FIX: Elastic Agent Security Events dashboard should reference user.effective.name #14325

This commit is contained in:
Doug Burks
2025-03-04 06:46:56 -05:00
committed by GitHub
parent 3f4a5a1b28
commit 44535cba8c


@@ -1256,7 +1256,7 @@ soc:
- soc_timestamp
- event.dataset
- host.name
- user.name
- user.effective.name
- process.executable
- event.action
- event.outcome
@@ -1918,7 +1918,7 @@ soc:
query: 'event.dataset:endpoint.events.registry | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.name | groupby process.name | groupby event.action | groupby registry.path'
- name: Elastic Agent Security Events
description: Security events from Elastic Agents
query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.executable | groupby process.executable | groupby event.action | groupby event.outcome'
query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.effective.name | groupby user.effective.name | groupby -sankey user.effective.name process.executable | groupby process.executable | groupby event.action | groupby event.outcome'
- name: Host Overview
description: Overview of all host data types
query: '((event.category:registry OR event.category:host OR event.category:process OR event.category:driver OR event.category:configuration) OR (event.category:file AND _exists_:process.executable) OR (event.category:network AND _exists_:host.name)) | groupby event.dataset* event.category* event.action* | groupby event.type | groupby -sankey event.type host.name | groupby host.name | groupby user.name | groupby file.name | groupby process.executable'
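Review bot: Replacing `user.name` with `user.effective.name` outright — in the column list of the first hunk and in the groupby/sankey terms of the new query line in the second hunk — removes the original account from the Elastic Agent Security Events view, so when the two fields differ (which is the case most worth examining for security events) only the effective account remains visible. Unless user.name is known to be empty for every endpoint.events.security document, consider keeping both columns (`- user.name` followed by `- user.effective.name`) and adding a `| groupby user.name user.effective.name` bucket so the pairing is shown side by side. Documents that lack user.effective.name would presumably drop out of the sankey on that field; worth confirming against the endpoint dataset before relying on this dashboard. The enclosing `soc:` mapping starts outside both hunks.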