[System] extend system integration to ingest auth and security events #335

Merged
alexreal1314 merged 3 commits into main from 16356-update-systme-integration
Mar 16, 2026

Conversation


@alexreal1314 alexreal1314 commented Mar 16, 2026

closes https://github.com/elastic/security-team/issues/16356

What Changed

New data stream: logs-system.security-default — Windows Security event log events generated for every employee with a Windows laptop device.

Existing data streams (logs-system.auth-default, logs-system.syslog-default) are unchanged and continue to generate Linux SSH authentication and syslog events for org hosts.


Windows Security events (logs-system.security-default)

All successful login attempts (excluding service accounts):

FROM logs-system.security-default
| WHERE event.action IN ("logged-in", "logged-in-explicit")
  AND event.outcome == "success"
  AND user.name NOT IN ("SYSTEM", "NETWORK SERVICE", "LOCAL SERVICE")
| KEEP @timestamp, event.action, event.code, user.name, host.name, host.id, source.ip, winlog.logon.type
| SORT @timestamp DESC

Failed brute-force attempts with source IP breakdown:

FROM logs-system.security-default
| WHERE event.action == "logon-failed"
| STATS attempts = COUNT(*) BY source.ip, user.name
| SORT attempts DESC

Distribution of all Windows authentication event types:

FROM logs-system.security-default
| WHERE event.category == "authentication"
| STATS count = COUNT(*) BY event.action, event.code, event.outcome
| SORT count DESC

NTLM credential validation failures:

FROM logs-system.security-default
| WHERE event.action == "credential-validated" AND event.outcome == "failure"
| KEEP @timestamp, user.name, host.name, winlog.event_data.Status
| SORT @timestamp DESC

Linux SSH events (logs-system.auth-default)

Successful SSH logins by employee:

FROM logs-system.auth-default
| WHERE message LIKE "*Accepted*"
| KEEP @timestamp, message
| SORT @timestamp DESC

Failed SSH brute-force attempts:

FROM logs-system.auth-default
| WHERE message LIKE "*Invalid user*"
| KEEP @timestamp, message
| SORT @timestamp DESC

Querying both indexes together:

FROM logs-system.auth-default, logs-system.security-default
| KEEP @timestamp, message, data_stream.dataset
| SORT @timestamp DESC
| LIMIT 50
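As an added illustration, not code from this PR or from the System integration, the TypeScript below builds a handful of constructed Windows Security documents carrying the ECS fields the queries above key on (event.code, event.action, event.outcome, user.name, source.ip, winlog.logon.type, winlog.event_data.Status) and then runs the same three filters in code: successful non-service logins, failed logons grouped by source.ip and user.name, and NTLM credential-validation failures. It assumes the event ID to event.action mapping Elastic's System integration applies to the security data stream (4624 logged-in, 4625 logon-failed, 4634 logged-out, 4648 logged-in-explicit, 4776 credential-validated, with 4776 reported as a failure when Status is non-zero); the host names, addresses and timestamps in SAMPLE are made up for the example.

```typescript
// Added example (not the PR's code): constructed logs-system.security-default style
// documents plus in-code equivalents of the ES|QL queries in the PR description.

type Outcome = "success" | "failure";

interface SecurityDoc {
  "@timestamp": string;
  "event.code": string;
  "event.category": "authentication";
  "event.action": string;
  "event.outcome": Outcome;
  "user.name": string;
  "host.name": string;
  "source.ip"?: string;
  "winlog.logon.type"?: string;
  "winlog.event_data.Status"?: string;
}

// Windows event ID -> ECS event.action, as Elastic's System integration maps the
// security data stream (assumption stated in the lead-in).
const ACTION_BY_CODE: Record<string, string> = {
  "4624": "logged-in",
  "4625": "logon-failed",
  "4634": "logged-out",
  "4648": "logged-in-explicit",
  "4776": "credential-validated",
};

// Accounts the "successful logins" query excludes.
const SERVICE_ACCOUNTS = new Set(["SYSTEM", "NETWORK SERVICE", "LOCAL SERVICE"]);

interface DocOptions { sourceIp?: string; logonType?: string; status?: string }

// 4625 is always a failure; 4776 fails when the NTLM Status is non-zero; the rest succeed.
function outcomeFor(code: string, status?: string): Outcome {
  if (code === "4625") return "failure";
  if (code === "4776") return status === undefined || status === "0x0" ? "success" : "failure";
  return "success";
}

function makeDoc(ts: string, code: string, user: string, host: string, opts: DocOptions = {}): SecurityDoc {
  const action = ACTION_BY_CODE[code];
  if (!action) throw new Error(`unmapped event code ${code}`);
  const doc: SecurityDoc = {
    "@timestamp": ts, "event.code": code, "event.category": "authentication",
    "event.action": action, "event.outcome": outcomeFor(code, opts.status),
    "user.name": user, "host.name": host,
  };
  if (opts.sourceIp) doc["source.ip"] = opts.sourceIp;
  if (opts.logonType) doc["winlog.logon.type"] = opts.logonType;
  if (opts.status) doc["winlog.event_data.Status"] = opts.status;
  return doc;
}

// WHERE event.action IN ("logged-in","logged-in-explicit") AND event.outcome == "success"
//   AND user.name NOT IN (service accounts) | SORT @timestamp DESC
function successfulUserLogins(docs: SecurityDoc[]): SecurityDoc[] {
  return docs
    .filter(d => (d["event.action"] === "logged-in" || d["event.action"] === "logged-in-explicit")
      && d["event.outcome"] === "success" && !SERVICE_ACCOUNTS.has(d["user.name"]))
    .sort((a, b) => b["@timestamp"].localeCompare(a["@timestamp"]));
}

// WHERE event.action == "logon-failed" | STATS attempts = COUNT(*) BY source.ip, user.name
//   | SORT attempts DESC
function failedLogonsBySource(docs: SecurityDoc[]): Array<{ sourceIp: string; user: string; attempts: number }> {
  const counts = new Map<string, number>();
  for (const d of docs) {
    if (d["event.action"] !== "logon-failed") continue;
    const key = `${d["source.ip"] ?? "null"}\u0000${d["user.name"]}`;
    counts.set(key, (counts.get(key) ?? 0) + 1);
  }
  return [...counts.entries()]
    .map(([key, attempts]) => { const [sourceIp, user] = key.split("\u0000"); return { sourceIp, user, attempts }; })
    .sort((a, b) => b.attempts - a.attempts);
}

// WHERE event.action == "credential-validated" AND event.outcome == "failure"
function ntlmFailures(docs: SecurityDoc[]): SecurityDoc[] {
  return docs.filter(d => d["event.action"] === "credential-validated" && d["event.outcome"] === "failure");
}

// Constructed sample: one interactive login, a SYSTEM logon the first query must drop,
// three failures from one address against two accounts, an explicit-credential login,
// and one failed plus one successful NTLM validation.
const SAMPLE: SecurityDoc[] = [
  makeDoc("2026-03-16T09:00:00Z", "4624", "alice", "LT-0042", { sourceIp: "10.0.0.5", logonType: "Interactive" }),
  makeDoc("2026-03-16T09:00:01Z", "4624", "SYSTEM", "LT-0042", { logonType: "Service" }),
  makeDoc("2026-03-16T09:01:00Z", "4625", "alice", "LT-0042", { sourceIp: "10.0.0.99" }),
  makeDoc("2026-03-16T09:01:05Z", "4625", "alice", "LT-0042", { sourceIp: "10.0.0.99" }),
  makeDoc("2026-03-16T09:01:10Z", "4625", "bob", "LT-0042", { sourceIp: "10.0.0.99" }),
  makeDoc("2026-03-16T09:02:00Z", "4648", "alice", "LT-0042", { sourceIp: "10.0.0.5" }),
  makeDoc("2026-03-16T09:03:00Z", "4776", "bob", "LT-0042", { status: "0xC000006A" }),
  makeDoc("2026-03-16T09:03:30Z", "4776", "alice", "LT-0042", { status: "0x0" }),
];
```

Run against SAMPLE, successfulUserLogins returns alice's two logins (4648 first, because of the descending sort) and drops the SYSTEM logon, failedLogonsBySource puts alice@10.0.0.99 with 2 attempts ahead of bob with 1, and ntlmFailures returns only bob's 4776 with Status 0xC000006A. Deriving event.outcome from the code and Status in one place is what keeps the "failure" filters in the queries honest; a generator that emits 4776 with a non-zero Status but outcome "success" would make the NTLM query return nothing.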


Copilot AI left a comment


Pull request overview

Extends the existing System org-data integration to also generate Windows Security Event Log–style documents and ingest them into the system.security data stream, in addition to the existing Linux system.auth and system.syslog streams.

Changes:

  • Adds a new security data stream (logs-system.security-default) to the System integration.
  • Generates Windows security/authentication-related events (e.g., 4624/4625/4634/4648/4776) from employees’ Windows laptop devices.
  • Refactors timestamp sorting into a shared comparator applied to all three document arrays.


Comment on lines +286 to +292
// Generate Windows security events from employee Windows devices
const windowsDevices: Array<{ employee: Employee; device: Device }> = [];
for (const employee of org.employees) {
for (const device of employee.devices) {
if (device.type === 'laptop' && device.platform === 'windows') {
windowsDevices.push({ employee, device });
}
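Review bot: the selection rule on lines +288 to +290 lives only in the two inline literals `device.type === 'laptop'` and `device.platform === 'windows'`, so the intent "Windows laptop devices" is documented by the comment above the loop and nowhere else; consider extracting a named predicate such as `isWindowsLaptop(device)` so the rule is reusable and unit-testable, and state in the description that Windows desktops and servers in `employee.devices` are intentionally skipped. Also, `for (const device of employee.devices)` assumes every employee carries a `devices` array; if the model allows it to be absent, iterate `employee.devices ?? []` instead.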
@alexreal1314 alexreal1314 merged commit a198918 into main Mar 16, 2026
3 checks passed