Extract Windows event logs messages attributes

[roshanmaskey]

Windows event log contains details about the event in the message field (EventData XML attribute). Extracting the information in the EventData would enable analysts to query/filter event logs based on the attributes in EventData.

The figure below shows the high-level schema.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  </System>
  <EventData>
  </EventData>
</Event>

Plaso extracts the fields and stores the values as a list in the field strings.

"strings": [ "S-1-5-18", "WIN-MDLVGLNGOM0$", "WORKGROUP", "0x00000000000003e7", "S-1-5-18", "SYSTEM", "NT AUTHORITY", "0x00000000000003e7", "5", "Advapi ", "Negotiate", "-", "{00000000-0000-0000-0000-000000000000}", "-", "-", "0", "0x000000000000026c", "C:\\Windows\\System32\\services.exe", "-", "-", "%%1833", "-", "-", "-", "%%1843", "0x0000000000000000", "%%1842" ]

This PR maps the extracted event log strings to the respective attributes using winevt.yaml (data/winevt.yaml`)

Checks

• All tests succeed.
• Unit tests added.
• e2e tests added.
• Documentation updated.

Closing issues

Put closes #2911 in your comment to auto-close the issue that your PR fixes
(if such).

[jaegeral]

fwiw, I think once this is in, it could mean we can make a lot of those field mappings better in https://github.com/google/timesketch/blob/master/data/sigma_config.yaml

[jkppr]

Thanks for your work on this feature. Looking forward to the great possibilities we will get with the mapping.

Please see the comments below. If you have questions regarding the multi analyzer approach, let me know.

[jkppr]

Second round:
This works really well already! Main comments are around wording of errors and checking required dict entries.

What are your plans for moving the existing feature_extraction.py into the plugin system?

If you are fine with it, I would like to test both changes together, so either merge it in one PR or in two dependent PRs.

[jkppr]

Notes from offline sync:

• This PR will merge the new feature extraction plugins currently including the (old) regex extractor and the new winevt mapping extractor.
• The old feature extractor analyzer will be removed in a next separate PR.
• Documentation will be updated in a separate PR as well.