[osquerybeat] Fix what events are published for diff queries

[marc-gr]

Proposed commit message

Fix osquerybeat differential results handling with two bugs:

• "removed" events to show current values instead of previous values
• Security monitoring degradation for drift detection and compliance auditing use cases

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
• I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

None. This is a bug fix that corrects incorrect behavior. Users will now receive accurate differential results where "removed" events contain the previous values and "added" events contain the new values.

Related issues

• Closes [Osquerybeat] Osquerybeat Uses Wrong Data Source for "removed" Differential Results #48427

[elasticmachine]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

[github-actions]

🤖 GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @marc-gr? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[github-actions]

@Mergifyio backport 8.19 9.2 9.3

[mergify]

backport 8.19 9.2 9.3

✅ Backports have been created

Details

• #48760 [8.19](backport #48438) [osquerybeat] Fix what events are published for diff queries has been created for branch 8.19
• #48761 [9.2](backport #48438) [osquerybeat] Fix what events are published for diff queries has been created for branch 9.2
• #48762 [9.3](backport #48438) [osquerybeat] Fix what events are published for diff queries has been created for branch 9.3