From 71d916b74a743df255a835b363a03ce81655e09c Mon Sep 17 00:00:00 2001 From: Anabella Cristaldi Date: Tue, 26 Jan 2021 08:55:13 +0100 Subject: [PATCH 01/11] Add Winlogbeat Security Module Doc --- winlogbeat/docs/modules/security.asciidoc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/winlogbeat/docs/modules/security.asciidoc b/winlogbeat/docs/modules/security.asciidoc index 7be1d811d04..0c735e5728e 100644 --- a/winlogbeat/docs/modules/security.asciidoc +++ b/winlogbeat/docs/modules/security.asciidoc @@ -16,6 +16,7 @@ The module has transformations for the following event IDs: * 4634 - An account was logged off. * 4647 - User initiated logoff (interactive logon types). * 4648 - A logon was attempted using explicit credentials. +* 4670 - Permissions on an object were changed. * 4672 - Special privileges assigned to new logon. * 4673 - A privileged service was called. * 4674 - An operation was attempted on a privileged object. @@ -27,6 +28,12 @@ The module has transformations for the following event IDs: * 4700 - A scheduled task was enabled. * 4701 - A scheduled task was disabled. * 4702 - A scheduled task was updated. +* 4706 - A new trust was created to a domain. +* 4707 - A trust to a domain was removed. +* 4713 - Kerberos policy was changed. +* 4716 - Trusted domain information was modified. +* 4717 - System security access was granted to an account. +* 4718 - System security access was removed from an account. * 4719 - System audit policy was changed. * 4720 - A user account was created. * 4722 - A user account was enabled. @@ -45,6 +52,7 @@ The module has transformations for the following event IDs: * 4735 - A security-enabled local group was changed. * 4737 - A security-enabled global group was changed. * 4738 - An user account was changed. +* 4739 - Domain Policy was changed. * 4740 - An user account was locked out. * 4741 - A computer account was created. * 4742 - A computer account was changed. 
@@ -105,6 +113,14 @@ The module has transformations for the following event IDs: * 4781 - The name of an account was changed. * 4798 - A user's local group membership was enumerated. * 4799 - A security-enabled local group membership was enumerated. +* 4817 - Auditing settings on object were changed. +* 4902 - The Per-user audit policy table was created. +* 4904 - An attempt was made to register a security event source. +* 4905 - An attempt was made to unregister a security event source. +* 4906 - The CrashOnAuditFail value has changed. +* 4907 - Auditing settings on object were changed. +* 4908 - Special Groups Logon table modified. +* 4912 - Per User Audit Policy was changed. * 4964 - Special groups have been assigned to a new logon. More event IDs will be added. From 8a5db71eac2da532c1153faf1bcac6ccde777dea Mon Sep 17 00:00:00 2001 From: Anabella Cristaldi Date: Sun, 27 Jun 2021 20:02:38 +0200 Subject: [PATCH 02/11] ECS 1.9 new user fields --- .../security/config/winlogbeat-security.js | 81 +++++++++++++++---- 1 file changed, 66 insertions(+), 15 deletions(-) diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 181e2612b46..659ce997da5 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1910,8 +1910,13 @@ var security = (function () { if (targetUserId) { if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); else evt.Put("user.id", targetUserId); + } else { + targetUserId = evt.Get("winlog.event_data.TargetSid"); + if (targetUserId) { + if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); + else evt.Put("user.id", targetUserId); + } } - var targetUserName = evt.Get("winlog.event_data.TargetUserName"); if (targetUserName) { if (/.@*/.test(targetUserName)) { 
@@ -1930,6 +1935,49 @@ var security = (function () { } } + var copyTargetUserToEffective = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.event_data.TargetUserSid", to: "user.effective.id"}, + {from: "winlog.event_data.TargetUserName", to: "user.effective.name"}, + {from: "winlog.event_data.TargetDomainName", to: "user.effective.domain"}, + ], + ignore_missing: true, + }) + .Add(function(evt) { + var user = evt.Get("winlog.event_data.TargetUserName"); + if (user) { + if (/.@*/.test(user)) { + user = user.split('@')[0]; + evt.Put('user.effective.name', user); + } + evt.AppendTo('related.user', user); + } + }) + .Build(); + + var copyTargetUserToTarget = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.event_data.TargetSid", to: "user.target.id"}, + {from: "winlog.event_data.TargetUserName", to: "user.target.name"}, + {from: "winlog.event_data.TargetDomainName", to: "user.target.domain"}, + ], + ignore_missing: true, + }) + .Add(function(evt) { + var user = evt.Get("winlog.event_data.TargetUserName"); + if (user) { + if (/.@*/.test(user)) { + user = user.split('@')[0]; + evt.Put('user.target.name', user); + } + evt.AppendTo('related.user', user); + } + }) + .Build(); + + var copyMemberToUser = function(evt) { var member = evt.Get("winlog.event_data.MemberName"); if (!member) { @@ -1940,6 +1988,11 @@ var security = (function () { evt.AppendTo("related.user", userName); evt.Put("user.target.name", userName); + + var domainName = member.split(',')[3]; + if (domainName) { + evt.Put("user.target.domain", domainName.replace('DC=', '').replace('dc=', '')); + } } var copyTargetUserToGroup = new processor.Chain() 
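Review bot: copyTargetUserToEffective and copyTargetUserToTarget copy TargetUserName (and the SID/domain through the Convert step) even when it is the `-` placeholder Windows writes when no target account is involved, and the 4688 hunk later in this patch removes the `/^-$/.test(user)` check that used to filter it, so process-creation events with no target would now get `user.effective.name: "-"` and a `-` entry in related.user. I am inferring the 4688 impact from the removed check; the regenerated 4688 golden is not visible here. The two chains also differ only in the `effective`/`target` prefix and the SID field they read, so one factory would keep the placeholder guard and the `@` splitting in a single place (reading TargetUserSid with a TargetSid fallback, as copyTargetUser does later in this series). A possible shape, with the Convert step folded into the function so nothing is copied before the guard:
```javascript
// Copies the Target* event_data fields to user.<prefix>.* and related.user,
// skipping the "-" placeholder Windows writes when there is no target account.
var copyTargetUserTo = function(prefix) {
    return function(evt) {
        var name = evt.Get("winlog.event_data.TargetUserName");
        if (!name || name === '-') {
            return;
        }
        if (name.indexOf('@') > 0) {
            name = name.split('@')[0];
        }
        evt.Put('user.' + prefix + '.name', name);
        evt.AppendTo('related.user', name);
        var sid = evt.Get("winlog.event_data.TargetUserSid") || evt.Get("winlog.event_data.TargetSid");
        if (sid) evt.Put('user.' + prefix + '.id', sid);
        var domain = evt.Get("winlog.event_data.TargetDomainName");
        if (domain) evt.Put('user.' + prefix + '.domain', domain);
    };
};
var copyTargetUserToEffective = copyTargetUserTo('effective');
var copyTargetUserToTarget = copyTargetUserTo('target');
```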
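Review bot: `member.split(',')[3]` in copyMemberToUser ties the domain to a fixed position in the member's distinguished name, so it breaks as soon as the account sits under an OU (the index shifts) and, judging by the goldens regenerated later in this series (`target.domain: "local"` beside `group.domain: "WLBEAT"`, and `"SAAS"` beside `"TEST"`), it appears to pick a trailing DC component rather than the domain name. The `.replace('DC=', '').replace('dc=', '')` pair is also case-sensitive and misses other casings. Selecting every `DC=` component case-insensitively and joining them with `.` yields the DNS domain (`WLBEAT.local`, `TEST.SAAS`), which matches how `user.domain` appears in the 4768 golden; if the NetBIOS name is wanted instead, TargetDomainName would be the safer source when the event carries it. copyMemberToUser starts before this hunk.
```javascript
// … unchanged: MemberName lookup, related.user and user.target.name …
// Build the DNS domain from the DC= components of the member's DN
// (e.g. "CN=x,CN=Users,DC=WLBEAT,DC=local" -> "WLBEAT.local"); their
// position varies with OU depth, so do not index by position.
var dcParts = [];
var dnParts = member.split(',');
for (var i = 0; i < dnParts.length; i++) {
    var part = dnParts[i].trim();
    if (/^dc=/i.test(part)) {
        dcParts.push(part.substring(3));
    }
}
if (dcParts.length > 0) {
    evt.Put("user.target.domain", dcParts.join('.'));
}
```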
@@ -2130,10 +2183,11 @@ var security = (function () { // Handles both 4648 var event4648 = new processor.Chain() - .Add(copyTargetUser) + .Add(copySubjectUser) .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) .Add(addEventFields) + .Add(copyTargetUserToEffective) .Add(function(evt) { var user = evt.Get("winlog.event_data.SubjectUserName"); if (user) { @@ -2173,16 +2227,8 @@ var security = (function () { .Add(copySubjectUser) .Add(copySubjectUserLogonId) .Add(renameNewProcessFields) + .Add(copyTargetUserToEffective) .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) .Build(); var event4689 = new processor.Chain() @@ -2206,10 +2252,7 @@ var security = (function () { .Add(renameCommonAuthFields) .Add(addUACDescription) .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - }) + .Add(copyTargetUserToTarget) .Build(); var userRenamed = new processor.Chain() @@ -2221,6 +2264,13 @@ var security = (function () { evt.AppendTo('related.user', userNew); var userOld = evt.Get("winlog.event_data.OldTargetUserName"); evt.AppendTo('related.user', userOld); + if (userOld) { + evt.Put('user.target.name', userOld); + evt.Put('user.target.domain', domain); + } + if (userNew) { + evt.Put('user.changes.name', userNew); + } }) .Build(); @@ -2359,6 +2409,7 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) .Add(addEventFields) + .Add(copyTargetUserToTarget) .Add(function(evt) { var oldSd = evt.Get("winlog.event_data.OldSd"); var newSd = evt.Get("winlog.event_data.NewSd"); From f7acd39b7a32f52e9493ef9eab145f85d9b02ab4 Mon Sep 17 00:00:00 2001 
From: Anabella Cristaldi Date: Sun, 27 Jun 2021 20:09:00 +0200 Subject: [PATCH 03/11] Add Documentation --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 105956aa9de..1da0aa46692 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -509,6 +509,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Protect against accessing undefined variables in Sysmon module. {issue}22219[22219] {pull}22236[22236] - Protect against accessing an undefined variable in Security module. {pull}22937[22937] - Fix related.ip field in renameCommonAuthFields {pull}24892[24892] +- Add ECS 1.9 new users fields {pull}26509[26509] *Functionbeat* From 4788f663c2b3c4128976c70201c7a4383d71fd56 Mon Sep 17 00:00:00 2001 From: Anabella Cristaldi <33020901+janniten@users.noreply.github.com> Date: Sat, 17 Jul 2021 20:43:09 +0200 Subject: [PATCH 04/11] Update x-pack/winlogbeat/module/security/config/winlogbeat-security.js Co-authored-by: Adrian Serrano --- x-pack/winlogbeat/module/security/config/winlogbeat-security.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 659ce997da5..a72e584e5bf 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1947,7 +1947,7 @@ var security = (function () { .Add(function(evt) { var user = evt.Get("winlog.event_data.TargetUserName"); if (user) { - if (/.@*/.test(user)) { + if (user.indexOf('@')>0) { user = user.split('@')[0]; evt.Put('user.effective.name', user); } From 6e84cafe0f9b043aa34f04e111d50a6398efe076 Mon Sep 17 00:00:00 2001 
From: Anabella Cristaldi <33020901+janniten@users.noreply.github.com> Date: Sat, 17 Jul 2021 20:43:21 +0200 Subject: [PATCH 05/11] Update x-pack/winlogbeat/module/security/config/winlogbeat-security.js Co-authored-by: Adrian Serrano --- .../module/security/config/winlogbeat-security.js | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index a72e584e5bf..7c723090937 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1907,15 +1907,10 @@ var security = (function () { var copyTargetUser = function(evt) { var targetUserId = evt.Get("winlog.event_data.TargetUserSid"); + if (!targetUserId) targetUserId = evt.Get("winlog.event_data.TargetSid"); if (targetUserId) { if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); else evt.Put("user.id", targetUserId); - } else { - targetUserId = evt.Get("winlog.event_data.TargetSid"); - if (targetUserId) { - if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); - else evt.Put("user.id", targetUserId); - } } var targetUserName = evt.Get("winlog.event_data.TargetUserName"); if (targetUserName) { From 2167b1242c7d0c46a4857e809375482f50db3007 Mon Sep 17 00:00:00 2001 From: Anabella Cristaldi Date: Tue, 20 Jul 2021 17:55:04 +0200 Subject: [PATCH 06/11] Suggeted changes by adriansr --- x-pack/winlogbeat/module/security/config/winlogbeat-security.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 7c723090937..7082683fec4 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js 
@@ -1914,7 +1914,7 @@ var security = (function () {
 }
 var targetUserName = evt.Get("winlog.event_data.TargetUserName");
 if (targetUserName) {
- if (/.@*/.test(targetUserName)) {
+ if (targetUserName.indexOf('@')>0) {
 targetUserName = targetUserName.split('@')[0];
 }
From 3c67931c4379cf74ccb4732d7199a2e1466117d7 Mon Sep 17 00:00:00 2001
From: Marc Guasch Date: Thu, 14 Oct 2021 12:28:20 +0200 Subject: [PATCH 07/11] Regenerate golden files --- .../security/config/winlogbeat-security.js | 3 +-- .../security/test/testdata/4746.evtx.golden.json | 1 + .../security/test/testdata/4747.evtx.golden.json | 1 + .../security/test/testdata/4751.evtx.golden.json | 1 + .../security/test/testdata/4752.evtx.golden.json | 1 + .../security/test/testdata/4761.evtx.golden.json | 1 + .../security/test/testdata/4762.evtx.golden.json | 1 + .../security-windows2012_4768.evtx.golden.json | 1 + .../security-windows2012_4771.evtx.golden.json | 1 + ...ows2016_4720_Account_Created.evtx.golden.json | 14 ++++++++++++-- ...ows2016_4722_Account_Enabled.evtx.golden.json | 14 ++++++++++++-- ...ows2016_4723_Password_Change.evtx.golden.json | 14 ++++++++++++-- ...dows2016_4724_Password_Reset.evtx.golden.json | 14 ++++++++++++-- ...ws2016_4725_Account_Disabled.evtx.golden.json | 14 ++++++++++++-- ...ows2016_4726_Account_Deleted.evtx.golden.json | 14 ++++++++++++-- .../security-windows2016_4728.evtx.golden.json | 1 + .../security-windows2016_4729.evtx.golden.json | 1 + .../security-windows2016_4732.evtx.golden.json | 1 + .../security-windows2016_4733.evtx.golden.json | 1 + ...ows2016_4738_Account_Changed.evtx.golden.json | 14 ++++++++++++-- ...2016_4740_Account_Locked_Out.evtx.golden.json | 7 ++++++- .../security-windows2016_4756.evtx.golden.json | 1 + .../security-windows2016_4757.evtx.golden.json | 1 + ...ws2016_4767_Account_Unlocked.evtx.golden.json | 7 ++++++- ...ows2016_4781_Account_Renamed.evtx.golden.json | 16 ++++++++++++++-- .../security-windows2016_4798.evtx.golden.json | 7 ++++++- ...ows2019_4688_Process_Created.evtx.golden.json | 10 +++++++++- 27 files changed, 140 insertions(+), 22 deletions(-) diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 7082683fec4..6300e7a2861 100644 
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1963,7 +1963,7 @@ var security = (function () { .Add(function(evt) { var user = evt.Get("winlog.event_data.TargetUserName"); if (user) { - if (/.@*/.test(user)) { + if (user.indexOf('@')>0) { user = user.split('@')[0]; evt.Put('user.target.name', user); } @@ -2261,7 +2261,6 @@ var security = (function () { evt.AppendTo('related.user', userOld); if (userOld) { evt.Put('user.target.name', userOld); - evt.Put('user.target.domain', domain); } if (userNew) { evt.Put('user.changes.name', userNew); diff --git a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json index d3dbd3d19b5..b6187500440 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2903", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json index 41b67ea75f6..712f63844ee 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2903", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json index e838da29e54..f2d158c8ef9 100644 
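Review bot: Dropping the `evt.Put('user.target.domain', domain)` line in the `@@ -2261` hunk removes the undefined `domain` reference, but it leaves user.target.domain unset for renamed accounts even though user.target.name and user.changes.name are now populated. Event 4781 should carry TargetDomainName (confirm against the test event), so `var targetDomain = evt.Get("winlog.event_data.TargetDomainName"); if (targetDomain) evt.Put('user.target.domain', targetDomain);` inside the `if (userOld)` block would keep the renamed account consistent with the other account-management events in this series. The enclosing userRenamed chain starts and ends outside the hunk.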
--- a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2904", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json index 37544b89cbe..4da882d11c7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2904", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json index 3c7563a75de..4c79ebb81e2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2905", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json index 5ff88d4e7c6..e473bc5a443 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2905", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json index 819570bff67..d91d0349720 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json @@ -31,6 +31,7 @@ }, "user": { "domain": "TEST.SAAS", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm" }, "winlog": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json index 37ac84f9b32..ccfaf136948 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json @@ -30,6 +30,7 @@ "port": 53366 }, "user": { + "id": "S-1-5-21-1717121054-434620538-60925301-3057", "name": "MPUIG" }, "winlog": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json index 57911917d9b..5c8382b776e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", 
@@ -126,7 +131,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json index c2ae405fbe2..9e50bcb1a04 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -99,7 +104,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json index aec326c4990..73cf17f61eb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json @@ -28,7 +28,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -94,7 +99,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json index c77b35a2bce..5c5cbe31da8 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", 
@@ -99,7 +104,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json index 1acefb2632e..c25e266f83a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -99,7 +104,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json index 113921ddf11..7e9c82f86f6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1001", + "name": "audittest23" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -100,7 +105,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json index 56f68012be8..59c58efcf4b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json @@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1112", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json index e8700a9ab47..e3ac9be9101 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json 
@@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1112", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json index e25f589d6ab..1d97aa773ea 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json @@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1111", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json index 2c2db1bcc5a..9225f75661f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json @@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1111", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json index f32e127117b..786a77df8db 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json 
@@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -125,7 +130,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json index 6dc0514e838..1c91cbf9cee 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WORKGROUP", "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$" + "name": "WIN-41OB2LO92CR$", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json index f9ac68771e9..5ffb623eb18 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json @@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1113", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json index b4a7d4639c9..40cbe2246a4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json @@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1113", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json index c4bfe8b056f..75feedba72a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json index 91b49e271f6..95d2603832a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json @@ -30,9 +30,15 @@ ] }, "user": { + "changes": { + "name": "audittest06" + }, "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -101,9 +107,15 @@ ] }, "user": { + "changes": { + "name": "audittest0609" + }, "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "name": "audittest06" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json index 655861b92d7..385560f46b0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WORKGROUP", "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$" + "name": "WIN-41OB2LO92CR$", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json index 309f889abb5..1c6ac89d0dc 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json @@ -37,10 +37,18 @@ "pid": 4556 }, "related": { - "user": "vagrant" + "user": [ + "vagrant", + "-" + ] }, "user": { "domain": "VAGRANT", + "effective": { + "domain": "-", + "id": "S-1-0-0", + "name": "-" + }, "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", "name": "vagrant" }, From 6a94aa44e2ee88e4cd4232d9127f2058af78a44f Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 18 Oct 2021 10:15:05 +0200 Subject: [PATCH 08/11] Fix changelog and remove ~/go/src/github.com/elastic/integrations/packages/cisco_meraki values --- CHANGELOG.next.asciidoc | 3 +-- .../security/config/winlogbeat-security.js | 16 +++++++++++++++- ...ows2019_4688_Process_Created.evtx.golden.json | 8 ++------ 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 27db9f80acc..356e497ceeb 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -439,9 +439,8 @@ for a few releases. Please use other tools provided by Elastic to fetch data fro - Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627] - Protect against accessing undefined variables in Sysmon module. {issue}22219[22219] {pull}22236[22236] - Protect against accessing an undefined variable in Security module. {pull}22937[22937] -- Fix related.ip field in renameCommonAuthFields {pull}24892[24892] -- Add ECS 1.9 new users fields {pull}26509[26509] - Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191] +- Add ECS 1.9 new users fields {pull}26509[26509] *Functionbeat* diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 6300e7a2861..2dee1f4cbf7 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1946,9 +1946,23 @@ var security = (function () { user = user.split('@')[0]; evt.Put('user.effective.name', user); } - evt.AppendTo('related.user', user); } }) + .Add(function(evt) { + var removeIfEmptyOrHyphen = function(evt, key) { + var val = evt.Get(key); + if (!val || val === "-") { + evt.Delete("user.effective.name"); + return true; + } + return false; + }; + if (!removeIfEmptyOrHyphen(evt, "user.effective.name")) { + evt.AppendTo("related.user", user); + } + removeIfEmptyOrHyphen(evt, "user.effective.domain"); + removeIfEmptyOrHyphen(evt, "user.effective.id"); + }) .Build(); var copyTargetUserToTarget = new processor.Chain() diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json index 1c6ac89d0dc..a55bb985658 100644 
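Review bot: `evt.AppendTo("related.user", user)` in the newly added `.Add(function(evt) { ... })` closure references `user`, which the visible code only assigns inside the preceding closure (`user = user.split('@')[0]`), so unless it is also declared in an enclosing scope outside the hunk this raises a ReferenceError on every event whose `user.effective.name` survives the placeholder check. In the same closure `removeIfEmptyOrHyphen` ignores its `key` argument when deleting (`evt.Delete("user.effective.name")`), so the `user.effective.domain` and `user.effective.id` calls never remove anything, which is what the golden file regenerated in this same commit still shows (`"domain": "-"` retained under `effective`). Patches 09 and 11 of this series fix both — `evt.Delete(key);` and `evt.AppendTo("related.user", evt.Get("user.effective.name"));` — so squashing them into this commit would avoid an intermediate revision that is broken for bisecting. The enclosing copyTargetUserToEffective chain starts before the hunk.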
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json @@ -37,17 +37,13 @@ "pid": 4556 }, "related": { - "user": [ - "vagrant", - "-" - ] + "user": "vagrant" }, "user": { "domain": "VAGRANT", "effective": { "domain": "-", - "id": "S-1-0-0", - "name": "-" + "id": "S-1-0-0" }, "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", "name": "vagrant" From 8d3c8002dfd86a029163cddb77586881fc6fe79f Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 18 Oct 2021 10:18:32 +0200 Subject: [PATCH 09/11] Fix typo --- x-pack/winlogbeat/module/security/config/winlogbeat-security.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 2dee1f4cbf7..0b9a1612ba0 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1952,7 +1952,7 @@ var security = (function () { var removeIfEmptyOrHyphen = function(evt, key) { var val = evt.Get(key); if (!val || val === "-") { - evt.Delete("user.effective.name"); + evt.Delete(key); return true; } return false; From 782721b2f2693dbc46779fbc2870d051b1a237f2 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 18 Oct 2021 10:20:11 +0200 Subject: [PATCH 10/11] Regenerate test files --- .../security-windows2019_4688_Process_Created.evtx.golden.json | 1 - 1 file changed, 1 deletion(-) diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json index a55bb985658..0b5f968db41 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json @@ -42,7 +42,6 @@ "user": { "domain": "VAGRANT", "effective": { - "domain": "-", "id": "S-1-0-0" }, "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", From 8941a651c42f5ff6319186ca61cac4e0ae2ba026 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 18 Oct 2021 13:42:42 +0200 Subject: [PATCH 11/11] Check for empty values on target user --- .../security/config/winlogbeat-security.js | 26 ++++++++++++------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 0b9a1612ba0..76ef1f0b21e 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1930,6 +1930,15 @@ var security = (function () { } } + var removeIfEmptyOrHyphen = function(evt, key) { + var val = evt.Get(key); + if (!val || val === "-") { + evt.Delete(key); + return true; + } + return false; + } + var copyTargetUserToEffective = new processor.Chain() .Convert({ fields: [ @@ -1949,16 +1958,8 @@ var security = (function () { } }) .Add(function(evt) { - var removeIfEmptyOrHyphen = function(evt, key) { - var val = evt.Get(key); - if (!val || val === "-") { - evt.Delete(key); - return true; - } - return false; - }; if (!removeIfEmptyOrHyphen(evt, "user.effective.name")) { - evt.AppendTo("related.user", user); + evt.AppendTo("related.user", evt.Get("user.effective.name")); } removeIfEmptyOrHyphen(evt, "user.effective.domain"); removeIfEmptyOrHyphen(evt, "user.effective.id"); 
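Review bot: The hoisted `removeIfEmptyOrHyphen` treats only a missing value and `"-"` as empty, yet the 4688 golden file regenerated in PATCH 10 still ends with `"effective": { "id": "S-1-0-0" }` once domain and name are dropped; `S-1-0-0` is the well-known NULL SID, so the surviving `user.effective` object identifies nobody. Extending the check to `if (!val || val === "-" || val === "S-1-0-0") {` would remove that stub together with its siblings, or alternatively the caller could delete `user.effective` outright when all three fields were placeholders. The function expression also lacks the terminating `;` after its closing brace that the inline version carried (`};`); ASI copes, but the rest of the visible file terminates statements explicitly. A one-line header such as `// Deletes the field at key when its value is absent or the "-" placeholder; returns true if it was removed.` would document the contract.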
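Review bot: The new `.Add` closure reads `user.effective.name` twice — once inside `removeIfEmptyOrHyphen` and again for the `related.user` append — and the identical three-call sequence is repeated for `user.target` in the following hunk. Having the helper return the retained value (null when it deleted the field) and wrapping the three calls in a small function that takes the `user.effective` or `user.target` prefix would remove both the double lookup and the duplication. This is a style point only; the resulting events are unchanged either way.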
@@ -1984,6 +1985,13 @@ var security = (function () { evt.AppendTo('related.user', user); } }) + .Add(function(evt) { + if (!removeIfEmptyOrHyphen(evt, "user.target.name")) { + evt.AppendTo("related.user", evt.Get("user.target.name")); + } + removeIfEmptyOrHyphen(evt, "user.target.domain"); + removeIfEmptyOrHyphen(evt, "user.target.id"); + }) .Build();