system: improve event.{action,category,outcome} enrichment for auth datastream

[efd6]

What does this PR do?

Enriches event fields for pam session and auth messages and for process-related auth messages.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes [System.auth] Adding ECS category fields #6550

Screenshots

[efd6]

ISTM that these should be "session-opened" and "session-closed" since this is not a login, but if these are the terms that are used in the security solution they are OK as is.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-07-18T06:42:04.822+0000

• Duration: 15 min 33 sec

Test stats 🧪

Test	Results
Failed	0
Passed	146
Skipped	0
Total	146

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (3/3)	💚
Files	100.0% (4/4)	💚 2.778
Classes	100.0% (4/4)	💚 2.778
Methods	60.759% (48/79)	👎 -31.388
Lines	99.86% (2852/2856)	👍 8.712
Conditionals	100.0% (0/0)	💚

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[lalit-satapathy]

LGTM codeowner; as it is security datastream

[kcreddy]

LGTM 👍🏼

[elasticmachine]

Package system - 1.37.0 containing this change is available at https://epr.elastic.co/search?package=system