windows: make pipeline routing robust to channel letter case

[efd6]

Proposed commit message

Apparently some events from Windows servers and workstations in Security channel have a lowercase channel name. This has not been observed in other channels, but defensively apply the same care there.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• For [Winlogbeat] Lowercase Security channel name  beats#36670

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-10-22T21:37:42.383+0000

• Duration: 18 min 15 sec

Test stats 🧪

Test	Results
Failed	0
Passed	150
Skipped	0
Total	150

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (8/8)	💚
Files	91.667% (11/12)	👎 -3.901
Classes	91.667% (11/12)	👎 -3.901
Methods	85.156% (109/128)	👎 -6.194
Lines	91.55% (5840/6379)	👍 4.248
Conditionals	100.0% (0/0)	💚

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

[andrewkroh]

This looks good to me.

But this has me thinking that we should be routing based exclusively on the provider name instead of the channel. The channel names may be customized in the case of forwarded events. Sometimes users will setup their WEC with custom channels so you might have something named "WEC-Security" that holds the data produced by Microsoft-Windows-Security-Auditing. WDYT?

[efd6]

That seem reasonable. Here or later?

[andrewkroh]

Later. That will give me time to write up an issue tomorrow and think through some use cases relating to WEC. The goal is to make sure that WEC users can get the same behavior as if they had directly collected the logs from a host using Agent. So checking that we consistently apply event.{dataset,module} so that rules, queries, and dashboards work the same with WEC. Make sure that this forwarded dataset has a configurable channel name. And probably more after I think this through.

[elasticmachine]

Package windows - 1.40.0 containing this change is available at https://epr.elastic.co/search?package=windows