Porting refactor of ScanXML

[skalupa]

Describe the change Originally developed internally by @phutelmyer, this PR ports in a refactor of ScanXML as well as additional functionality for IOCs, and new tests. From the documentation:

• ScanXml was refactored to include better error handling, typing, docstrings, and functionality.
• Users are able to set extract_tag keys, such as Data, which will look for tags with that name, and then submit that - content back into Strelka for analysis.
• The XML content is now scanned for IOCs/ IOCs are extracted into the self.event.iocs field.
• New tests were created to test new extraction functionality.

Describe testing procedures Porting of the Scanner was tested locally with a local version of Strelka UI and a test xml file.

Sample output

{
  "elapsed": 0.004173,
  "flags": [],
  "tags": [
    "embeddedfile",
    "encryptionmethod",
    "encrypteddata",
    "cipherdata",
    "ciphervalue",
    "reference",
    "canonicalizationmethod",
    "digestmethod",
    "relationships",
    "script",
    "signedinfo",
    "digestvalue",
    "signaturemethod",
    "relationship",
    "data"
  ],
  "tag_data": [
    {
      "tag": "Type",
      "content": "{'Id': 'rId1', 'Type': 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/image', 'Target': '../media/image1.png'}"
    },
    {
      "tag": "Type",
      "content": "{'Id': 'rId3', 'Type': 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/image', 'Target': '../media/image2.png'}"
    },
    {
      "tag": "Type",
      "content": "{'Id': 'rId2', 'Type': 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink', 'Target': 'file:///\\\\\\\\\\\\\\\\127.0.0.1\\\\\\\\share\\\\\\\\EXCEL_OPEN_DOCUMENT.vbs', 'TargetMode': 'External'}"
    },
    {
      "tag": "Type",
      "content": "{'Id': 'file1', 'Type': 'image/png'}"
    },
    {
      "tag": "Type",
      "content": "{'Id': 'encData1', 'Type': 'http://www.w3.org/2001/04/xmlenc#Element'}"
    },
    {
      "tag": "Type",
      "content": "{'Id': 'rId4', 'Type': 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink', 'Target': 'https://www.example.com', 'TargetMode': 'External'}"
    },
    {
      "tag": "Type",
      "content": "{'Id': 'rId5', 'Type': 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink', 'Target': 'mailto:user@example.com', 'TargetMode': 'External'}"
    },
    {
      "tag": "Type",
      "content": "{'Id': 'rId6', 'Type': 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink', 'Target': 'ftp://ftp.example.com/resource', 'TargetMode': 'External'}"
    }
  ],
  "namespaces": [
    "http://schemas.openxmlformats.org/package/2006/relationships"
  ],
  "total": {
    "tags": 15,
    "extracted": 2
  },
  "doc_type": "<!DOCTYPE Relationships SYSTEM \"relationships.dtd\">",
  "version": "1.0",
  "emitted_content": [
    "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==",
    "function showAlert() {\n            alert('This is an embedded script within XML!');\n        }"
  ],
  "iocs": [
    {
      "ioc": "schemas.openxmlformats.org",
      "ioc_type": "domain",
      "scanner": "ScanXml"
    },
    {
      "ioc": "127.0.0.1",
      "ioc_type": "ip",
      "scanner": "ScanXml"
    },
    {
      "ioc": "ftp.example.com",
      "ioc_type": "domain",
      "scanner": "ScanXml"
    },
    {
      "ioc": "www.w3.org",
      "ioc_type": "domain",
      "scanner": "ScanXml"
    }
  ]
}

Checklist

• [X] My code follows the style guidelines of this project
• [X] I have performed a self-review of and tested my code
• [X] I have commented my code, particularly in hard-to-understand areas
• [X] I have made corresponding changes to the documentation
• [X] My changes generate no new warnings

[phutelmyer]

Looks good. Thanks for porting @skalupa !