aws.cloudtrail: improve CloudTrail user identity processing

[chemamartinez]

Proposed commit message

For CloudTrail events, it has been updated how IAM users are handled.

In particular, for the user identity IAMUser type, the user.name and user.id are
populated with the user fields that made the action/request.

For the user identity AssumedRole, we have to differentiate between the effective
user (assumed role), for which user.effective.* fields are populated. And the real
user name, which is extracted from the userIdentity.arn field.

References:

• https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html
• https://www.elastic.co/docs/reference/ecs/ecs-user-usage#ecs-user-usage-combining

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

• Relates https://github.com/elastic/enhancements/issues/25241

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 6b2aa19

cc @chemamartinez