I've been working on events 4624 (An account was successfully logged on), 4634 (An account was logged off) and 4672 (Special privileges assigned to new logon) in order to correlate logon information about Administrator users logged into our Domain Controllers.
When trying to fit those events into ECS I found that there are some fields needed for correlation that are not populated.
The user.name field is populated from TargetUserName (4624 and 4634) and from SubjectUserName (4672).
In this case the field exists in ECS (user.name), but how do I map event 4672? Should I add a new convertAuthentication function in winlogbeat-security.js? What is the best way to do it? How should it be done according to the module design?
In order to correlate Logon/Logoff sessions I found that the fields TargetLogonID (4624 and 4634) and SubjectUserName (4672) must be populated in a common field.
The Logon ID makes it possible to correlate a logon with its logoff; for example, from the Microsoft documentation:
It may be positively correlated with a “4624: An account was successfully logged on.” event using the Logon ID value.
What is the correct way to introduce new fields in the ECS?
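As an added illustration of the correlation described in this post (example code, not Winlogbeat's own winlogbeat-security.js and not its processor API): a small JavaScript mapper that takes the raw event_data of 4624, 4634 and 4672, copies the user and the logon ID into one common field per event, and then pairs logons with logoffs by that ID. It relies on the fact that 4624/4634 carry the logon ID in TargetLogonId while 4672 carries it in SubjectLogonId; the common field name `winlog.logon.id`, the event shape, and the sample events are assumptions constructed for the example.

```javascript
// Added example (not Winlogbeat code): map 4624/4634/4672 onto common fields
// and pair logon/logoff records by logon ID. The "winlog.logon.id" name and
// the event object layout are assumptions made for this example.

// Which event_data fields carry the user and the logon ID for each event ID.
// 4624/4634 report the logged-on account in Target*, 4672 reports it in Subject*.
const LOGON_FIELD_MAP = {
  4624: { user: "TargetUserName", domain: "TargetDomainName", logonId: "TargetLogonId", action: "logged-in" },
  4634: { user: "TargetUserName", domain: "TargetDomainName", logonId: "TargetLogonId", action: "logged-out" },
  4672: { user: "SubjectUserName", domain: "SubjectDomainName", logonId: "SubjectLogonId", action: "special-privileges-assigned" },
};

// Normalize one raw event into ECS-style keys; returns null for events we do not handle.
function normalizeLogonEvent(winlog) {
  const map = LOGON_FIELD_MAP[winlog.event_id];
  if (!map) return null;
  const data = winlog.event_data || {};
  const logonId = data[map.logonId];
  if (!logonId) return null; // no logon ID means nothing to correlate on
  return {
    "@timestamp": winlog["@timestamp"],
    "event.code": String(winlog.event_id),
    "event.action": map.action,
    "user.name": data[map.user],
    "user.domain": data[map.domain],
    // Lower-case the hex ID so "0x1A2B" and "0x1a2b" land in the same session.
    "winlog.logon.id": String(logonId).toLowerCase(),
  };
}

// Group normalized events by logon ID into sessions: when the logon happened,
// when (if ever) it ended, and whether 4672 flagged it as privileged.
function correlateSessions(rawEvents) {
  const sessions = new Map();
  for (const raw of rawEvents) {
    const e = normalizeLogonEvent(raw);
    if (!e) continue;
    const id = e["winlog.logon.id"];
    const s = sessions.get(id) || { logonId: id, user: null, logon: null, logoff: null, privileged: false };
    if (e["event.code"] === "4624") {
      s.user = e["user.name"];
      s.logon = e["@timestamp"];
    } else if (e["event.code"] === "4634") {
      s.logoff = e["@timestamp"];
    } else if (e["event.code"] === "4672") {
      s.privileged = true;
      s.user = s.user || e["user.name"]; // 4672 may arrive before 4624 is processed
    }
    sessions.set(id, s);
  }
  return [...sessions.values()];
}

// Session length in seconds, or null while the logoff has not been seen.
function sessionDurationSeconds(session) {
  if (!session.logon || !session.logoff) return null;
  return (Date.parse(session.logoff) - Date.parse(session.logon)) / 1000;
}

// Constructed sample events (not real log data): one privileged session that
// logs off, one ordinary session still open, and one unrelated event ID.
const SAMPLE_EVENTS = [
  { "@timestamp": "2024-01-10T08:00:00Z", event_id: 4624,
    event_data: { TargetUserName: "alice", TargetDomainName: "CORP", TargetLogonId: "0x1A2B3C" } },
  { "@timestamp": "2024-01-10T08:00:01Z", event_id: 4672,
    event_data: { SubjectUserName: "alice", SubjectDomainName: "CORP", SubjectLogonId: "0x1A2B3C" } },
  { "@timestamp": "2024-01-10T08:05:00Z", event_id: 4624,
    event_data: { TargetUserName: "bob", TargetDomainName: "CORP", TargetLogonId: "0x4D5E6F" } },
  { "@timestamp": "2024-01-10T09:00:00Z", event_id: 4634,
    event_data: { TargetUserName: "alice", TargetDomainName: "CORP", TargetLogonId: "0x1A2B3C" } },
  { "@timestamp": "2024-01-10T09:01:00Z", event_id: 4688, event_data: { NewProcessName: "cmd.exe" } },
];

const SESSIONS = correlateSessions(SAMPLE_EVENTS);
for (const s of SESSIONS) {
  console.log(`${s.logonId} ${s.user} privileged=${s.privileged} duration=${sessionDurationSeconds(s)}`);
}
```

The point of the single `LOGON_FIELD_MAP` table is that adding another event ID (or a field that Microsoft names differently in some other event) is a one-line change rather than a new conversion function; the rest of the pipeline only ever sees `user.name` and the common logon-ID field.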