
ECS 1.9 user.changes.*, user.effective.*, user.target.*#25754

Closed
janniten wants to merge 3 commits into elastic:master from janniten:ecs_1.9

Conversation

@janniten
Contributor

What does this PR do?

In ECS 1.9 user.changes.*, user.effective.*, and user.target.* were introduced in order to better capture those events in which many users are involved. These fields allow us to model complex user relationships.

See improvements sections in https://github.com/elastic/ecs/releases

Why is it important?

Following the usage described in https://www.elastic.co/guide/en/ecs/current/ecs-user-usage.html, this PR introduces modifications to the winlogbeat security module in order to model the users' relationships in an event.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • In the modified copyTargetUser I could simplify the code by adding only {from: "winlog.event_data.TargetSid", to: "user.id"}, but instead of that I check later for the existence of the field. If it's better to do it in the .Convert, please let me know.

Use cases

The events affected are

| EventID | User field | Comments |
|---|---|---|
| 4648 | user.effective.* | This event captures the semantics of RunAs. Originally user.* was completed with the information from winlog.event_data.TargetUser.*, but according to the documentation user.* is the actual user who is executing the RunAs, so I've changed user.* to be completed from winlog.event_data.SubjectUser, with winlog.event_data.TargetUser.* copied to user.effective.*. From the doc: "Use the user fields at the root to capture who is requesting the privilege change, and user.effective to capture the requested privilege level, whether or not the privilege change was successful." |
| 4688 | user.effective.* | In Windows 10 / Windows Server 2016 some fields (winlog.event_data.TargetUser.*) were added in order to capture when a process is started under a different account. By default, a new process runs under the same account and logon session as the creator process. |
| 4720 | user.target.* | User Management Events: winlog.event_data.TargetUser.* -> user.target.* |
| 4722 | user.target.* | User Management Events: winlog.event_data.TargetUser.* -> user.target.* |
| 4723 | user.target.* | User Management Events: winlog.event_data.TargetUser.* -> user.target.* |
| 4724 | user.target.* | User Management Events: winlog.event_data.TargetUser.* -> user.target.* |
| 4725 | user.target.* | User Management Events: winlog.event_data.TargetUser.* -> user.target.* |
| 4726 | user.target.* | User Management Events: winlog.event_data.TargetUser.* -> user.target.* |
| 4728 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4729 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4732 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4733 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4738 | user.target.* | User Management Events: winlog.event_data.TargetUser.* -> user.target.* |
| 4740 | user.target.* | User Management Events: winlog.event_data.TargetUser.* -> user.target.* |
| 4746 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4747 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4751 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4752 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4756 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4757 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4761 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4762 | user.target.* | Group Management Events: user.target.* is completed with member information |
| 4767 | user.target.* | User Management Events: winlog.event_data.TargetUser.* -> user.target.* |
| 4768 | fix | Fixed targetSid field |
| 4771 | fix | Fixed targetSid field |
| 4781 | user.target.* and user.changes.* | User Management Events: winlog.event_data.OldTargetUser.* -> user.target.* and winlog.event_data.NewTargetUser.* |
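
The mapping in the table above, run over a few constructed Windows Security events, as an added example: this is not code from the PR nor the winlogbeat security module's own JavaScript pipeline. The root user.* is always filled from the Subject fields; the nested set depends on the event ID in the way the table describes, and a nested set is left unset when none of its source fields exist (the existence check the author mentions for TargetSid, generalised to the whole triple). Which SID field name each event carries (TargetUserSid for 4648/4688, TargetSid for account management, MemberSid for group membership) is an assumption encoded in sidOf(), and the sample events are constructed, not captured from a host.

```javascript
// Added example, not the winlogbeat security module's pipeline code. Applies
// the ECS 1.9 user relationship mapping from the PR table to constructed
// events keyed on winlog.event_data.* field names. The SID field spellings
// accepted in sidOf() are an assumption.

const RUNAS_EVENTS = new Set([4648]);
const PROCESS_CREATE_EVENTS = new Set([4688]);
const USER_MGMT_EVENTS = new Set([4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767]);
const GROUP_MGMT_EVENTS = new Set([4728, 4729, 4732, 4733, 4746, 4747, 4751, 4752, 4756, 4757, 4761, 4762]);
const RENAME_EVENTS = new Set([4781]);

// Logon/process events name the SID <prefix>UserSid; account and group
// management events name it <prefix>Sid. Accept either spelling (assumption).
function sidOf(data, prefix) {
  return data[prefix + 'UserSid'] !== undefined ? data[prefix + 'UserSid'] : data[prefix + 'Sid'];
}

// Build an ECS user object {id, name, domain} from the fields under one
// prefix. Returns null when none of them exist, so the caller leaves the
// nested user set unset instead of emitting an empty object.
function userFromPrefix(data, prefix, nameField) {
  const user = {};
  const id = sidOf(data, prefix);
  if (id !== undefined) user.id = id;
  const name = data[nameField || prefix + 'UserName'];
  if (name !== undefined) user.name = name;
  const domain = data[prefix + 'DomainName'];
  if (domain !== undefined) user.domain = domain;
  return Object.keys(user).length > 0 ? user : null;
}

// Map one event to the ECS user.* field set. The root user.* is always the
// Subject (the account that performed the action); the nested sets express
// the relationship the event ID implies. Winlogbeat stores winlog.event_id
// as a string, so it is coerced to a number before the lookups.
function mapUserFields(event) {
  const id = Number(event.winlog.event_id);
  const data = event.winlog.event_data;
  const user = userFromPrefix(data, 'Subject') || {};

  if (RUNAS_EVENTS.has(id) || PROCESS_CREATE_EVENTS.has(id)) {
    // RunAs, or a process started under another account: TargetUser.* ->
    // user.effective.*. A 4688 without TargetUser.* fields (process running
    // as its creator) gets no user.effective.* at all.
    const effective = userFromPrefix(data, 'Target');
    if (effective) user.effective = effective;
  } else if (USER_MGMT_EVENTS.has(id)) {
    // Account management: the account being managed -> user.target.*
    const target = userFromPrefix(data, 'Target');
    if (target) user.target = target;
  } else if (GROUP_MGMT_EVENTS.has(id)) {
    // Group membership change: the member added/removed -> user.target.*
    // (MemberName is a DN and is kept verbatim).
    const member = userFromPrefix(data, 'Member', 'MemberName');
    if (member) user.target = member;
  } else if (RENAME_EVENTS.has(id)) {
    // Account rename: old name -> user.target.*, new name -> user.changes.*
    const target = userFromPrefix(data, 'Target', 'OldTargetUserName');
    if (target) user.target = target;
    if (data.NewTargetUserName !== undefined) user.changes = { name: data.NewTargetUserName };
  }
  return user;
}

// Constructed sample events (not captured from a real host).
const SUBJECT = { SubjectUserSid: 'S-1-5-21-1-2-3-1001', SubjectUserName: 'alice', SubjectDomainName: 'CORP' };
const SAMPLES = {
  runAs4648: { winlog: { event_id: '4648', event_data: Object.assign({}, SUBJECT,
    { TargetUserName: 'svc_backup', TargetDomainName: 'CORP' }) } },
  processOld4688: { winlog: { event_id: '4688', event_data: Object.assign({}, SUBJECT,
    { NewProcessName: 'C:\\Windows\\System32\\cmd.exe' }) } },
  processNew4688: { winlog: { event_id: '4688', event_data: Object.assign({}, SUBJECT,
    { NewProcessName: 'C:\\Windows\\System32\\cmd.exe', TargetUserSid: 'S-1-5-21-1-2-3-1002',
      TargetUserName: 'svc_deploy', TargetDomainName: 'CORP' }) } },
  userCreated4720: { winlog: { event_id: '4720', event_data: Object.assign({}, SUBJECT,
    { TargetSid: 'S-1-5-21-1-2-3-1103', TargetUserName: 'newuser', TargetDomainName: 'CORP' }) } },
  memberAdded4728: { winlog: { event_id: '4728', event_data: Object.assign({}, SUBJECT,
    { MemberName: 'CN=Carol,CN=Users,DC=corp,DC=local', MemberSid: 'S-1-5-21-1-2-3-1104',
      TargetUserName: 'Domain Admins', TargetDomainName: 'CORP', TargetSid: 'S-1-5-21-1-2-3-512' }) } },
  renamed4781: { winlog: { event_id: '4781', event_data: Object.assign({}, SUBJECT,
    { OldTargetUserName: 'carol', NewTargetUserName: 'carol.smith',
      TargetSid: 'S-1-5-21-1-2-3-1104', TargetDomainName: 'CORP' }) } },
};

for (const [label, event] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(mapUserFields(event)));
}
```

Note that for 4648 the effective user has a name and domain but no id, because that event carries no SID for the account whose credentials were used; a mapping that required the SID would silently drop user.effective.* for every RunAs. For the group events the group itself (TargetUserName/TargetSid) is deliberately not mapped into user.target.*, matching the table's "completed with member information".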

@janniten janniten requested a review from a team as a code owner May 18, 2021 07:16
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 18, 2021
@mergify
Contributor

mergify bot commented May 18, 2021

This pull request now has conflicts. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b ecs_1.9 upstream/ecs_1.9
git merge upstream/master
git push upstream ecs_1.9

@janniten janniten changed the title ECS 1.9 user.changes.\*, user.effective.\*, user.target\.* ECS 1.9 user.changes.*, user.effective.*, user.target.* May 18, 2021
@botelastic

botelastic bot commented Jun 17, 2021

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jun 17, 2021
@janniten
Contributor Author

ECS 1.9 new fields in order to capture n-ary user relationships

@elasticmachine
Contributor

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 24, 2021
@jsoriano
Member

@janniten thanks for this PR! there are some merge conflicts, could you please take a look?

cc @elastic/security-external-integrations

@janniten
Contributor Author

janniten commented Jun 27, 2021

@jsoriano I don't know what had happened with my code... something really strange.
I know that it is not desirable to close a PR and open a new one, but I think in this case it is safer.
So, I'll close this PR, open a new one and put the code related to ECS 1.9.
#26509

