resource_kind": "host", + "severity": "High", + "target": "Docker", + "type": 6 + }, + "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\n\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. 
Adversaries may also install user level timers to achieve user level persistence.", + "failed_controls": 19, + "high_severity_count": 55, + "low_severity_count": 3, + "medium_severity_count": 32, + "name": "T1053.006 Scheduled Task/Job: Systemd Timers", + "pass": false, + "passing_count": 693, + "policy_id": "35", + "policy_name": "MITRE ATT&CK for Enterprise", + "requirement_id": "534827", + "severity": "High", + "zone": { + "id": "38551039", + "name": "RegionA-CloudProvider" + } + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"acceptedCount\":59,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"Enabling HTTPS-only traffic will redirect all non-secure HTTP request to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection, which is both encrypted and authenticated. So it is important to support HTTPS for the security benefits.\",\"id\":\"17125\",\"isManual\":false,\"lastUpdate\":\"1752475015\",\"name\":\"AppService - Required HTTPS Only\",\"objectsCount\":0,\"pass\":true,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"17125\",\"resourceApiEndpoint\":\"/api/cspm/v1/cloud/resources?controlId=17125\\u0026providerType=Azure\\u0026resourceKind=microsoft.web/sites\\u0026filter=policyId=27 and zones.id=119\",\"resourceKind\":\"microsoft.web/sites\",\"severity\":\"High\",\"supportedDistributions\":[{\"maxVersion\":0,\"minVersion\":0,\"name\":\"azure\"}],\"target\":\"Azure\",\"type\":8},\"description\":\"The information system, for password-based authentication:\\n (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];\\n (b) Enforces at least the following number of changed characters when new passwords are 
created: [Assignment: organization-defined number];\\n (c) Stores and transmits only encrypted representations of passwords;\\n (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];\\n (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and\\n (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.\\n\\nSupplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. 
Related control: IA-6.\\n\\n\\n*FedRAMP-Defined Assignment / Selection Parameters*:\\n\\nIA-5 (1) (b) [at least fifty percent (50%)]\\nIA-5 (1) (e) [twenty four (24)]\\n\\n*Additional FedRAMP Requirements and Guidance*:\\n\\nIA-5 (1) (a), and (d) Additional FedRAMP Requirements and Guidance:\\nGuidance: If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant\",\"failedControls\":30,\"highSeverityCount\":53,\"lowSeverityCount\":1,\"mediumSeverityCount\":30,\"name\":\"IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION\",\"pass\":false,\"passingCount\":284,\"policyId\":\"27\",\"policyName\":\"FedRAMP (Federal Risk and Authorization Management Program) High Baseline\",\"requirementId\":\"511228\",\"severity\":\"High\",\"zone\":{\"id\":\"119\",\"name\":\"Entire Infrastructure\"}}", + "outcome": "failure", + "severity": 73, + "type": [ + "info" + ] + }, + "message": "IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "27", + "name": "FedRAMP (Federal Risk and Authorization Management Program) High Baseline" + }, + "sysdig": { + "cspm": { + "accepted_count": 59, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "Enabling HTTPS-only traffic will redirect all non-secure HTTP request to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection, which is both encrypted and authenticated. 
So it is important to support HTTPS for the security benefits.", + "id": "17125", + "is_manual": false, + "last_update": "2025-07-14T06:36:55.000Z", + "name": "AppService - Required HTTPS Only", + "objects_count": 0, + "pass": true, + "passing_count": 0, + "remediation_id": "17125", + "resource_api_endpoint": "/api/cspm/v1/cloud/resources?controlId=17125&providerType=Azure&resourceKind=microsoft.web/sites&filter=policyId=27 and zones.id=119", + "resource_kind": "microsoft.web/sites", + "severity": "High", + "supported_distributions": [ + { + "max_version": "0", + "min_version": "0", + "name": "azure" + } + ], + "target": "Azure", + "type": 8 + }, + "description": "The information system, for password-based authentication:\n (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];\n (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];\n (c) Stores and transmits only encrypted representations of passwords;\n (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];\n (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and\n (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.\n\nSupplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). 
The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6.\n\n\n*FedRAMP-Defined Assignment / Selection Parameters*:\n\nIA-5 (1) (b) [at least fifty percent (50%)]\nIA-5 (1) (e) [twenty four (24)]\n\n*Additional FedRAMP Requirements and Guidance*:\n\nIA-5 (1) (a), and (d) Additional FedRAMP Requirements and Guidance:\nGuidance: If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant", + "failed_controls": 30, + "high_severity_count": 53, + "low_severity_count": 1, + "medium_severity_count": 30, + "name": "IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION", + "pass": false, + "passing_count": 284, + "policy_id": "27", + "policy_name": "FedRAMP (Federal Risk and Authorization Management Program) High Baseline", + "requirement_id": "511228", + "severity": "High", + "zone": { + "id": "119", + "name": "Entire Infrastructure" + } + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"acceptedCount\":0,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"Removing unfettered reading of objects in a bucket reduces an organization's exposure to data loss.\",\"id\":\"26143\",\"isManual\":false,\"lastUpdate\":\"1752475015\",\"name\":\"Object Storage - Bucket not publicly 
accessible\",\"objectsCount\":0,\"pass\":true,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"26143\",\"resourceApiEndpoint\":\"/api/cspm/v1/cloud/resources?controlId=26143\\u0026providerType=OCI\\u0026resourceKind=OCI_OBJECTSTORAGE_BUCKET\\u0026filter=policyId=64 and zones.id=38551039\",\"resourceKind\":\"OCI_OBJECTSTORAGE_BUCKET\",\"severity\":\"High\",\"supportedDistributions\":[{\"maxVersion\":0,\"minVersion\":0,\"name\":\"OCI\"}],\"target\":\"OCI\",\"type\":8},\"description\":\"\",\"failedControls\":18,\"highSeverityCount\":53,\"lowSeverityCount\":3,\"mediumSeverityCount\":33,\"name\":\"PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties\",\"pass\":false,\"passingCount\":692,\"policyId\":\"64\",\"policyName\":\"NIST Cybersecurity Framework (CSF)\",\"requirementId\":\"1237014\",\"severity\":\"High\",\"zone\":{\"id\":\"38551039\",\"name\":\"RegionA-CloudProvider\"}}", + "outcome": "failure", + "severity": 73, + "type": [ + "info" + ] + }, + "message": "PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "64", + "name": "NIST Cybersecurity Framework (CSF)" + }, + "sysdig": { + "cspm": { + "accepted_count": 0, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "Removing unfettered reading of objects in a bucket reduces an organization's exposure to data loss.", + "id": "26143", + "is_manual": false, + "last_update": "2025-07-14T06:36:55.000Z", + "name": "Object Storage - Bucket not publicly accessible", + "objects_count": 0, + "pass": true, + "passing_count": 0, + "remediation_id": "26143", + "resource_api_endpoint": "/api/cspm/v1/cloud/resources?controlId=26143&providerType=OCI&resourceKind=OCI_OBJECTSTORAGE_BUCKET&filter=policyId=64 and zones.id=38551039", + "resource_kind": 
"OCI_OBJECTSTORAGE_BUCKET", + "severity": "High", + "supported_distributions": [ + { + "max_version": "0", + "min_version": "0", + "name": "OCI" + } + ], + "target": "OCI", + "type": 8 + }, + "failed_controls": 18, + "high_severity_count": 53, + "low_severity_count": 3, + "medium_severity_count": 33, + "name": "PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties", + "pass": false, + "passing_count": 692, + "policy_id": "64", + "policy_name": "NIST Cybersecurity Framework (CSF)", + "requirement_id": "1237014", + "severity": "High", + "zone": { + "id": "38551039", + "name": "RegionA-CloudProvider" + } + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"acceptedCount\":0,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"Allowing anonymous or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. 
Hence, ensure that anonymous or public access to a bucket is not allowed.\",\"id\":\"15056\",\"isManual\":false,\"lastUpdate\":\"1752475015\",\"name\":\"Storage - Disabled Anonymous and Public Access\",\"objectsCount\":0,\"pass\":true,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"15056\",\"resourceApiEndpoint\":\"/api/cspm/v1/cloud/resources?controlId=15056\\u0026providerType=GCP\\u0026resourceKind=storage.googleapis.com/Bucket/IAM_POLICY\\u0026filter=policyId=63 and zones.id=38551039\",\"resourceKind\":\"storage.googleapis.com/Bucket/IAM_POLICY\",\"severity\":\"High\",\"supportedDistributions\":[{\"maxVersion\":0,\"minVersion\":0,\"name\":\"GCP\"}],\"target\":\"GCP\",\"type\":8},\"description\":\"Rules to control physical and logical access to information and other associated assets shall be established and implemented based on busi- ness and information security requirements.\",\"failedControls\":24,\"highSeverityCount\":56,\"lowSeverityCount\":3,\"mediumSeverityCount\":38,\"name\":\"A.5.15 Access control\",\"pass\":false,\"passingCount\":707,\"policyId\":\"63\",\"policyName\":\"ISO/IEC 27001:2022\",\"requirementId\":\"78932\",\"severity\":\"High\",\"zone\":{\"id\":\"38551039\",\"name\":\"RegionA-CloudProvider\"}}", + "outcome": "failure", + "severity": 73, + "type": [ + "info" + ] + }, + "message": "A.5.15 Access control", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "63", + "name": "ISO/IEC 27001:2022" + }, + "sysdig": { + "cspm": { + "accepted_count": 0, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "Allowing anonymous or public access grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data. 
Hence, ensure that anonymous or public access to a bucket is not allowed.", + "id": "15056", + "is_manual": false, + "last_update": "2025-07-14T06:36:55.000Z", + "name": "Storage - Disabled Anonymous and Public Access", + "objects_count": 0, + "pass": true, + "passing_count": 0, + "remediation_id": "15056", + "resource_api_endpoint": "/api/cspm/v1/cloud/resources?controlId=15056&providerType=GCP&resourceKind=storage.googleapis.com/Bucket/IAM_POLICY&filter=policyId=63 and zones.id=38551039", + "resource_kind": "storage.googleapis.com/Bucket/IAM_POLICY", + "severity": "High", + "supported_distributions": [ + { + "max_version": "0", + "min_version": "0", + "name": "GCP" + } + ], + "target": "GCP", + "type": 8 + }, + "description": "Rules to control physical and logical access to information and other associated assets shall be established and implemented based on busi- ness and information security requirements.", + "failed_controls": 24, + "high_severity_count": 56, + "low_severity_count": 3, + "medium_severity_count": 38, + "name": "A.5.15 Access control", + "pass": false, + "passing_count": 707, + "policy_id": "63", + "policy_name": "ISO/IEC 27001:2022", + "requirement_id": "78932", + "severity": "High", + "zone": { + "id": "38551039", + "name": "RegionA-CloudProvider" + } + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"acceptedCount\":0,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"This policy control controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.\\n\\nThe recommended state for this control is: `Enabled`.\",\"id\":\"33129\",\"isManual\":false,\"lastUpdate\":\"1752475015\",\"name\":\"Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 
'Enabled'\",\"objectsCount\":0,\"pass\":true,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"33129\",\"resourceApiEndpoint\":\"/api/cspm/v1/clusteranalysis/resources?controlId=33129\\u0026benchmarkType=0\\u0026resourceKind=host\\u0026filter=policyId=63 and zones.id=38551039\",\"resourceKind\":\"host\",\"severity\":\"High\",\"supportedDistributions\":[{\"maxVersion\":0,\"minVersion\":0,\"name\":\"WINDOWS\"}],\"target\":\"Windows\",\"type\":7},\"description\":\"Rules to control physical and logical access to information and other associated assets shall be established and implemented based on busi- ness and information security requirements.\",\"failedControls\":24,\"highSeverityCount\":56,\"lowSeverityCount\":3,\"mediumSeverityCount\":38,\"name\":\"A.5.15 Access control\",\"pass\":false,\"passingCount\":707,\"policyId\":\"63\",\"policyName\":\"ISO/IEC 27001:2022\",\"requirementId\":\"78932\",\"severity\":\"High\",\"zone\":{\"id\":\"38551039\",\"name\":\"RegionA-CloudProvider\"}}", + "outcome": "failure", + "severity": 73, + "type": [ + "info" + ] + }, + "message": "A.5.15 Access control", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "63", + "name": "ISO/IEC 27001:2022" + }, + "sysdig": { + "cspm": { + "accepted_count": 0, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "This policy control controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.\n\nThe recommended state for this control is: `Enabled`.", + "id": "33129", + "is_manual": false, + "last_update": "2025-07-14T06:36:55.000Z", + "name": "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'", + "objects_count": 0, + "pass": true, + "passing_count": 0, + "remediation_id": "33129", + "resource_api_endpoint": 
"/api/cspm/v1/clusteranalysis/resources?controlId=33129&benchmarkType=0&resourceKind=host&filter=policyId=63 and zones.id=38551039", + "resource_kind": "host", + "severity": "High", + "supported_distributions": [ + { + "max_version": "0", + "min_version": "0", + "name": "WINDOWS" + } + ], + "target": "Windows", + "type": 7 + }, + "description": "Rules to control physical and logical access to information and other associated assets shall be established and implemented based on busi- ness and information security requirements.", + "failed_controls": 24, + "high_severity_count": 56, + "low_severity_count": 3, + "medium_severity_count": 38, + "name": "A.5.15 Access control", + "pass": false, + "passing_count": 707, + "policy_id": "63", + "policy_name": "ISO/IEC 27001:2022", + "requirement_id": "78932", + "severity": "High", + "zone": { + "id": "38551039", + "name": "RegionA-CloudProvider" + } + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"acceptedCount\":0,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"Container Network Interface provides various networking options for overlay networking. You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. 
Those files should be writable by only the administrators on the system.\",\"id\":\"4008\",\"isManual\":false,\"lastUpdate\":\"1752475015\",\"name\":\"Network - Access to CNI Files\",\"objectsCount\":0,\"pass\":true,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"4008\",\"resourceApiEndpoint\":\"/api/cspm/v1/clusteranalysis/resources?controlId=4008\\u0026benchmarkType=2\\u0026resourceKind=host\\u0026filter=policyId=63 and zones.id=38551039\",\"resourceKind\":\"host\",\"severity\":\"High\",\"supportedDistributions\":[{\"maxVersion\":1.23,\"minVersion\":0,\"name\":\"Vanilla\"}],\"target\":\"Kubernetes\",\"type\":5},\"description\":\"Rules to control physical and logical access to information and other associated assets shall be established and implemented based on busi- ness and information security requirements.\",\"failedControls\":24,\"highSeverityCount\":56,\"lowSeverityCount\":3,\"mediumSeverityCount\":38,\"name\":\"A.5.15 Access control\",\"pass\":false,\"passingCount\":707,\"policyId\":\"63\",\"policyName\":\"ISO/IEC 27001:2022\",\"requirementId\":\"78932\",\"severity\":\"High\",\"zone\":{\"id\":\"38551039\",\"name\":\"RegionA-CloudProvider\"}}", + "outcome": "failure", + "severity": 73, + "type": [ + "info" + ] + }, + "message": "A.5.15 Access control", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "63", + "name": "ISO/IEC 27001:2022" + }, + "sysdig": { + "cspm": { + "accepted_count": 0, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "Container Network Interface provides various networking options for overlay networking. You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. 
Those files should be writable by only the administrators on the system.", + "id": "4008", + "is_manual": false, + "last_update": "2025-07-14T06:36:55.000Z", + "name": "Network - Access to CNI Files", + "objects_count": 0, + "pass": true, + "passing_count": 0, + "remediation_id": "4008", + "resource_api_endpoint": "/api/cspm/v1/clusteranalysis/resources?controlId=4008&benchmarkType=2&resourceKind=host&filter=policyId=63 and zones.id=38551039", + "resource_kind": "host", + "severity": "High", + "supported_distributions": [ + { + "max_version": "1.23", + "min_version": "0", + "name": "Vanilla" + } + ], + "target": "Kubernetes", + "type": 5 + }, + "description": "Rules to control physical and logical access to information and other associated assets shall be established and implemented based on busi- ness and information security requirements.", + "failed_controls": 24, + "high_severity_count": 56, + "low_severity_count": 3, + "medium_severity_count": 38, + "name": "A.5.15 Access control", + "pass": false, + "passing_count": 707, + "policy_id": "63", + "policy_name": "ISO/IEC 27001:2022", + "requirement_id": "78932", + "severity": "High", + "zone": { + "id": "38551039", + "name": "RegionA-CloudProvider" + } + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"acceptedCount\":0,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\",\"id\":\"21010\",\"isManual\":false,\"lastUpdate\":\"1752475015\",\"name\":\"Kubelet - Access to kubelet.conf restricted to appropriate permissions\",\"objectsCount\":0,\"pass\":true,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"21010\",\"resourceApiEndpoint\":\"/api/cspm/v1/clusteranalysis/resources?controlId=21010\\u0026benchmarkType=2\\u0026resourceKind=host\\u0026filter=policyId=32 and zones.id=38551039\",\"resourceKind\":\"host\",\"severity\":\"Low\",\"supportedDistributions\":[{\"maxVersion\":0,\"minVersion\":1.24,\"name\":\"Vanilla\"}],\"target\":\"Kubernetes\",\"type\":5},\"description\":\"Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).\",\"failedControls\":16,\"highSeverityCount\":52,\"lowSeverityCount\":3,\"mediumSeverityCount\":32,\"name\":\"164.312(a)(1) Standard: Access control\",\"pass\":false,\"passingCount\":686,\"policyId\":\"32\",\"policyName\":\"HIPAA (Health Insurance Portability and Accountability Act) Security Rule\",\"requirementId\":\"528988\",\"severity\":\"High\",\"zone\":{\"id\":\"38551039\",\"name\":\"RegionA-CloudProvider\"}}", + "outcome": "failure", + "severity": 73, + "type": [ + "info" + ] + }, + "message": "164.312(a)(1) Standard: Access control", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "32", + "name": "HIPAA (Health Insurance Portability and Accountability Act) Security Rule" + }, + "sysdig": { + "cspm": { + "accepted_count": 0, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. 
You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.", + "id": "21010", + "is_manual": false, + "last_update": "2025-07-14T06:36:55.000Z", + "name": "Kubelet - Access to kubelet.conf restricted to appropriate permissions", + "objects_count": 0, + "pass": true, + "passing_count": 0, + "remediation_id": "21010", + "resource_api_endpoint": "/api/cspm/v1/clusteranalysis/resources?controlId=21010&benchmarkType=2&resourceKind=host&filter=policyId=32 and zones.id=38551039", + "resource_kind": "host", + "severity": "Low", + "supported_distributions": [ + { + "max_version": "0", + "min_version": "1.24", + "name": "Vanilla" + } + ], + "target": "Kubernetes", + "type": 5 + }, + "description": "Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).", + "failed_controls": 16, + "high_severity_count": 52, + "low_severity_count": 3, + "medium_severity_count": 32, + "name": "164.312(a)(1) Standard: Access control", + "pass": false, + "passing_count": 686, + "policy_id": "32", + "policy_name": "HIPAA (Health Insurance Portability and Accountability Act) Security Rule", + "requirement_id": "528988", + "severity": "High", + "zone": { + "id": "38551039", + "name": "RegionA-CloudProvider" + } + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"acceptedCount\":0,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"Ensure that docker exec commands are not used with the user=root option.\",\"id\":\"5095\",\"isManual\":false,\"lastUpdate\":\"1752475015\",\"name\":\"No docker exec command with --user=root option 
set\",\"objectsCount\":0,\"pass\":true,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"5095\",\"resourceApiEndpoint\":\"/api/cspm/v1/clusteranalysis/resources?controlId=5095\\u0026benchmarkType=1\\u0026resourceKind=host\\u0026filter=policyId=63 and zones.id=38551039\",\"resourceKind\":\"host\",\"severity\":\"Medium\",\"supportedDistributions\":[],\"target\":\"Docker\",\"type\":6},\"description\":\"Rules to control physical and logical access to information and other associated assets shall be established and implemented based on busi- ness and information security requirements.\",\"failedControls\":24,\"highSeverityCount\":56,\"lowSeverityCount\":3,\"mediumSeverityCount\":38,\"name\":\"A.5.15 Access control\",\"pass\":false,\"passingCount\":707,\"policyId\":\"63\",\"policyName\":\"ISO/IEC 27001:2022\",\"requirementId\":\"78932\",\"severity\":\"High\",\"zone\":{\"id\":\"38551039\",\"name\":\"RegionA-CloudProvider\"}}", + "outcome": "failure", + "severity": 73, + "type": [ + "info" + ] + }, + "message": "A.5.15 Access control", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "63", + "name": "ISO/IEC 27001:2022" + }, + "sysdig": { + "cspm": { + "accepted_count": 0, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "Ensure that docker exec commands are not used with the user=root option.", + "id": "5095", + "is_manual": false, + "last_update": "2025-07-14T06:36:55.000Z", + "name": "No docker exec command with --user=root option set", + "objects_count": 0, + "pass": true, + "passing_count": 0, + "remediation_id": "5095", + "resource_api_endpoint": "/api/cspm/v1/clusteranalysis/resources?controlId=5095&benchmarkType=1&resourceKind=host&filter=policyId=63 and zones.id=38551039", + "resource_kind": "host", + "severity": "Medium", + "target": "Docker", + "type": 6 + }, + "description": "Rules to control physical and logical access to information and other associated assets shall be established 
and implemented based on busi- ness and information security requirements.",
+ "failed_controls": 24,
+ "high_severity_count": 56,
+ "low_severity_count": 3,
+ "medium_severity_count": 38,
+ "name": "A.5.15 Access control",
+ "pass": false,
+ "passing_count": 707,
+ "policy_id": "63",
+ "policy_name": "ISO/IEC 27001:2022",
+ "requirement_id": "78932",
+ "severity": "High",
+ "zone": {
+ "id": "38551039",
+ "name": "RegionA-CloudProvider"
+ }
+ }
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ]
+ }
+ ]
+}
diff --git a/packages/sysdig/data_stream/cspm/_dev/test/system/test-default-config.yml b/packages/sysdig/data_stream/cspm/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..99749f1ae1c
--- /dev/null
+++ b/packages/sysdig/data_stream/cspm/_dev/test/system/test-default-config.yml
@@ -0,0 +1,11 @@
+input: cel
+service: sysdig
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ api_token: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
+ batch_size: 2
+assert:
+ hit_count: 7
diff --git a/packages/sysdig/data_stream/cspm/agent/stream/cel.yml.hbs b/packages/sysdig/data_stream/cspm/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..9f884d8fb5f
--- /dev/null
+++ b/packages/sysdig/data_stream/cspm/agent/stream/cel.yml.hbs
@@ -0,0 +1,87 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +{{#if max_executions}} +max_executions: {{max_executions}} +{{/if}} +resource.url: {{url}} +state: + batch_size: {{batch_size}} + api_token: {{api_token}} +redact: + fields: + - api_token +program: | + request("GET", + state.url.trim_right("/") + "/api/cspm/v1/compliance/requirements?" + { + "pageNumber": [string(state.?page_number.orValue(1))], + "pageSize": [string(state.batch_size)], + }.format_query() + ).with({ + "Header":{ + "Authorization": ["Bearer " + state.api_token], + }, + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": has(body.data) && size(body.data) > 0 ? + // Create an event for each control with its parent's field. + body.data.map(result, + result.controls.map(con, { + "message": result.with({"control": con}).drop("controls").encode_json() + }) + ).flatten() + : + [], + "page_number": int(state.?page_number.orValue(1)) + 1, + "batch_size": state.batch_size, + "api_token": state.api_token, + "want_more": has(body.data) && size(body.data) > 0, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/cspm/v1/compliance/requirements: " + ( + size(resp.Body) != 0 ? 
+ string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "batch_size": state.batch_size, + "api_token": state.api_token, + "want_more": false + } + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/sysdig/data_stream/cspm/elasticsearch/ingest_pipeline/default.yml b/packages/sysdig/data_stream/cspm/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..d009022c94e --- /dev/null +++ b/packages/sysdig/data_stream/cspm/elasticsearch/ingest_pipeline/default.yml 
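Review bot: The page cursor is carried into the persisted state unconditionally: `"page_number": int(state.?page_number.orValue(1)) + 1` is returned on the empty final page as well, so once a full pass has completed the next `interval` run starts at the page after the last one and, as far as this program shows, keeps receiving empty pages instead of a fresh snapshot of the compliance results (the error branch omits `page_number`, so only an error resets the walk to page 1). If each interval is meant to re-collect all requirements, reset the cursor when nothing came back: `"page_number": has(body.data) && size(body.data) > 0 ? int(state.?page_number.orValue(1)) + 1 : 1,`. A second, security-side caveat: `redact` keeps `api_token` out of logged state, but `resource.tracer` writes request traces to `http-request-trace-*.ndjson` when `enable_request_tracer` is on, and the request carries `Authorization: Bearer <token>`, so the trace files presumably contain the credential; the option's description (outside this hunk) should warn about that.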
@@ -0,0 +1,426 @@
+---
+description: Pipeline for processing CSPM compliance results logs.
+processors:
+ - set:
+ field: ecs.version
+ tag: set_ecs_version
+ value: 8.17.0
+ - terminate:
+ tag: data_collection_error
+ if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null
+ description: error message set and no data to process.
+
+ # parse the event JSON
+ - rename:
+ field: message
+ tag: rename_message_to_event_original
+ target_field: event.original
+ ignore_missing: true
+ description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.
+ if: ctx.event?.original == null
+ - remove:
+ field: message
+ tag: remove_message
+ ignore_missing: true
+ description: The `message` field is no longer required if the document has an `event.original` field.
+ if: ctx.event?.original != null
+ - json:
+ field: event.original
+ tag: json_event_original
+ target_field: json
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ # rename to snake case
+ - script:
+ tag: script_convert_camelcase_to_snake_case
+ lang: painless
+ description: Convert camelCase to snake_case
+ source: |
+ // Helper function to convert camelCase to snake_case
+ String camelToSnake(String str) {
+ def result = "";
+ def lastCharWasUpperCase = false;
+ for (int i = 0; i < str.length(); i++) {
+ char c = str.charAt(i);
+ if (Character.isUpperCase(c)) {
+ if (i > 0 && !lastCharWasUpperCase) {
+ result += "_";
+ }
+ result += Character.toLowerCase(c);
+ lastCharWasUpperCase = true;
+ } else {
+ result += c;
+ lastCharWasUpperCase = false;
+ }
+ }
+ return result;
+ }
+ // Recursive function to handle 
nested fields
+ def convertToSnakeCase(def obj) {
+ if (obj instanceof Map) {
+ // Convert each key in the map
+ def newObj = [:];
+ for (entry in obj.entrySet()) {
+ // Skip fields that contain '@' in their name
+ if (!entry.getKey().contains("@")) {
+ String newKey = camelToSnake(entry.getKey());
+ newObj[newKey] = convertToSnakeCase(entry.getValue());
+ }
+ }
+ return newObj;
+ } else if (obj instanceof List) {
+ // If it's a list, process each item recursively
+ def newList = [];
+ for (item in obj) {
+ newList.add(convertToSnakeCase(item));
+ }
+ return newList;
+ } else {
+ return obj;
+ }
+ }
+ // Apply the conversion
+ ctx.sysdig = ctx.sysdig ?: [:];
+ if (ctx.json != null) {
+ ctx.sysdig.cspm = convertToSnakeCase(ctx.json);
+ }
+
+ # convert values
+ - convert:
+ field: sysdig.cspm.accepted_count
+ tag: convert_accepted_count_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.accepted_count
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.control.accepted_count
+ tag: convert_control_accepted_count_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.control.accepted_count
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.control.id
+ tag: convert_control_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: sysdig.cspm.control.is_manual
+ tag: convert_control_is_manual_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.control.is_manual
+ - append:
+ field: 
error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: sysdig.cspm.control.last_update
+ tag: date_control_last_update
+ target_field: sysdig.cspm.control.last_update
+ formats:
+ - epoch_second
+ if: ctx.sysdig?.cspm?.control?.last_update != null && ctx.sysdig.cspm.control.last_update != ''
+ on_failure:
+ - remove:
+ field: sysdig.cspm.control.last_update
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.control.objects_count
+ tag: convert_control_objects_count_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.control.objects_count
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.control.pass
+ tag: convert_control_pass_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.control.pass
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.control.passing_count
+ tag: convert_control_passing_count_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.control.passing_count
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with 
tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.control.remediation_id
+ tag: convert_control_remediation_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: sysdig.cspm.control.supported_distributions
+ tag: foreach_control_supported_distributions
+ if: ctx.sysdig?.cspm?.control?.supported_distributions instanceof List
+ processor:
+ convert:
+ field: _ingest._value.max_version
+ tag: covert_max_version_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: sysdig.cspm.control.supported_distributions
+ tag: foreach_control_supported_distributions
+ if: ctx.sysdig?.cspm?.control?.supported_distributions instanceof List
+ processor:
+ convert:
+ field: _ingest._value.min_version
+ tag: covert_min_version_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: sysdig.cspm.control.type
+ tag: convert_control_type_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.control.type
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.failed_controls
+ tag: convert_failed_controls_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.failed_controls
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.high_severity_count
+ tag: convert_high_severity_count_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.high_severity_count
+ - append:
+ 
field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.low_severity_count
+ tag: convert_low_severity_count_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.low_severity_count
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.medium_severity_count
+ tag: convert_medium_severity_count_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.medium_severity_count
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.pass
+ tag: convert_pass_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.pass
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.passing_count
+ tag: convert_passing_count_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: sysdig.cspm.passing_count
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: sysdig.cspm.policy_id
+ 
tag: convert_policy_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: sysdig.cspm.requirement_id
+ tag: convert_requirement_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: sysdig.cspm.zone.id
+ tag: convert_zone_id_to_string
+ type: string
+ ignore_missing: true
+
+ # populate ECS fields
+ - set:
+ field: message
+ tag: set_message_from_cspm_name
+ copy_from: sysdig.cspm.name
+ ignore_empty_value: true
+
+ # event.*
+ - set:
+ field: event.kind
+ tag: set_event_kind
+ value: event
+ - append:
+ field: event.type
+ tag: append_info_into_event_type
+ value: info
+ - script:
+ description: Set event severity based on severity.
+ if: ctx.sysdig?.cspm?.severity != null
+ lang: painless
+ params:
+ low: 21
+ medium: 47
+ high: 73
+ source: |-
+ ctx.event = ctx.event ?: [:];
+ ctx.event.severity = params.get(ctx.sysdig.cspm.severity.toLowerCase());
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.outcome
+ tag: set_event_outcome_to_success
+ value: success
+ if: ctx.sysdig?.cspm?.pass == true
+ - set:
+ field: event.outcome
+ tag: set_event_outcome_to_failure
+ value: failure
+ if: ctx.sysdig?.cspm?.pass == false
+ - set:
+ field: event.outcome
+ tag: set_event_outcome_to_unknown
+ value: unknown
+ if: ctx.event?.outcome == null
+
+ # observer.*
+ - set:
+ field: observer.vendor
+ tag: set_observer_vendor
+ value: Sysdig
+ - set:
+ field: observer.product
+ tag: set_observer_product
+ value: Sysdig Secure
+
+ # rule.*
+ - set:
+ field: rule.id
+ tag: set_rule_id_from_cspm_policy_id
+ copy_from: sysdig.cspm.policy_id
+ ignore_empty_value: true
+ - set:
+ field: rule.name
+ tag: set_rule_name_from_cspm_policy_name
+ copy_from: sysdig.cspm.policy_name
+ ignore_empty_value: true
+
+ - remove:
+ 
field:
+ - sysdig.cspm.name
+ - sysdig.cspm.policy_id
+ - sysdig.cspm.policy_name
+ tag: remove_custom_duplicate_fields
+ ignore_missing: true
+ if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
+ - remove:
+ field: json
+ tag: remove_json
+ ignore_missing: true
+ - script:
+ tag: script_to_drop_null_values
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |-
+ void handleMap(Map map) {
+ map.values().removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)
+ });
+ }
+ void handleList(List list) {
+ list.removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)
+ });
+ }
+ handleMap(ctx);
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_into_event_kind
+ value: pipeline_error
+ if: ctx.error?.message != null
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
diff --git a/packages/sysdig/data_stream/cspm/fields/base-fields.yml b/packages/sysdig/data_stream/cspm/fields/base-fields.yml
new file mode 100644
index 00000000000..5e2d259333f
--- /dev/null
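Review bot: `event.outcome` and `event.severity` are taken from the requirement-level `sysdig.cspm.pass` and `sysdig.cspm.severity`, but every document carries exactly one `sysdig.cspm.control` (the CEL program emits one event per control), so a control that passes inherits `failure` from its parent requirement — the expected output in this change has a control with `pass: true`, `severity: Low` ending up as `event.outcome: failure`, `event.severity: 73`. If the document is meant to represent the control result, the two outcome setters should test `ctx.sysdig?.cspm?.control?.pass` and the severity script should read `ctx.sysdig.cspm.control.severity`; if it is meant to represent the requirement, state that in the pipeline `description` so detection rules keyed on `event.outcome` are not misread. Minor: both `foreach` processors use the tag `foreach_control_supported_distributions`, so an `on_failure` message cannot tell them apart; give the second one `tag: foreach_control_supported_distributions_min_version`.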
+++ b/packages/sysdig/data_stream/cspm/fields/base-fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.type
+ external: ecs
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+- name: event.module
+ type: constant_keyword
+ external: ecs
+ value: sysdig
+- name: event.dataset
+ type: constant_keyword
+ external: ecs
+ value: sysdig.cspm
+- name: "@timestamp"
+ external: ecs
diff --git a/packages/sysdig/data_stream/cspm/fields/beats.yml b/packages/sysdig/data_stream/cspm/fields/beats.yml
new file mode 100644
index 00000000000..4084f1dc7f5
--- /dev/null
+++ b/packages/sysdig/data_stream/cspm/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
diff --git a/packages/sysdig/data_stream/cspm/fields/fields.yml b/packages/sysdig/data_stream/cspm/fields/fields.yml
new file mode 100644
index 00000000000..2f9151f8ea6
--- /dev/null
+++ b/packages/sysdig/data_stream/cspm/fields/fields.yml
@@ -0,0 +1,112 @@
+- name: sysdig
+ type: group
+ fields:
+ - name: cspm
+ type: group
+ fields:
+ - name: accepted_count
+ type: long
+ description: Number of accepted resources.
+ - name: control
+ type: group
+ fields:
+ - name: accepted_count
+ type: long
+ description: Number of accepted resources.
+ - name: authors
+ type: keyword
+ - name: description
+ type: keyword
+ description: Control description.
+ - name: id
+ type: keyword
+ description: Control ID.
+ - name: is_manual
+ type: boolean
+ description: Does control need to be checked manually.
+ - name: last_update
+ type: date
+ - name: name
+ type: keyword
+ description: Control name.
+ - name: objects_count
+ type: long
+ description: Number of failing resources.
+ - name: pass
+ type: boolean
+ description: Is control passing.
+ - name: passing_count
+ type: long
+ - name: platform
+ type: keyword
+ - name: remediation_id
+ type: keyword
+ - name: resource_api_endpoint
+ type: keyword
+ description: API endpoint for listing the evaluated resources for this control.
+ - name: resource_kind
+ type: keyword
+ description: Kind of resource evaluated by the control.
+ - name: severity
+ type: keyword
+ description: Control severity.
+ - name: supported_distributions
+ type: group
+ fields:
+ - name: max_version
+ type: keyword
+ description: Distribution max version.
+ - name: min_version
+ type: keyword
+ description: Distribution min version.
+ - name: name
+ type: keyword
+ description: Distribution name.
+ - name: target
+ type: keyword
+ - name: type
+ type: long
+ - name: description
+ type: keyword
+ description: Requirement description.
+ - name: failed_controls
+ type: long
+ description: Number of failing controls.
+ - name: high_severity_count
+ type: long
+ description: Number of failing resources for high-severity controls.
+ - name: low_severity_count
+ type: long
+ description: Number of failing resources for low-severity controls.
+ - name: medium_severity_count
+ type: long
+ description: Number of failing resources for medium-severity controls.
+ - name: name
+ type: match_only_text
+ description: Requirement name.
+ - name: pass
+ type: boolean
+ description: Is requirement passing.
+ - name: passing_count
+ type: long
+ - name: policy_id
+ type: keyword
+ description: Policy ID.
+ - name: policy_name
+ type: keyword
+ description: Policy name.
+ - name: requirement_id
+ type: keyword
+ description: Requirement ID.
+ - name: severity
+ type: keyword
+ description: Highest control severity.
+ - name: zone
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: Zone ID.
+ - name: name
+ type: keyword
+ description: Zone name.
diff --git a/packages/sysdig/data_stream/cspm/manifest.yml b/packages/sysdig/data_stream/cspm/manifest.yml
new file mode 100644
index 00000000000..90c6ec655b6
--- /dev/null
+++ b/packages/sysdig/data_stream/cspm/manifest.yml
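Review bot: Eight of the new field definitions carry no `description` (`sysdig.cspm.control.authors`, `control.last_update`, `control.passing_count`, `control.platform`, `control.remediation_id`, `control.target`, `control.type` and `sysdig.cspm.passing_count`), and the gap is carried straight into the generated exported-fields table in docs/README.md, where those rows have an empty description cell. `control.type` needs text most, since the sample event only shows a bare numeric `8`; something like `description: Numeric control type code as reported by Sysdig.`, with the known values if the Sysdig API documents them, would let an analyst interpret it. `sysdig.cspm.description` and `sysdig.cspm.control.description` are mapped as `keyword` although the sample event shows a multi-sentence paragraph, while `sysdig.cspm.name` already uses `match_only_text`; if the package's default keyword `ignore_above` applies to these, longer descriptions would be silently left unindexed, so `match_only_text` looks like the safer type for those two.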
@@ -0,0 +1,86 @@
+title: CSPM Compliance Results
+type: logs
+streams:
+ - input: cel
+ title: CSPM Compliance Results
+ description: Collecting CSPM compliance results via API.
+ template_path: cel.yml.hbs
+ enabled: false
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Sysdig API. Supported units for this parameter are h/m/s.
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: batch_size
+ type: integer
+ title: Batch Size
+ multi: false
+ required: true
+ show_user: false
+ description: Batch size for the response of the Sysdig API.
+ default: 50
+ - name: max_executions
+ type: integer
+ title: Maximum Pages Per Interval
+ description: Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval.
+ multi: false
+ required: false
+ show_user: false
+ default: 1000
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 120s
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ default: false
+ description: >-
+ The request tracer logs requests and responses to the agent's local file-system for debugging configurations.
+ Enabling this request tracing compromises security and should only be used for debugging. Disabling the request
+ tracer will delete any stored traces.
+ See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable)
+ for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - sysdig-cspm
+ - name: preserve_original_event
+ required: false
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: false
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve sysdig.cspm fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
diff --git a/packages/sysdig/data_stream/cspm/sample_event.json b/packages/sysdig/data_stream/cspm/sample_event.json
new file mode 100644
index 00000000000..99eadf3ad3c
--- /dev/null
+++ b/packages/sysdig/data_stream/cspm/sample_event.json
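Review bot: `preserve_duplicate_custom_fields` is the only boolean var in this stream without a `default`, whereas `preserve_original_event` and `enable_request_tracer` both declare `default: false`; adding `default: false` after its `multi: false` keeps the three consistent and makes the intended behaviour explicit in the policy editor. The ingest pipeline's remove processor is gated on a `preserve_duplicate_custom_fields` tag, so an unset var presumably just leaves the tag absent and the duplicate fields are removed, but that inference depends on cel.yml.hbs, which is not in this diff. The `enable_request_tracer` description already says traces are written to the agent's local filesystem; since the traced requests to the Sysdig API would carry the API token header unless the tracer redacts it, it is worth confirming that and, if it does not, stating it in the description so operators know what the trace files contain.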
@@ -0,0 +1,95 @@ +{ + "@timestamp": "2025-08-12T09:58:09.947Z", + "agent": { + "ephemeral_id": "f18befa1-0f74-40b4-bd7f-c93d017adbf8", + "id": "c8b0424f-06be-4430-8217-b26e28f1be36", + "name": "elastic-agent-85044", + "type": "filebeat", + "version": "8.16.0" + }, + "data_stream": { + "dataset": "sysdig.cspm", + "namespace": "30853", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "c8b0424f-06be-4430-8217-b26e28f1be36", + "snapshot": false, + "version": "8.16.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "sysdig.cspm", + "ingested": "2025-08-12T09:58:12Z", + "kind": "event", + "original": "{\"acceptedCount\":0,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"Ensure that your Amazon Lambda environment variables are using customer-managed Customer Master Keys (CMKs) instead of AWS managed-keys (i.e. default keys used when there are no customer keys defined) in order to benefit from a more granular control over the data encryption and decryption process. 
The environment variables defined for your Amazon Lambda functions are key-value pairs that are used to store configuration settings without the need to change function code.\",\"id\":\"21344\",\"isManual\":false,\"lastUpdate\":\"1752149383\",\"name\":\"Lambda - Enable Encryption at Rest for Environment Variables using Customer Master Keys\",\"objectsCount\":2879,\"pass\":false,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"21344\",\"resourceApiEndpoint\":\"/api/cspm/v1/cloud/resources?controlId=21344\\u0026providerType=AWS\\u0026resourceKind=AWS_LAMBDA_FUNCTION\\u0026filter=policyId=52 and zones.id=119\",\"resourceKind\":\"AWS_LAMBDA_FUNCTION\",\"severity\":\"High\",\"supportedDistributions\":[{\"maxVersion\":0,\"minVersion\":0,\"name\":\"AWS\"}],\"target\":\"AWS\",\"type\":8},\"description\":\"All Amazon Web Services Controls.\",\"failedControls\":136,\"highSeverityCount\":3147,\"lowSeverityCount\":2926,\"mediumSeverityCount\":20805,\"name\":\"AWS Controls\",\"pass\":false,\"passingCount\":23735,\"policyId\":\"52\",\"policyName\":\"All Posture Findings\",\"requirementId\":\"637489\",\"severity\":\"High\",\"zone\":{\"id\":\"119\",\"name\":\"Entire Infrastructure\"}}", + "outcome": "failure", + "severity": 73, + "type": [ + "info" + ] + }, + "input": { + "type": "cel" + }, + "message": "AWS Controls", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "52", + "name": "All Posture Findings" + }, + "sysdig": { + "cspm": { + "accepted_count": 0, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "Ensure that your Amazon Lambda environment variables are using customer-managed Customer Master Keys (CMKs) instead of AWS managed-keys (i.e. default keys used when there are no customer keys defined) in order to benefit from a more granular control over the data encryption and decryption process. 
The environment variables defined for your Amazon Lambda functions are key-value pairs that are used to store configuration settings without the need to change function code.", + "id": "21344", + "is_manual": false, + "last_update": "2025-07-10T12:09:43.000Z", + "name": "Lambda - Enable Encryption at Rest for Environment Variables using Customer Master Keys", + "objects_count": 2879, + "pass": false, + "passing_count": 0, + "remediation_id": "21344", + "resource_api_endpoint": "/api/cspm/v1/cloud/resources?controlId=21344&providerType=AWS&resourceKind=AWS_LAMBDA_FUNCTION&filter=policyId=52 and zones.id=119", + "resource_kind": "AWS_LAMBDA_FUNCTION", + "severity": "High", + "supported_distributions": [ + { + "max_version": "0", + "min_version": "0", + "name": "AWS" + } + ], + "target": "AWS", + "type": 8 + }, + "description": "All Amazon Web Services Controls.", + "failed_controls": 136, + "high_severity_count": 3147, + "low_severity_count": 2926, + "medium_severity_count": 20805, + "pass": false, + "passing_count": 23735, + "requirement_id": "637489", + "severity": "High", + "zone": { + "id": "119", + "name": "Entire Infrastructure" + } + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "sysdig-cspm" + ] +} diff --git a/packages/sysdig/docs/README.md b/packages/sysdig/docs/README.md index b9884c83405..25b7cfb4e41 100644 --- a/packages/sysdig/docs/README.md +++ b/packages/sysdig/docs/README.md 
@@ -2,12 +2,14 @@ This integration allows for the shipping of [Sysdig](https://sysdig.com/) logs to Elastic for security, observability and organizational awareness. Logs can then be analyzed by using either the dashboard included with the integration or via the creation of custom dashboards within Kibana. ## Data Streams -The Sysdig integration collects two type of logs: +The Sysdig integration collects three types of logs: **Alerts** The Alerts data stream collected by the Sysdig integration is comprised of Sysdig Alerts. See more details about Sysdig Alerts in [Sysdig's Alerts Documentation](https://docs.sysdig.com/en/docs/sysdig-monitor/alerts/). A complete list of potential fields used by this integration can be found in the [Logs reference](#logs-reference) **Event** The event data stream collected through the Sysdig integration consists of Sysdig Security Events. See more details about Security Events in [Sysdig's Events Feed Documentation](https://docs.sysdig.com/en/docs/sysdig-secure/threats/activity/events-feed/). +**CSPM** The CSPM data stream collected through the Sysdig integration consists of Sysdig compliance results. See more details about compliance results in [Sysdig's Compliance documentation](https://docs.sysdig.com/en/sysdig-secure/compliance/). + ## Requirements ### Agent-based installation @@ -28,7 +30,7 @@ The HTTP input allows the Elastic Agent to receive Sysdig Alerts via HTTP webhoo **Required:** To configure Sysdig to output JSON, you must set up as webhook notification channel as outlined in the [Sysdig Documentation](https://docs.sysdig.com/en/docs/administration/administration-settings/outbound-integrations/notifications-management/set-up-notification-channels/configure-a-webhook-channel/). -### To collect data from the Sysdig Next Gen API: +### To collect data from the Sysdig API: - Retrieve the API Token by following [Sysdig's API Token Guide](https://docs.sysdig.com/en/retrieve-the-sysdig-api-token). 
@@ -751,3 +753,158 @@ An example event for `event` looks as following: | sysdig.event.source_details.type | The type of component that generated the raw event. Possible values are cloud, git, iam, kubernetes, workload. | keyword | | sysdig.event.timestamp | The event timestamp in nanoseconds. | date | + +### CSPM + +This is the `CSPM` dataset. + +#### Example + +An example event for `cspm` looks as following: + +```json +{ + "@timestamp": "2025-08-12T09:58:09.947Z", + "agent": { + "ephemeral_id": "f18befa1-0f74-40b4-bd7f-c93d017adbf8", + "id": "c8b0424f-06be-4430-8217-b26e28f1be36", + "name": "elastic-agent-85044", + "type": "filebeat", + "version": "8.16.0" + }, + "data_stream": { + "dataset": "sysdig.cspm", + "namespace": "30853", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "c8b0424f-06be-4430-8217-b26e28f1be36", + "snapshot": false, + "version": "8.16.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "sysdig.cspm", + "ingested": "2025-08-12T09:58:12Z", + "kind": "event", + "original": "{\"acceptedCount\":0,\"control\":{\"acceptedCount\":0,\"authors\":\"Sysdig\",\"description\":\"Ensure that your Amazon Lambda environment variables are using customer-managed Customer Master Keys (CMKs) instead of AWS managed-keys (i.e. default keys used when there are no customer keys defined) in order to benefit from a more granular control over the data encryption and decryption process. 
The environment variables defined for your Amazon Lambda functions are key-value pairs that are used to store configuration settings without the need to change function code.\",\"id\":\"21344\",\"isManual\":false,\"lastUpdate\":\"1752149383\",\"name\":\"Lambda - Enable Encryption at Rest for Environment Variables using Customer Master Keys\",\"objectsCount\":2879,\"pass\":false,\"passingCount\":0,\"platform\":\"\",\"remediationId\":\"21344\",\"resourceApiEndpoint\":\"/api/cspm/v1/cloud/resources?controlId=21344\\u0026providerType=AWS\\u0026resourceKind=AWS_LAMBDA_FUNCTION\\u0026filter=policyId=52 and zones.id=119\",\"resourceKind\":\"AWS_LAMBDA_FUNCTION\",\"severity\":\"High\",\"supportedDistributions\":[{\"maxVersion\":0,\"minVersion\":0,\"name\":\"AWS\"}],\"target\":\"AWS\",\"type\":8},\"description\":\"All Amazon Web Services Controls.\",\"failedControls\":136,\"highSeverityCount\":3147,\"lowSeverityCount\":2926,\"mediumSeverityCount\":20805,\"name\":\"AWS Controls\",\"pass\":false,\"passingCount\":23735,\"policyId\":\"52\",\"policyName\":\"All Posture Findings\",\"requirementId\":\"637489\",\"severity\":\"High\",\"zone\":{\"id\":\"119\",\"name\":\"Entire Infrastructure\"}}", + "outcome": "failure", + "severity": 73, + "type": [ + "info" + ] + }, + "input": { + "type": "cel" + }, + "message": "AWS Controls", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "rule": { + "id": "52", + "name": "All Posture Findings" + }, + "sysdig": { + "cspm": { + "accepted_count": 0, + "control": { + "accepted_count": 0, + "authors": "Sysdig", + "description": "Ensure that your Amazon Lambda environment variables are using customer-managed Customer Master Keys (CMKs) instead of AWS managed-keys (i.e. default keys used when there are no customer keys defined) in order to benefit from a more granular control over the data encryption and decryption process. 
The environment variables defined for your Amazon Lambda functions are key-value pairs that are used to store configuration settings without the need to change function code.", + "id": "21344", + "is_manual": false, + "last_update": "2025-07-10T12:09:43.000Z", + "name": "Lambda - Enable Encryption at Rest for Environment Variables using Customer Master Keys", + "objects_count": 2879, + "pass": false, + "passing_count": 0, + "remediation_id": "21344", + "resource_api_endpoint": "/api/cspm/v1/cloud/resources?controlId=21344&providerType=AWS&resourceKind=AWS_LAMBDA_FUNCTION&filter=policyId=52 and zones.id=119", + "resource_kind": "AWS_LAMBDA_FUNCTION", + "severity": "High", + "supported_distributions": [ + { + "max_version": "0", + "min_version": "0", + "name": "AWS" + } + ], + "target": "AWS", + "type": 8 + }, + "description": "All Amazon Web Services Controls.", + "failed_controls": 136, + "high_severity_count": 3147, + "low_severity_count": 2926, + "medium_severity_count": 20805, + "pass": false, + "passing_count": 23735, + "requirement_id": "637489", + "severity": "High", + "zone": { + "id": "119", + "name": "Entire Infrastructure" + } + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "sysdig-cspm" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. 
`event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| sysdig.cspm.accepted_count | Number of accepted resources. | long | +| sysdig.cspm.control.accepted_count | Number of accepted resources. | long | +| sysdig.cspm.control.authors | | keyword | +| sysdig.cspm.control.description | Control description. | keyword | +| sysdig.cspm.control.id | Control ID. 
| keyword | +| sysdig.cspm.control.is_manual | Does control need to be checked manually. | boolean | +| sysdig.cspm.control.last_update | | date | +| sysdig.cspm.control.name | Control name. | keyword | +| sysdig.cspm.control.objects_count | Number of failing resources. | long | +| sysdig.cspm.control.pass | Is control passing. | boolean | +| sysdig.cspm.control.passing_count | | long | +| sysdig.cspm.control.platform | | keyword | +| sysdig.cspm.control.remediation_id | | keyword | +| sysdig.cspm.control.resource_api_endpoint | API endpoint for listing the evaluated resources for this control. | keyword | +| sysdig.cspm.control.resource_kind | Kind of resource evaluated by the control. | keyword | +| sysdig.cspm.control.severity | Control severity. | keyword | +| sysdig.cspm.control.supported_distributions.max_version | Distribution max version. | keyword | +| sysdig.cspm.control.supported_distributions.min_version | Distribution min version. | keyword | +| sysdig.cspm.control.supported_distributions.name | Distribution name. | keyword | +| sysdig.cspm.control.target | | keyword | +| sysdig.cspm.control.type | | long | +| sysdig.cspm.description | Requirement description. | keyword | +| sysdig.cspm.failed_controls | Number of failing controls. | long | +| sysdig.cspm.high_severity_count | Number of failing resources for high-severity controls. | long | +| sysdig.cspm.low_severity_count | Number of failing resources for low-severity controls. | long | +| sysdig.cspm.medium_severity_count | Number of failing resources for medium-severity controls. | long | +| sysdig.cspm.name | Requirement name. | match_only_text | +| sysdig.cspm.pass | Is requirement passing. | boolean | +| sysdig.cspm.passing_count | | long | +| sysdig.cspm.policy_id | Policy ID. | keyword | +| sysdig.cspm.policy_name | Policy name. | keyword | +| sysdig.cspm.requirement_id | Requirement ID. | keyword | +| sysdig.cspm.severity | Highest control severity. 
| keyword |
+| sysdig.cspm.zone.id | Zone ID. | keyword |
+| sysdig.cspm.zone.name | Zone name. | keyword |
+
diff --git a/packages/sysdig/manifest.yml b/packages/sysdig/manifest.yml
index fc1e83d43e8..aa814d2ad3f 100644
--- a/packages/sysdig/manifest.yml
+++ b/packages/sysdig/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.4.0
 name: sysdig
 title: "Sysdig"
-version: "2.0.0"
+version: "2.1.0"
 description: "Collect logs from Sysdig using Elastic Agent."
 type: integration
 categories: