fix(system.security) revert removal of winlog.event_data fields (#14756)

Revert the preserve_duplicate_custom_fields change from #14756 because it
causes unintended breaking changes to existing installations by removing
winlog.event_data fields that previously existed by default. As a secondary
effect, this leads to false positives in some detection rules that use those
fields as exclusions.

Author: w0rk3r

packages/system/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.5.2"
+  changes:
+    - description: Reverts removal of winlog.event_data fields used in detection rules.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14756
 - version: "2.5.1"
   changes:
     - description: Fix condition in handlebar file of security data stream.

packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json

@@ -34,9 +34,6 @@
                 },
                 "level": "information"
             },
-            "tags": [
-                "preserve_duplicate_custom_fields"
-            ],
             "winlog": {
                 "channel": "Security",
                 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",

packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json

@@ -40,9 +40,6 @@
                     "Administrator"
                 ]
             },
-            "tags": [
-                "preserve_duplicate_custom_fields"
-            ],
             "user": {
                 "domain": "WLBEAT",
                 "id": "S-1-5-21-101361758-2486510592-3018839910-500",

packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json

@@ -34,9 +34,6 @@
                 },
                 "level": "error"
             },
-            "tags": [
-                "preserve_duplicate_custom_fields"
-            ],
             "winlog": {
                 "channel": "Security",
                 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",

packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json

@@ -34,9 +34,6 @@
                 },
                 "level": "information"
             },
-            "tags": [
-                "preserve_duplicate_custom_fields"
-            ],
             "winlog": {
                 "channel": "Security",
                 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",

packages/system/data_stream/security/_dev/test/pipeline/test-4627.json-expected.json

@@ -41,9 +41,6 @@
                     "SERVER2$"
                 ]
             },
-            "tags": [
-                "preserve_duplicate_custom_fields"
-            ],
             "user": {
                 "domain": "TEST1.LOCAL",
                 "effective": {

packages/system/data_stream/security/_dev/test/pipeline/test-4658.json-expected.json

@@ -42,9 +42,6 @@
                     "SERVER2$"
                 ]
             },
-            "tags": [
-                "preserve_duplicate_custom_fields"
-            ],
             "user": {
                 "domain": "TEST1",
                 "id": "S-1-5-20",

packages/system/data_stream/security/_dev/test/pipeline/test-4659.json-expected.json

@@ -43,9 +43,6 @@
                     "administrator"
                 ]
             },
-            "tags": [
-                "preserve_duplicate_custom_fields"
-            ],
             "user": {
                 "domain": "TEST1",
                 "id": "S-1-5-21-1280187532-2219128962-763009249-500",

packages/system/data_stream/security/_dev/test/pipeline/test-4660.json-expected.json

@@ -42,9 +42,6 @@
                     "administrator"
                 ]
             },
-            "tags": [
-                "preserve_duplicate_custom_fields"
-            ],
             "user": {
                 "domain": "TEST1",
                 "id": "S-1-5-21-1280187532-2219128962-763009249-500",

packages/system/data_stream/security/_dev/test/pipeline/test-4662.json-expected.json

@@ -31,9 +31,6 @@
                     "dadmin"
                 ]
             },
-            "tags": [
-                "preserve_duplicate_custom_fields"
-            ],
             "user": {
                 "domain": "CONTOSO",
                 "id": "S-1-5-21-3457937927-2839227994-823803824-1104",