drop Elastic ECS JSON export · parse normalized event schema · runs locally
ECS fields · @timestamp · local export only
heuristic screener · vendor schema varies · not definitive proof