[Security Solution] Refactor RDP ML job for field changes #91910

Closed
randomuserid opened this issue Feb 18, 2021 · 6 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed v7.14.0

Comments

@randomuserid
Contributor

randomuserid commented Feb 18, 2021

Describe the bug:

The RDP job windows_rare_user_type10_remote_login needs a field change: event.type for type 10 RDP auth events is now start. The job will need to be either versioned, replaced or forked.

@randomuserid randomuserid added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Feb 18, 2021
@randomuserid randomuserid self-assigned this Feb 18, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@spong spong added the Team:Detections and Resp Security Detection Response Team label Feb 18, 2021
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@spong
Member

spong commented Feb 23, 2021

Note: the Detection ML Job Settings UI only goes back two weeks; larger lookbacks need to be done via the ML App.

@randomuserid
Contributor Author

randomuserid commented May 12, 2021

So I have the OK from @blaklaybul to make an update to the data feed query for this job, which should not require shipping a new job. I am going to plan and get this into 7.13.1 - or 7.13.2 at worst.

@randomuserid
Contributor Author

randomuserid commented May 12, 2021

Some research is needed here. At present, both successful and unsuccessful auth events appear to be mapped to event.type:start in the authentication category. Maybe use event.action but we mostly stopped using that field last fall?

[image]

@randomuserid
Contributor Author

randomuserid commented May 12, 2021

So it looks like event.outcome is mapped to success for event 4624 (a Windows login). However, we need to use either winlog.logon.type or winlog.event_data.LogonType today to match a remote RDP login, for a few reasons. Eventually, these fields will be deprecated when new fields like session.type are implemented, and this query will break again and need to be refactored.

The quickest fix here would be to do this, which evals true on newer events as well as the older events from when the query was first written. This makes it winlogbeat specific, but the job already is winlogbeat specific: the winlog* fields are Beats fields, and the manifest is tied to the winlogbeat index. So we will need to ship a new version of this job to be portable across data types; that cannot be done by changing the data feed query.

{
  "query": {
    "bool": {
      "filter": [
        {"term": {"winlog.event_data.LogonType": "10"}},
        {"term": {"event.code": "4624"}}
      ],
      "must": [
        {
          "bool": {
            "should": [
              {
                "match": {
                  "event.type": {
                    "query": "authentication_success",
                    "operator": "OR"
                  }
                }
              },
              {
                "match": {
                  "event.action": {
                    "query": "logged-in",
                    "operator": "OR"
                  }
                }
              }
            ]
          }
        }
      ]
    }
  }
}
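To see why the datafeed query above is shaped the way it is (event.code and LogonType as hard filters, with the old event.type value and event.action as alternatives inside a should), here is an added example that is not part of the issue or of the Elastic ML job. It evaluates the small subset of the Elasticsearch query DSL the query uses (term, match, bool with filter/must/should) against constructed winlogbeat-style documents: one from before the ECS field change, one from after, a failed RDP logon, and a console logon. It also runs a naive variant that simply swaps authentication_success for start, to show that it drops the old events and, without the event.code filter, picks up failures too, which is the problem raised in the earlier comment. The evaluator and all sample events are assumptions built for this illustration, not winlogbeat output.

```python
"""In-memory evaluator for the bool/term/match subset of the query DSL.

Constructed for this example; the sample documents imitate winlogbeat
4624/4625 events but are not real data.
"""
from typing import Any


def field_values(doc: dict, path: str) -> list:
    """Resolve a dotted field path against a nested document; missing -> []."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return []
        cur = cur[part]
    return cur if isinstance(cur, list) else [cur]


def evaluate(query: dict, doc: dict) -> bool:
    """Return True when the document satisfies the (single-clause) query."""
    (kind, body), = query.items()
    if kind == "term":
        (field, value), = body.items()
        return str(value) in map(str, field_values(doc, field))
    if kind == "match":
        (field, spec), = body.items()
        text = spec["query"] if isinstance(spec, dict) else spec
        op = (spec.get("operator", "or") if isinstance(spec, dict) else "or").lower()
        present = set(map(str, field_values(doc, field)))
        hits = [tok in present for tok in text.split()]
        return all(hits) if op == "and" else any(hits)
    if kind == "bool":
        must = [evaluate(q, doc) for q in body.get("must", []) + body.get("filter", [])]
        must_not = [evaluate(q, doc) for q in body.get("must_not", [])]
        should = [evaluate(q, doc) for q in body.get("should", [])]
        # A should clause is only mandatory when the bool has no must/filter,
        # matching Elasticsearch's default minimum_should_match behaviour.
        should_ok = any(should) if (should and not must) else True
        return all(must) and not any(must_not) and should_ok
    raise ValueError(f"unsupported clause: {kind}")


# The datafeed query proposed in the issue, reproduced verbatim.
DATAFEED_QUERY = {"query": {"bool": {
    "filter": [{"term": {"winlog.event_data.LogonType": "10"}},
               {"term": {"event.code": "4624"}}],
    "must": [{"bool": {"should": [
        {"match": {"event.type": {"query": "authentication_success", "operator": "OR"}}},
        {"match": {"event.action": {"query": "logged-in", "operator": "OR"}}},
    ]}}],
}}}

# Hypothetical shortcut: just replace the old event.type value with "start".
NAIVE_START_QUERY = {"query": {"bool": {"filter": [
    {"term": {"winlog.event_data.LogonType": "10"}},
    {"match": {"event.type": {"query": "start"}}},
]}}}

# Constructed sample documents (not real winlogbeat output).
SAMPLE_EVENTS = {
    "old_rdp_success": {  # shape from when the job was first written
        "event": {"code": "4624", "type": "authentication_success", "action": "logged-in"},
        "winlog": {"event_data": {"LogonType": "10"}},
    },
    "new_rdp_success": {  # after the change: event.type is "start", outcome carries success
        "event": {"code": "4624", "type": ["start"], "outcome": "success", "action": "logged-in"},
        "winlog": {"event_data": {"LogonType": "10"}, "logon": {"type": "RemoteInteractive"}},
    },
    "rdp_failure": {  # 4625 also maps to event.type "start" in the newer shape
        "event": {"code": "4625", "type": ["start"], "outcome": "failure", "action": "logon-failed"},
        "winlog": {"event_data": {"LogonType": "10"}},
    },
    "console_logon": {  # interactive (type 2) logon, not RDP
        "event": {"code": "4624", "type": ["start"], "outcome": "success", "action": "logged-in"},
        "winlog": {"event_data": {"LogonType": "2"}},
    },
}


def matching(query: dict, events: dict) -> list:
    """Names of the sample events a query would feed to the ML job."""
    return sorted(name for name, doc in events.items() if evaluate(query["query"], doc))


if __name__ == "__main__":
    print("issue query  :", matching(DATAFEED_QUERY, SAMPLE_EVENTS))
    print("naive 'start':", matching(NAIVE_START_QUERY, SAMPLE_EVENTS))
```

The issue's query selects only the two successful RDP logons, old and new shape alike, because event.code 4624 is a filter and the should clause accepts either the legacy event.type value or event.action. The naive swap to event.type:start loses the pre-change documents and, lacking the 4624 anchor, admits the failed logon as well, which would quietly change what the rare-user model is trained on.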
