
Add Windows auth field evidence gates #982

Closed

bozicovichsantiago20-oss wants to merge 1 commit into UnitOneAI:main from bozicovichsantiago20-oss:codex/log-auth-fields


Conversation


@bozicovichsantiago20-oss bozicovichsantiago20-oss commented Jun 5, 2026


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: log-analysis
Skill path: skills/secops/log-analysis/

What Was Wrong

The skill listed Windows Event IDs 4624 and 4625 as key authentication events, but it did not require analysts to inspect the fields that determine whether those events are suspicious or benign. Event ID alone can over-alert on expired passwords, disabled accounts, lockouts, service-account drift, scheduled tasks, local loopback/null source fields, or expected server access.

Fixes #980.

What This PR Fixes

  • Adds required context for Windows authentication fields on 4624/4625 investigations.
  • Adds a Windows authentication field evidence gate before severity assignment.
  • Requires LogonType, Status/SubStatus, FailureReason, LogonProcess, AuthenticationPackage, source/workstation, account class, privileged membership, and host role evidence.
  • Adds common 4625 SubStatus examples for bad password, unknown user, lockout, disabled account, expired password, and denied logon type.
  • Adds decision rules for Suspicious, Benign / Expected, and Needs More Context outcomes.
  • Extends the output format with a Windows Auth Field Evidence table, including privileged-membership context.
  • Updates the Event ID context pitfall to require field-level evidence.
  • Adds direct Microsoft references for Event ID 4624 and Event ID 4625.
  • Bumps the skill version to 1.0.1, including the report template version line.

Evidence

Before:

Event IDs 4624 and 4625 were described as important signals, but no field-level evidence matrix was required before classifying the event.

After:

4624/4625 findings must record LogonType, Status/SubStatus, FailureReason, LogonProcess, AuthenticationPackage, source/workstation, account class, privileged membership, host role, and a defensible assessment.

Test Cases Added/Updated

  • Added Windows authentication field evidence gate inline in SKILL.md
  • Added 4625 SubStatus triage examples inline in SKILL.md
  • Added report output table for Windows auth field evidence
  • Added Microsoft Event ID 4624/4625 references
  • Updated common pitfall guidance for field-level Event ID interpretation

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance.

Validation

  • git diff --check
  • markdown fence balance check
  • content assertions for version, report version line, Windows auth evidence gate, privileged membership, 4625 SubStatus examples, Windows Auth Field Evidence output, and Needs More Context decision rule
  • reference URL checks returned HTTP 200 for Microsoft Event ID 4624, Microsoft Event ID 4625, and MITRE ATT&CK DS0028
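The evidence gate and decision rules described in the PR body, shown as an added illustration (not the skill's own content and not code from the UnitOneAI repository): every 4624/4625 event must carry the field-level evidence before it is rated, and any missing field forces the "Needs More Context" outcome. The event shape, the enrichment labels (`account_class`, `privileged`, `host_role`), the spray threshold and the sample events are constructed assumptions for this example; the 4625 SubStatus codes are the documented Microsoft values for the six cases the PR lists.

```python
# Added example (not the skill's own code): a field-level evidence gate for
# Windows 4624/4625 events. Event shape, enrichment labels, SubStatus table
# and decision thresholds are constructed assumptions for this illustration.
from dataclasses import dataclass
from typing import Optional

# Documented 4625 SubStatus codes; the PR's six examples map onto these.
SUBSTATUS = {
    "0xC000006A": "bad password",
    "0xC0000064": "unknown user",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
    "0xC0000071": "password expired",
    "0xC000015B": "logon type not granted",
}
GUESS_REASONS = ("bad password", "unknown user")
HYGIENE_REASONS = ("password expired", "account disabled", "account locked out")
INTERACTIVE_TYPES = (2, 7, 10, 11)      # Interactive, Unlock, RemoteInteractive, CachedInteractive
SPRAY_THRESHOLD = 3                      # assumed: distinct accounts failing from one source
LOOPBACK = ("127.0.0.1", "::1", "-")     # local loopback / null source fields


@dataclass
class AuthEvent:
    event_id: int                          # 4624 success or 4625 failure
    target_user: str
    # raw event fields
    logon_type: Optional[int] = None
    logon_process: Optional[str] = None
    auth_package: Optional[str] = None
    source_ip: Optional[str] = None
    workstation: Optional[str] = None
    status: Optional[str] = None           # 4625 only
    sub_status: Optional[str] = None       # 4625 only
    failure_reason: Optional[str] = None   # 4625 only
    # enrichment from directory / CMDB (not present in the raw event)
    account_class: Optional[str] = None    # "user" | "service" | "computer"
    privileged: Optional[bool] = None      # member of a privileged group?
    host_role: Optional[str] = None        # "workstation" | "server" | "jump_host"


COMMON_FIELDS = ("logon_type", "logon_process", "auth_package", "source_ip",
                 "workstation", "account_class", "privileged", "host_role")
FAILURE_FIELDS = ("status", "sub_status", "failure_reason")


def missing_evidence(ev: AuthEvent) -> list:
    """Evidence gate: list every required field that is absent for this event type."""
    needed = COMMON_FIELDS + (FAILURE_FIELDS if ev.event_id == 4625 else ())
    return [f for f in needed if getattr(ev, f) is None]


def classify(ev: AuthEvent, window: list) -> tuple:
    """Return (verdict, reason). `window` is every event seen in the triage window."""
    missing = missing_evidence(ev)
    if missing:
        return "Needs More Context", "missing fields: " + ", ".join(missing)
    if ev.event_id == 4625:
        reason = SUBSTATUS.get(ev.sub_status, "unmapped sub-status " + ev.sub_status)
        if reason in GUESS_REASONS:
            # one source failing against many distinct accounts is the pattern worth rating
            targets = {e.target_user for e in window
                       if e.event_id == 4625 and e.source_ip == ev.source_ip
                       and SUBSTATUS.get(e.sub_status) in GUESS_REASONS}
            if len(targets) >= SPRAY_THRESHOLD:
                return "Suspicious", f"{len(targets)} accounts failed from {ev.source_ip} ({reason})"
            return "Needs More Context", f"isolated {reason}; check repetition before rating"
        if reason in HYGIENE_REASONS and ev.account_class == "user" and ev.logon_type in INTERACTIVE_TYPES:
            return "Benign / Expected", f"{reason} on interactive logon (credential hygiene, not intrusion)"
        return "Needs More Context", reason
    # 4624 successes
    if ev.source_ip in LOOPBACK and ev.logon_type == 3:
        return "Benign / Expected", "local network logon with null/loopback source"
    if ev.account_class == "service" and ev.logon_type in (4, 5):
        return "Benign / Expected", "service/batch logon by a service account"
    if ev.privileged and ev.logon_type == 10 and ev.host_role != "jump_host":
        return "Suspicious", f"privileged RDP to {ev.host_role} host from {ev.source_ip}"
    return "Needs More Context", "no rule matched; review host role and source"


def triage(events: list) -> list:
    """Rate every event in the window; result order matches input order."""
    return [classify(ev, events) for ev in events]


# Constructed sample events (not real telemetry): one expired password, a
# three-account spray, a service logon, a privileged RDP, and one with missing enrichment.
SAMPLE_EVENTS = [
    AuthEvent(4625, "alice", logon_type=2, logon_process="User32", auth_package="Negotiate",
              source_ip="10.0.0.5", workstation="WS01", status="0xC000006E", sub_status="0xC0000071",
              failure_reason="password expired", account_class="user", privileged=False, host_role="workstation"),
    *[AuthEvent(4625, u, logon_type=3, logon_process="NtLmSsp", auth_package="NTLM",
                source_ip="10.0.0.99", workstation="-", status="0xC000006D", sub_status="0xC000006A",
                failure_reason="bad password", account_class="user", privileged=False, host_role="server")
      for u in ("bob", "carol", "dave")],
    AuthEvent(4624, "svc_backup", logon_type=5, logon_process="Advapi", auth_package="Negotiate",
              source_ip="-", workstation="SRV01", account_class="service", privileged=False, host_role="server"),
    AuthEvent(4624, "da_admin", logon_type=10, logon_process="User32", auth_package="Negotiate",
              source_ip="10.0.0.50", workstation="WS07", account_class="user", privileged=True, host_role="server"),
    AuthEvent(4624, "erin", logon_type=3, logon_process="Kerberos", auth_package="Kerberos",
              source_ip="10.0.0.12", workstation="WS12", account_class="user", host_role="server"),
]

if __name__ == "__main__":
    for ev, (verdict, why) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{ev.event_id} {ev.target_user:<10} {verdict:<20} {why}")
```

The point of the gate is the first branch of `classify`: the last sample event has every raw field but no privileged-membership enrichment, so it cannot be rated at all, which is what the PR's "Needs More Context" rule requires. The spray rule shows why SubStatus alone is insufficient: the same 0xC000006A code is "isolated, check repetition" for one event and "Suspicious" only once the source is correlated across accounts.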



Development

Successfully merging this pull request may close these issues.

[REVIEW] log-analysis: add Windows auth field-level evidence gates
