authelia: set target_user meta and align bf user-enum distinct key #1796

Draft
Copilot wants to merge 2 commits into master from copilot/fix-authelia-logs-parser

Contributor

Copilot AI commented May 12, 2026

Description

Authelia brute-force alerts were missing targeted username context because the parser only populated evt.Meta.user while brute-force context expects evt.Meta.target_user. This updates the parser/scenario path to emit and use target_user consistently for Authelia brute-force detections.

  • Parser metadata
    • Added target_user in LePresidente/authelia-logs from parsed username.
  • Scenario semantics
    • Updated LePresidente/authelia-bf_user-enum to deduplicate on evt.Meta.target_user instead of evt.Meta.user.
  • Regression coverage
    • Extended existing Authelia parser/scenario asserts to validate target_user is present on parsed events and alert events.

# parsers/s01-parse/LePresidente/authelia-logs.yaml
statics:
  - meta: user
    expression: evt.Parsed.user
  - meta: target_user
    expression: evt.Parsed.user

# scenarios/LePresidente/authelia-bf.yaml
distinct: evt.Meta.target_user

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)
  • Automated tests are passing
  • AI was used to generate any/all content of this PR

Copilot AI changed the title from "[WIP] Fix authelia-logs parser to include target_user meta" to "authelia: set target_user meta and align bf user-enum distinct key" May 12, 2026
Copilot finished work on behalf of buixor May 12, 2026 09:10
Copilot AI requested a review from buixor May 12, 2026 09:10
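
A consistency check for the mismatch this PR describes, added here as an example and not part of the PR or the hub's own tooling: it reports `evt.Meta.*` keys a scenario reads that no parser `statics` entry emits. The function names, the regex-based reading of the YAML, the `provided` parameter, and the sample filter line are assumptions constructed around the snippets in the description.

```python
import re

# Constructed samples modelled on the snippets in the PR description.
PARSER_BEFORE = """\
statics:
  - meta: user
    expression: evt.Parsed.user
"""
PARSER_AFTER = PARSER_BEFORE + """\
  - meta: target_user
    expression: evt.Parsed.user
"""
SCENARIO = """\
filter: evt.Meta.log_type == 'auth_failed'  # constructed filter
distinct: evt.Meta.target_user
"""

# Simplification: line-oriented regexes instead of a YAML parser, so a '#'
# inside a quoted string would be treated as a comment start.
_COMMENT = re.compile(r"#.*")
_META_SET = re.compile(r"^[ \t]*-?[ \t]*meta:[ \t]*([A-Za-z_]\w*)[ \t]*$", re.M)
_META_USED = re.compile(r"\bevt\.Meta\.([A-Za-z_]\w*)")


def emitted_meta(parser_yaml):
    """Meta keys a parser populates through `meta:` entries in statics."""
    return set(_META_SET.findall(_COMMENT.sub("", parser_yaml)))


def referenced_meta(scenario_yaml):
    """Meta keys a scenario reads in filter, groupby, distinct, etc."""
    return set(_META_USED.findall(_COMMENT.sub("", scenario_yaml)))


def missing_meta(parser_yamls, scenario_yaml, provided=()):
    """Keys the scenario reads that no listed parser emits.

    `provided` names keys assumed to be set elsewhere in the parser chain.
    """
    available = set(provided)
    for text in parser_yamls:
        available |= emitted_meta(text)
    return sorted(referenced_meta(scenario_yaml) - available)


if __name__ == "__main__":
    for name, parser in (("before", PARSER_BEFORE), ("after", PARSER_AFTER)):
        print(name, missing_meta([parser], SCENARIO, provided=("log_type",)))
```
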
@github-actions

Hello @Copilot and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

  • labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

  • labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

  • labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

  • labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

  • labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

  • labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

Development

Successfully merging this pull request may close these issues.

authelia-logs parser missing target_user meta — brute-force alerts lack user context