Hello,
In the Azure integration, the Audit logs for Signin events used to have the user.name and user.domain in separate fields. After the changes made in this PR, this was changed and those fields are not correctly populated anymore.
The user.domain does not exist anymore, and the field user.name is now the same as user.email, which comes from azure.signinlogs.properties.user_principal_name.
So, before we had something like this:
user.name: userName
user.domain: userDomain
Now we have this:
user.name: userName@userDomain
user.domain: does not exist.
This makes correlation more complicated, as other tools will have userName on user.name, and if you have multiple domains, the field user.domain cannot be used anymore for filtering.
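
The field shapes described in the post above, as an added example that is not part of the original post or the integration's own code: a normalization step that restores the split user.name / user.domain so events from different sources can be correlated and filtered by domain again. It assumes events are flat dictionaries with dotted ECS keys; the `source` key, the function names and the sample events are hypothetical and constructed for illustration.

```python
"""Restore split user.name / user.domain on sign-in events (added example)."""


def split_principal(event):
    """Return a copy of a flat ECS-style event in which a user.name of the
    form userName@userDomain is separated into user.name and user.domain."""
    fixed = dict(event)  # never mutate the caller's event
    name = fixed.get("user.name", "")
    # Already in the split shape, or nothing to split: leave untouched.
    if fixed.get("user.domain") or "@" not in name:
        return fixed
    # Split on the last '@' so the domain is always the final component.
    local, _, domain = name.rpartition("@")
    if not local or not domain:
        return fixed  # malformed value such as "@domain" or "user@"
    # Keep the full principal available for lookups by e-mail.
    fixed.setdefault("user.email", name)
    fixed["user.name"] = local
    fixed["user.domain"] = domain
    return fixed


def filter_by_domain(events, domain):
    """Normalize every event, then keep those whose user.domain matches
    (case-insensitive, since DNS names are not case-sensitive)."""
    normalized = [split_principal(e) for e in events]
    wanted = domain.lower()
    return [e for e in normalized if e.get("user.domain", "").lower() == wanted]


# Constructed sample events: the new combined shape, the old split shape
# as another tool would send it, and a second domain.
SAMPLE_EVENTS = [
    {"source": "azure.signinlogs", "user.name": "userName@userDomain",
     "user.email": "userName@userDomain"},
    {"source": "other-tool", "user.name": "userName",
     "user.domain": "userDomain"},
    {"source": "azure.signinlogs", "user.name": "otherUser@otherDomain"},
]

if __name__ == "__main__":
    for e in filter_by_domain(SAMPLE_EVENTS, "userDomain"):
        print(e["source"], e["user.name"], e["user.domain"])
```
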