So far, what I've done is dump the schema for the Windows Security event log using this: (get-winevent -listprovider microsoft-windows-security-auditing).events. Then, I parsed the XML results into columns of field name, input data type and output data type (e.g. SubjectUserName, win:UnicodeString, xs:String), and did the equivalent of a "sort | uniq -c | sort" to determine which were the most common (and probably the most important to get right).
I used the output datatypes to make assumptions about how to map each field, and when encountering multiples of the same field, determine which should be multi-fields.
Then I went through each and identified field names that should map to current ECS top-level fields. For example, what Winlogbeat would currently call "event_data.ProcessName," "event_data.LogonProcessName," and "event_data.NewProcessName" should probably all renamed to process.name. Some of these are fully qualified paths and others are just the process name, so these should probably be both text and keyword fields.
I tried to reference example logs and reference the 'common names' of the nicely formatted non-XML version of the event log everyone is more familiar with when making an assumption about how and when to map fields to ECS.
Last, I don' t know if it's necessary, but I converted the Windows field names to all-lowercase, underscore-separated field names that are more consistent with how fields are named in ECS. So, TargetLinkedLogonId can be renamed to target_linked_logon_id. Again, may not be worth the overhead to convert these, but it's there.
Currently I have a spreadsheet with all 600+ fields mapped this way and the plan is to write a script to generate a mapping and a filter that will do the renaming. I assume there's a better way to do this, and if there's interested in doing something like this for ECS, I'd love to see Winlogbeat logs normalized and would be happy to redirect some of my efforts in a way that's more congruent with how Elastic is implementing ECS with other beats.
The end-goal is to map every field to its appropriate data type, internally normalize Windows event log fields among themselves, and normalize fields to their respective ECS fields as well. And then, hopefully, not have Elastic come up with something that replaces it in 12 months.
Aside from what I've written above, I found some use for a few additional top-level fields when dealing with Windows events, whether to normalize Windows event log fields with themselves, or more generally. One was SID and the other was LDAP. I can also dump schemas for just about any other even provider and do something similar. Sysmon is probably next-up though.
Probably a bit more than you were asking for and I don't have anything ready for a PR yet. I probably need a bit of direction/guidance to get to that point (wrt what's helpful to others, is it better to just publish mappings and filters, or go the ECS route, etc).