
field collisions with organization.id & elastic maintained integrations #2250

@neu5ron


Description of the issue:
organization.id is a common field that can be used in multi-tenant environments. However, there are multiple Elastic-managed pipelines (o365 audit, Cisco Meraki, Google Workspace, Zscaler, and possibly more) that try to set organization.id and fail if the organization.id already exists. It should be noted in the ECS documentation not to set this field upfront, or the pipelines should be changed. I will create an integrations bug report (which is where those pipelines are maintained).

reference o365audit pipeline
https://github.com/elastic/integrations/blob/b50c74066d3cca005259bcfccd7543b9dc4a107b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml#L73

https://www.elastic.co/guide/en/ecs/current/ecs-organization.html#field-organization-id

Any additional context or examples:
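
As an added illustration of the collision reported above (not code from the issue, its author, or Elastic): a small Python audit over ingest pipeline definitions that lists top-level `rename` and `set` processors writing `organization.id` and reports what happens when a tenant value is already present. It goes slightly beyond the issue by also covering `set`, which overwrites by default rather than failing; the sample pipelines, their names, the `vendor.org_id` source field and the `if`-condition heuristic are assumptions constructed for the example.

```python
import json

FIELD = "organization.id"

# Constructed pipelines in the JSON shape returned by GET _ingest/pipeline.
# Pipeline names and source fields are made up, not taken from any integration.
SAMPLE = json.loads("""{
 "a-rename": {"processors": [{"rename": {"field": "vendor.org_id", "target_field": "organization.id"}}]},
 "b-guarded": {"processors": [{"rename": {"field": "vendor.org_id", "target_field": "organization.id",
     "if": "ctx.organization?.id == null"}}]},
 "c-set": {"processors": [{"set": {"field": "organization.id", "copy_from": "vendor.org_id"}}]},
 "d-unrelated": {"processors": [{"set": {"field": "event.kind", "value": "event"}}]}
}""")


def classify(proc_type, cfg):
    """Classify one processor's effect on a pre-populated organization.id."""
    target = cfg.get("target_field") if proc_type == "rename" else cfg.get("field")
    if proc_type not in ("rename", "set") or target != FIELD:
        return None
    if "organization" in cfg.get("if", ""):  # heuristic: the condition inspects the field
        return "guarded"
    if proc_type == "rename":
        return "errors-if-preset"  # rename raises when target_field already exists
    if cfg.get("override", True) is False:
        return "guarded"  # set with override=false leaves an existing value alone
    return "overwrites-preset"  # set replaces an existing value by default


def audit(pipelines):
    """Return {pipeline: [(index, processor, verdict), ...]} for top-level processors."""
    findings = {}
    for name, body in pipelines.items():
        for i, proc in enumerate(body.get("processors", [])):
            (proc_type, cfg), = proc.items()  # each processor is a one-key object
            verdict = classify(proc_type, cfg)
            if verdict:
                findings.setdefault(name, []).append((i, proc_type, verdict))
    return findings


if __name__ == "__main__":
    for name, hits in audit(SAMPLE).items():
        for i, proc_type, verdict in hits:
            print(f"{name}: processor[{i}] {proc_type} -> {verdict}")
```

Processors nested under `on_failure`, `foreach` or `pipeline` are not walked here, so a clean result only covers the top level of each pipeline.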


Labels: bug (Something isn't working)
