[System] Add pipeline for AD FS Auditing to security data stream. #13765

Open · wants to merge 11 commits into main

Conversation

jvalente-salemstate (Contributor)

Proposed commit message

This PR adds support for AD FS Auditing (event.provider: "AD FS Auditing") to system.security. These events have an event.code of 1200-1207. Most of the information in the event logs is found in an XML object stored in winlog.event_data.param2.

Rather than trying to parse the XML, I am using the grok processor to extract most of this information.

Rather than using the script in standard.yml, I chose to place an additional painless script processor for ECS categorization within the ADFS pipeline because it seems that these codes may not be exclusive to ADFS. This avoids setting values when not appropriate.

  • All four ECS categorization fields have been set as completely as possible
  • Additionally, event.action and event.reason are set wherever possible.
  • I've tested with roughly 4900 exported events from our production environment with no pipeline failures. event.code: 1207 has not been tested.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

Closes #11539
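For readers who want to see the parsing and categorization idea described above in runnable form, here is an added example. It is not the pipeline from this PR and not Elastic's code: it reads the XML that AD FS writes to winlog.event_data.param2 with a real XML parser (instead of the grok approach the PR takes) and applies the same guard the PR describes, only touching events whose event.provider is "AD FS Auditing". The sample XML is constructed, and the event.code to event.action table, the ECS field placement and the treatment of codes 1204-1207 (left out) are my assumptions, not something the PR states.

```python
"""Added example, not the pipeline from this PR: parse the XML that AD FS
writes to winlog.event_data.param2 and derive ECS fields from it.

Everything marked ASSUMED is my own choice, not something the PR states.
"""
import xml.etree.ElementTree as ET

ADFS_PROVIDER = "AD FS Auditing"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# ASSUMED action names per event.code; the PR sets event.action but does not
# publish its table here, and codes 1204-1207 are deliberately left out.
ACTION_BY_CODE = {
    "1200": "token-issued",
    "1201": "token-issue-failed",
    "1202": "credential-validated",
    "1203": "credential-validation-failed",
}

# ASSUMED ECS placement for the extracted values.
FIELD_MAP = {
    "ResourceAuditComponent.UserId": "user.name",
    "ResourceAuditComponent.RelyingParty": "adfs.relying_party",
    "RequestAuditComponent.IpAddress": "source.ip",
    "RequestAuditComponent.UserAgentString": "user_agent.original",
}

# Constructed sample modelled on an AppTokenAudit record; all values fictitious.
SAMPLE_PARAM2 = """<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
  <AuditType>AppToken</AuditType>
  <AuditResult>Success</AuditResult>
  <FailureType>None</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>urn:example:app</RelyingParty>
      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
      <UserId>EXAMPLE\\jdoe</UserId>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>adfs01.example.test</Server>
      <AuthProtocol>WSFederation</AuthProtocol>
      <IpAddress>203.0.113.10</IpAddress>
      <UserAgentString>Mozilla/5.0 (constructed)</UserAgentString>
    </Component>
  </ContextComponents>
</AuditBase>"""


def _text(el):
    """Stripped element text, or None for empty text and the 'N/A' placeholder."""
    if el is None or el.text is None:
        return None
    value = el.text.strip()
    return value if value and value != "N/A" else None


def parse_param2(xml_text):
    """Flatten the audit XML into {'AuditResult': ..., 'ResourceAuditComponent.UserId': ...}.

    Using a parser rather than a regex means reordered or missing <Component>
    blocks cannot shift values into the wrong field.
    """
    root = ET.fromstring(xml_text)
    fields = {}
    for tag in ("AuditType", "AuditResult", "FailureType", "ErrorCode"):
        value = _text(root.find(tag))
        if value is not None:
            fields[tag] = value
    for comp in root.iter("Component"):
        ctype = comp.get(XSI_TYPE, "UnknownComponent")
        for child in comp:
            value = _text(child)
            if value is not None:
                fields[f"{ctype}.{child.tag}"] = value
    return fields


def enrich(event):
    """Return a copy of a flattened event with ECS categorization applied.

    Same guard as the PR describes: only "AD FS Auditing" events are touched,
    because other providers may emit the same event.code values.
    """
    ev = dict(event)
    code = str(ev.get("event.code", ""))
    if ev.get("event.provider") != ADFS_PROVIDER or code not in ACTION_BY_CODE:
        return ev
    fields = parse_param2(ev.get("winlog.event_data.param2", "<AuditBase/>"))
    for src, dst in FIELD_MAP.items():
        if src in fields:
            ev[dst] = fields[src]
    ev["event.kind"] = "event"
    ev["event.category"] = ["authentication"]
    ev["event.type"] = ["start"] if code in ("1202", "1203") else ["info"]
    ev["event.action"] = ACTION_BY_CODE[code]
    result = fields.get("AuditResult")
    if result in ("Success", "Failure"):
        ev["event.outcome"] = result.lower()  # prefer what AD FS itself recorded
    else:
        ev["event.outcome"] = "failure" if code in ("1201", "1203") else "success"
    failure_type = fields.get("FailureType")
    if failure_type and failure_type != "None":
        ev["event.reason"] = failure_type
    return ev
```

The outcome is taken from the AuditResult element when present and only falls back to the event code otherwise, and event.reason is set from FailureType only when AD FS reports something other than "None", which keeps the fields unset where the source gives no information, as the PR aims to do.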

@jvalente-salemstate jvalente-salemstate requested review from a team as code owners May 2, 2025 15:36
@andrewkroh andrewkroh added Integration:system System Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] labels May 2, 2025
@elasticmachine

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

Development

Successfully merging this pull request may close these issues.

Support processing of AD FS logs with the system integration