diff --git a/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 0bbe9e8609c7..c10a35aa0c62 100644
--- a/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -31,47 +31,47 @@ processors:
 value: [configuration]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('created') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('created') == true
 value: [creation]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('deleted') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('deleted') == true
 value: [deletion]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('updated') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('updated') == true
 value: [change]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('user') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('user') == true
 value: [user]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('group') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('group') == true
 value: [group]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('allowed') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('allowed') == true
 value: [info]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('denied') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('denied') == true
 value: [denied]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('started') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('started') == true
 value: [start]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('access_allowed') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('access_allowed') == true
 value: [access]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('password.check_succeeded') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('password.check_succeeded') == true
 value: [authentication]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('email') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('email') == true
 value: [email]
 - set:
 field: event.type
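Review bot: The null-safe `?.contains` added on each `if:` line only covers a missing `action.type`; `toLowerCase()` is still invoked on whatever value is there, so a non-string `action.type` (a number or object from a malformed or changed upstream record) would raise a Painless runtime error and fail the whole document unless an `on_failure` handler exists outside this hunk. If that input is realistic, a type guard is cheap and keeps the condition readable: `if: ctx.json?.action?.type instanceof String && ctx.json.action.type.toLowerCase().contains('created')`, applied to all eleven conditions. Separately, the lowercased action type is recomputed in every one of those conditions; a single `set` processor writing it once into a temporary field (for example a `_tmp`-prefixed field removed at the end of the pipeline) ahead of these appends would shorten the conditions and give one place to keep the null and type handling. The `processors:` list continues on both sides of the hunk.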