Currently we can collect all provisioning audit logs from Elastic, but we miss the systemID in the document. This field is currently available in the "provisioning-source-import" bucket but love to also have this value in the "provisioning-audit" bucket.
The systemName is present but can change over time, so this could be a problem when grouping incidents, or even lookup incidents for a given system.
There is also a CorrelationID in this document, maybe these identifiers could be stored separately so these are actually usable for us to filter on, like the importID which seems to be in there.