elastic
diff --git a/‎packages/system/changelog.yml‎
Lines changed: 5 additions & 0 deletions b/‎packages/system/changelog.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json‎
Lines changed: 2 additions & 1 deletion b/‎packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json‎
Lines changed: 2 additions & 1 deletion b/‎packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json‎
Lines changed: 2 additions & 1 deletion b/‎packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json‎
Lines changed: 2 additions & 1 deletion b/‎packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json‎
Lines changed: 2 additions & 1 deletion b/‎packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json‎
Lines changed: 2 additions & 1 deletion b/‎packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json‎
Lines changed: 3 additions & 2 deletions b/‎packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json‎
Lines changed: 3 additions & 2 deletions b/‎packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json‎
Lines changed: 14 additions & 4 deletions b/‎packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json‎
Lines changed: 14 additions & 4 deletions
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.5.0"
+  changes:
+    - description: Better user mappings for security events
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1944
 - version: "1.4.2"
   changes:
     - description: Prevent pipeline script error
 
@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:04.767568644Z",
+                "ingested": "2021-10-19T11:55:16.331823600Z",
                 "code": "4746",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testdistlocal1",
                         "domain": "TEST",
 
@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:04.888936317Z",
+                "ingested": "2021-10-19T11:55:16.621125Z",
                 "code": "4747",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testdistlocal1",
                         "domain": "TEST",
 
@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:05.313669028Z",
+                "ingested": "2021-10-19T11:55:17.565769200Z",
                 "code": "4751",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testglobal1",
                         "domain": "TEST",
 
@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:05.414207722Z",
+                "ingested": "2021-10-19T11:55:17.906691Z",
                 "code": "4752",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testglobal1",
                         "domain": "TEST",
 
@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:05.791134249Z",
+                "ingested": "2021-10-19T11:55:18.871413700Z",
                 "code": "4761",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testuni2",
                         "domain": "TEST",
 
@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:05.889044291Z",
+                "ingested": "2021-10-19T11:55:19.143941900Z",
                 "code": "4762",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testuni2",
                         "domain": "TEST",
 
@@ -77,7 +77,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:06.837533884Z",
+                "ingested": "2021-10-19T11:55:21.246497500Z",
                 "code": "4768",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -92,7 +92,8 @@
             },
             "user": {
                 "name": "at_adm",
-                "domain": "TEST.SAAS"
+                "domain": "TEST.SAAS",
+                "id": "S-1-5-21-1717121054-434620538-60925301-2794"
             }
         }
     ]
 
@@ -73,7 +73,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:07.159369727Z",
+                "ingested": "2021-10-19T11:55:22.001023400Z",
                 "code": "4771",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -87,7 +87,8 @@
                 "outcome": "failure"
             },
             "user": {
-                "name": "MPUIG"
+                "name": "MPUIG",
+                "id": "S-1-5-21-1717121054-434620538-60925301-3057"
             }
         }
     ]
 
@@ -62,7 +62,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:09.468417917Z",
+                "ingested": "2021-10-19T11:55:27.016591Z",
                 "code": "4722",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -78,8 +78,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "audittest",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-1000"
+                }
             }
         },
         {
@@ -144,7 +149,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:09.468420621Z",
+                "ingested": "2021-10-19T11:55:27.016600700Z",
                 "code": "4722",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -160,8 +165,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "audittest0609",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-1006"
+                }
             }
         }
     ]
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@`
`77`	`77`	`"name": "DC_TEST2k12.TEST.SAAS"`
`78`	`78`	`},`
`79`	`79`	`"event": {`
`80`		`- "ingested": "2021-07-30T21:06:06.837533884Z",`
	`80`	`+ "ingested": "2021-10-19T11:55:21.246497500Z",`
`81`	`81`	`"code": "4768",`
`82`	`82`	`"provider": "Microsoft-Windows-Security-Auditing",`
`83`	`83`	`"kind": "event",`
`@@ -92,7 +92,8 @@`
`92`	`92`	`},`
`93`	`93`	`"user": {`
`94`	`94`	`"name": "at_adm",`
`95`		`- "domain": "TEST.SAAS"`
	`95`	`+ "domain": "TEST.SAAS",`
	`96`	`+ "id": "S-1-5-21-1717121054-434620538-60925301-2794"`
`96`	`97`	`}`
`97`	`98`	`}`
`98`	`99`	`]`
Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@`
`73`	`73`	`"name": "DC_TEST2k12.TEST.SAAS"`
`74`	`74`	`},`
`75`	`75`	`"event": {`
`76`		`- "ingested": "2021-07-30T21:06:07.159369727Z",`
	`76`	`+ "ingested": "2021-10-19T11:55:22.001023400Z",`
`77`	`77`	`"code": "4771",`
`78`	`78`	`"provider": "Microsoft-Windows-Security-Auditing",`
`79`	`79`	`"kind": "event",`
`@@ -87,7 +87,8 @@`
`87`	`87`	`"outcome": "failure"`
`88`	`88`	`},`
`89`	`89`	`"user": {`
`90`		`- "name": "MPUIG"`
	`90`	`+ "name": "MPUIG",`
	`91`	`+ "id": "S-1-5-21-1717121054-434620538-60925301-3057"`
`91`	`92`	`}`
`92`	`93`	`}`
`93`	`94`	`]`