
Conversation

@jbfeldman-dd
Contributor

What does this PR do?

  • Correctly map fields to ocsf.actor.user. in OCSF classes 3005 and 3006, making log mapping more consistent
  • Maps user IDs (and not UPNs) to ocsf.user.uid and ocsf.actor.user.uid consistently, improving log mapping consistency

Motivation

Feedback that mapping to ocsf.actor.user fields was inconsistent

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
  • If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

@github-actions

github-actions bot commented Nov 25, 2025

⚠️ Recommendation: Add qa/skip-qa label

This PR does not modify any files shipped with the agent.

To help streamline the release process, please consider adding the qa/skip-qa label if these changes do not require QA testing.

@siigil

siigil commented Nov 26, 2025

What's the reason behind needing to map per-event category for these logs? Wondering if we're likely to miss some mappings as new events (or event categories) are added, unless there's a similar default-mapping.
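The two points under discussion, the PR's goal of mapping a stable user ID (not a UPN) into ocsf.user.uid and ocsf.actor.user.uid for classes 3005 and 3006, and siigil's concern that per-category mappings silently miss new event categories, can both be shown with a small mapper that keeps one shared actor.user mapping, layers per-class overrides on top, and falls back to a default when a category is unknown. This is an added example, not code from the PR or from the project; the raw event field names (category, user_id, upn, target_user_id, target_upn, group), the category-to-class table and the fallback class 3004 are assumptions chosen for illustration.

```python
"""Added example (not the PR's code): a small OCSF mapper showing
(a) one shared actor.user mapping with per-class overrides that fall back
    to a default, so an event category the mapper does not know still gets
    actor.user populated instead of being dropped, and
(b) a consistency check that every *.user.uid carries a stable user ID and
    never a UPN.
Raw event field names and values below are constructed, not taken from any
real log source or from the PR."""

OCSF_VERSION = "1.5.0"  # metadata.version seen in the PR's validation output

# Constructed raw events; the field names are assumptions for this example.
RAW_EVENTS = [
    {"category": "user_management", "user_id": "u-1001",
     "upn": "alice@example.test", "target_user_id": "u-2002",
     "target_upn": "bob@example.test"},
    {"category": "group_management", "user_id": "u-1001",
     "upn": "alice@example.test", "group": "admins"},
    # A category the mapper has never seen: must still get actor.user.
    {"category": "some_new_category", "user_id": "u-3003",
     "upn": "carol@example.test"},
]

# Assumed table: which OCSF class_uid a raw category maps to. Anything not
# listed falls back to DEFAULT_CLASS rather than being left unmapped.
CATEGORY_TO_CLASS = {"user_management": 3005, "group_management": 3006}
DEFAULT_CLASS = 3004  # assumed fallback class; pick what fits your source


def actor_user(raw):
    """Shared actor.user mapping used by every class: uid is the stable
    user ID, the UPN goes to email_addr, never to uid."""
    return {"uid": raw["user_id"], "email_addr": raw["upn"]}


def map_3005(raw):
    """Class 3005: actor.user is who acted, user is the account acted on."""
    return {
        "actor": {"user": actor_user(raw)},
        "user": {"uid": raw["target_user_id"], "email_addr": raw["target_upn"]},
    }


def map_3006(raw):
    """Class 3006: actor.user is who acted, the group is the target."""
    return {"actor": {"user": actor_user(raw)}, "group": {"name": raw["group"]}}


def map_default(raw):
    """Fallback for classes without a dedicated mapper: still fill actor.user."""
    return {"actor": {"user": actor_user(raw)}}


CLASS_MAPPERS = {3005: map_3005, 3006: map_3006}


def to_ocsf(raw):
    """Map one raw event to a minimal OCSF event dict."""
    class_uid = CATEGORY_TO_CLASS.get(raw["category"], DEFAULT_CLASS)
    event = {"class_uid": class_uid, "metadata": {"version": OCSF_VERSION}}
    event.update(CLASS_MAPPERS.get(class_uid, map_default)(raw))
    return event


def map_all(raw_events):
    return [to_ocsf(raw) for raw in raw_events]


def uid_violations(event, path=""):
    """Return the dotted paths of every *.user.uid whose value looks like a
    UPN (contains '@'), i.e. where a UPN leaked into a uid field."""
    bad = []
    for key, value in event.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            bad.extend(uid_violations(value, here))
        elif key == "uid" and here.endswith("user.uid") and "@" in str(value):
            bad.append(here)
    return bad


if __name__ == "__main__":
    for event in map_all(RAW_EVENTS):
        print(event["class_uid"], event["actor"]["user"], uid_violations(event))
```

Running uid_violations over the mapper's output (or over a sample of production events) is a cheap regression check for the inconsistency the PR fixes: any path it returns is a place where a UPN reached a uid field.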

@jbfeldman-dd
Contributor Author

OCSF validation output

INFO:root:Summary of validation results: {
  "total_logs": 7,
  "total_errors": 0,
  "total_warnings": 7,
  "version_earlier": 7
}
INFO:root:Error messages: {}
INFO:root:Warning messages: {
  "Event version \"1.5.0\" at \"metadata.version\" is earlier than schema version \"1.7.0-dev\". Validating against later schema versions can yield deprecation warnings and other (minor) validation messages that would not occur when validating against the same version.": 7
}
