I'm working now with Events related to creation, changing and deletion of computers in windows Active directory.
In these events the fields TargetUserSID, TargetUserName and TargetDomainName represents the SID,Name and Domain of the computer (object) being created, modified or deleted.
When I analyze the events I thought that mapping these fields to ECS host.id, host.name and host.domain (https://github.com/elastic/ecs/pull/591) was a the way to go.
But then I realize that the host.* fields are used and mapped in all the other cases with the source host of the events and therefore is not a good idea to use the host.* fields in this case.
Should be better to use an specific winlog fields?
For example: winlog.computer.id, winlog.computer.name and winlog.computer.name?
What do you think?