Servers send security events with WEF and in the Authentication tab I don't find all accesses

Hi all

I'm using Elastic Stack v7.4.0 and I have a single Winlogbeat on the Windows Server that receives, via WEF, all the security events of various other servers.

So I just corrected, with Logstash (which I use to filter all traffic to Elasticsearch), the content of the field host.name with the value of winlog.computer_name.

Now I see all the servers in the Hosts tab, but in Authentication I don't see the accesses. I collect the information from different DCs. What could I do? At the moment I see the user access in the field winlog.event_data.TargetUserName. Could I move the content of the field winlog.event_data.TargetUserName into user.name?

Thank you
Franco
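
The field handling described in the post, written as a Logstash filter (an added example, not part of the original post and not a configuration the poster shared). It assumes the standard `mutate` filter and copies the value instead of moving it, so `winlog.event_data.TargetUserName` stays available for searches that already rely on it.

```logstash
filter {
  # Events forwarded through WEF all arrive from the collector, so the
  # originating machine is taken from winlog.computer_name (the host.name
  # rewrite described in the post).
  if [winlog][computer_name] {
    mutate {
      replace => { "[host][name]" => "%{[winlog][computer_name]}" }
    }
  }

  # Populate user.name from the event data, but only when the event carries
  # a TargetUserName and user.name has not already been set upstream.
  if [winlog][event_data][TargetUserName] and ![user][name] {
    mutate {
      copy => { "[winlog][event_data][TargetUserName]" => "[user][name]" }
    }
  }
}
```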
