[Winlogbeat] Update Sysmon module for v12/13

[andrewkroh]

Sysmon v12 added event ID 24 which is a ClipboardChanged event. The Winlogbeat Sysmon module should be updated to handle this event ID.

When the clipboard changes the contents are archived to file and an event is generated with information about the activity. The event includes a hash that can be used to access the archived file.

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[willemdh]

@andrewkroh In the meantime Sysmon13 has been released.

This update to Sysmon adds a process image tampering event that reports when the mapped image of a process doesn’t match the on-disk image file, or the image file is locked for exclusive access. These indicators are triggered by process hollowing and process herpaderping. This release also includes several bug fixes, including fixes for minor memory leaks.

[MikePaquette]

@jamiehynds Is this on your radar?

[jamiehynds]

@MikePaquette absolutely - I've added it to our planning board.

@andrewkroh what do we need to proceed we adding support for new events added in Sysmon v12/13? I assume some sample events in XML?

[andrewkroh]

https://github.com/elastic/beats/issues/18094 can be used as a guide for this update. Basically add support for the two new event IDs and then diff the schema to look for changes to the existing IDs. For any event IDs that are new or changed, export sample events to an .evtx file to create tests for.

Then lastly, sync the changes to the package in elastic/integrations.

[botelastic[bot]]

This issue doesn't have a Team:<team> label.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[jamiehynds]

Closing this issue in favor of: https://github.com/elastic/beats/issues/24217