Extract Windows event logs messages attributes

[roshanmaskey]

Windows event log contains details about the event in the message field (EventData XML attribute). Extracting the information in the EventData would enable analysts to query/filter event logs based on the attributes in EventData.

The figure below shows the high-level schema.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  </System>
  <EventData>
  </EventData>
</Event>

Plaso extracts the fields and stores the values as a list in the field strings.

"strings": [ "S-1-5-18", "WIN-MDLVGLNGOM0$", "WORKGROUP", "0x00000000000003e7", "S-1-5-18", "SYSTEM", "NT AUTHORITY", "0x00000000000003e7", "5", "Advapi ", "Negotiate", "-", "{00000000-0000-0000-0000-000000000000}", "-", "-", "0", "0x000000000000026c", "C:\\Windows\\System32\\services.exe", "-", "-", "%%1833", "-", "-", "-", "%%1843", "0x0000000000000000", "%%1842" ]

This PR maps the extracted event log strings to the respective attributes using winevt.yaml (data/winevt.yaml`)

Checks

• [x] All tests succeed.
• [x] Unit tests added.
• [x] e2e tests added.
• [ ] Documentation updated.

Closing issues

Put closes #2911 in your comment to auto-close the issue that your PR fixes (if such).

[jaegeral]

fwiw, I think once this is in, it could mean we can make a lot of those field mappings better in https://github.com/google/timesketch/blob/master/data/sigma_config.yaml

[jkppr]

Notes from offline sync:

• This PR will merge the new feature extraction plugins currently including the (old) regex extractor and the new winevt mapping extractor.
• The old feature extractor analyzer will be removed in a next separate PR.
• Documentation will be updated in a separate PR as well.