Improve user mappings

Author: marc-gr

packages/system/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.5.0"
+  changes:
+    - description: Better user mappings for security events
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1944
 - version: "1.4.2"
   changes:
     - description: Prevent pipeline script error

packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json

@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:04.767568644Z",
+                "ingested": "2021-10-19T11:55:16.331823600Z",
                 "code": "4746",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testdistlocal1",
                         "domain": "TEST",

packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json

@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:04.888936317Z",
+                "ingested": "2021-10-19T11:55:16.621125Z",
                 "code": "4747",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testdistlocal1",
                         "domain": "TEST",

packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json

@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:05.313669028Z",
+                "ingested": "2021-10-19T11:55:17.565769200Z",
                 "code": "4751",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testglobal1",
                         "domain": "TEST",

packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json

@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:05.414207722Z",
+                "ingested": "2021-10-19T11:55:17.906691Z",
                 "code": "4752",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testglobal1",
                         "domain": "TEST",

packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json

@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:05.791134249Z",
+                "ingested": "2021-10-19T11:55:18.871413700Z",
                 "code": "4761",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testuni2",
                         "domain": "TEST",

packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json

@@ -64,7 +64,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:05.889044291Z",
+                "ingested": "2021-10-19T11:55:19.143941900Z",
                 "code": "4762",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -84,6 +84,7 @@
                 "domain": "TEST",
                 "target": {
                     "name": "Administrator",
+                    "domain": "SAAS",
                     "group": {
                         "name": "testuni2",
                         "domain": "TEST",

packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json

@@ -77,7 +77,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:06.837533884Z",
+                "ingested": "2021-10-19T11:55:21.246497500Z",
                 "code": "4768",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -92,7 +92,8 @@
             },
             "user": {
                 "name": "at_adm",
-                "domain": "TEST.SAAS"
+                "domain": "TEST.SAAS",
+                "id": "S-1-5-21-1717121054-434620538-60925301-2794"
             }
         }
     ]

packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json

@@ -73,7 +73,7 @@
                 "name": "DC_TEST2k12.TEST.SAAS"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:07.159369727Z",
+                "ingested": "2021-10-19T11:55:22.001023400Z",
                 "code": "4771",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -87,7 +87,8 @@
                 "outcome": "failure"
             },
             "user": {
-                "name": "MPUIG"
+                "name": "MPUIG",
+                "id": "S-1-5-21-1717121054-434620538-60925301-3057"
             }
         }
     ]

packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json

@@ -62,7 +62,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:09.468417917Z",
+                "ingested": "2021-10-19T11:55:27.016591Z",
                 "code": "4722",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -78,8 +78,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "audittest",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-1000"
+                }
             }
         },
         {
@@ -144,7 +149,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:09.468420621Z",
+                "ingested": "2021-10-19T11:55:27.016600700Z",
                 "code": "4722",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -160,8 +165,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "audittest0609",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-1006"
+                }
             }
         }
     ]

packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json

@@ -62,7 +62,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:09.676454372Z",
+                "ingested": "2021-10-19T11:55:27.450128800Z",
                 "code": "4723",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -78,8 +78,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "Administrator",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                }
             }
         },
         {
@@ -144,7 +149,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:09.676457128Z",
+                "ingested": "2021-10-19T11:55:27.450137Z",
                 "code": "4723",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -160,8 +165,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "Administrator",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                }
             }
         }
     ]

packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json

@@ -62,7 +62,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:09.855345755Z",
+                "ingested": "2021-10-19T11:55:27.912761300Z",
                 "code": "4724",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -78,8 +78,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "elastictest1",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-1005"
+                }
             }
         },
         {
@@ -144,7 +149,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:09.855372883Z",
+                "ingested": "2021-10-19T11:55:27.912770100Z",
                 "code": "4724",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -160,8 +165,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "audittest0609",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-1006"
+                }
             }
         }
     ]

packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json

@@ -62,7 +62,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:10.021979420Z",
+                "ingested": "2021-10-19T11:55:28.349650400Z",
                 "code": "4725",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -78,8 +78,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "audittest",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-1000"
+                }
             }
         },
         {
@@ -144,7 +149,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:10.021981930Z",
+                "ingested": "2021-10-19T11:55:28.349659100Z",
                 "code": "4725",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -160,8 +165,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "audittest0609",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-1006"
+                }
             }
         }
     ]

packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json

@@ -63,7 +63,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:10.186637182Z",
+                "ingested": "2021-10-19T11:55:28.808472500Z",
                 "code": "4726",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -79,8 +79,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "audittest23",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-1001"
+                }
             }
         },
         {
@@ -146,7 +151,7 @@
                 "name": "WIN-41OB2LO92CR"
             },
             "event": {
-                "ingested": "2021-07-30T21:06:10.186639172Z",
+                "ingested": "2021-10-19T11:55:28.808476700Z",
                 "code": "4726",
                 "provider": "Microsoft-Windows-Security-Auditing",
                 "kind": "event",
@@ -162,8 +167,13 @@
             },
             "user": {
                 "name": "Administrator",
+                "id": "S-1-5-21-101361758-2486510592-3018839910-500",
                 "domain": "WIN-41OB2LO92CR",
-                "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+                "target": {
+                    "name": "audittest",
+                    "domain": "WIN-41OB2LO92CR",
+                    "id": "S-1-5-21-101361758-2486510592-3018839910-1000"
+                }
             }
         }
     ]