
[BUG] winlog.event_id alias field for windows log type has duplicate mappings which returns incorrect log index field in mapping view API #786

Closed
@amsiglan

Description

What is the bug?
The winlog.event_id ECS field has three different raw fields associated with it, which can lead to an incorrect field being returned by the mappings/view API. This causes an issue when a user tries to create a detector with rule(s) that require a mapping between the ECS field and a log index field.

For example, if the log index has a field EventID, then the mapping view API should be able to automatically map winlog.event_id to EventID and send that mapping as part of the response, but it ends up sending a mapping between winlog.event_id and event_uid or some other field not present in the index.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Create a Windows index with an EventID field.
  2. Go to the create detector page and select the Windows index and the Windows log type.
  3. In the field mappings section, under the mapped fields tab, you will find that winlog.event_id is not mapped to EventID.

What is the expected behavior?
winlog.event_id should be mapped to the field present in the log index.

What is your host/environment?
Security analytics 2.11
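The resolution logic the issue asks for, as an added illustration rather than code from the Security Analytics plugin: an ECS alias with several candidate raw field names must be checked against the fields actually present in the index, and only a candidate that exists there may be returned. The alias table, the sample index mapping, the placeholder name `event_id_placeholder` (the issue names only `EventID` and `event_uid`), and the response key names are all constructed for this example.

```python
# Added illustration (not the Security Analytics plugin's code): resolving an
# ECS alias that has several candidate raw field names against the fields
# actually present in a log index, which is the behaviour the issue expects.
from typing import Optional

# Constructed alias table. "EventID" and "event_uid" are named in the issue;
# "event_id_placeholder" stands in for the third candidate the issue does not name.
ALIAS_CANDIDATES: dict[str, list[str]] = {
    "winlog.event_id": ["event_uid", "event_id_placeholder", "EventID"],
    "winlog.channel": ["Channel"],
    "winlog.provider_name": ["Provider_Name", "provider_name"],
}

# Constructed index mapping in OpenSearch "mappings" shape, with one nested
# object to show that paths must be flattened before candidates are compared.
SAMPLE_INDEX_MAPPING = {
    "properties": {
        "EventID": {"type": "integer"},
        "Channel": {"type": "keyword"},
        "Message": {"type": "text"},
        "winlog": {"properties": {"task": {"type": "keyword"}}},
    }
}


def flatten_index_fields(mapping: dict, prefix: str = "") -> set[str]:
    """Return the dotted field paths present in an index mapping (e.g. 'winlog.task')."""
    fields: set[str] = set()
    for name, spec in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        if "properties" in spec:
            fields |= flatten_index_fields(spec, prefix=path + ".")
        else:
            fields.add(path)
    return fields


def first_candidate_mapping(ecs_field: str) -> Optional[str]:
    """Behaviour the issue reports: the first candidate is returned whether or
    not the index contains it, so winlog.event_id comes back as 'event_uid'."""
    candidates = ALIAS_CANDIDATES.get(ecs_field, [])
    return candidates[0] if candidates else None


def resolve_mapping(ecs_field: str, index_fields: set[str]) -> Optional[str]:
    """Behaviour the issue expects: pick the candidate that exists in the index,
    or return None so the caller can report the alias as unmapped."""
    for candidate in ALIAS_CANDIDATES.get(ecs_field, []):
        if candidate in index_fields:
            return candidate
    return None


def build_view_response(index_mapping: dict, required_ecs_fields: list[str]) -> dict:
    """Assemble a mapping-view style result; the key names here are constructed."""
    index_fields = flatten_index_fields(index_mapping)
    mapped: dict[str, str] = {}
    unmapped: list[str] = []
    for ecs_field in required_ecs_fields:
        raw = resolve_mapping(ecs_field, index_fields)
        if raw is None:
            unmapped.append(ecs_field)
        else:
            mapped[ecs_field] = raw
    return {"mapped": mapped, "unmapped_aliases": unmapped}


if __name__ == "__main__":
    required = ["winlog.event_id", "winlog.channel", "winlog.provider_name"]
    print("reported:", first_candidate_mapping("winlog.event_id"))
    print("expected:", build_view_response(SAMPLE_INDEX_MAPPING, required))
```

Returning `None` for an alias with no candidate in the index, instead of the first candidate, is what lets the detector creation page show the alias as unmapped so the user can pick the right field by hand rather than silently receiving a mapping to a field the index does not have.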

Labels

bug