Parsing XML data in schedule tasks (a scheduled task was created)

[willemri]

Describe the enhancement:
https://www.elastic.co/guide/en/security/current/ .html

winlog.event_data.TaskContent XML data is not parsed in elasticsearch:

DOMAIN\user Deze taak zorgt ervoor dat presentatie-instellingen worden uitgeschakeld als u zich opnieuw bij de computer aanmeldt. \PresentationSettingsTurnOff_DOMAIN_USER true DOMAIN\USER PT5S IgnoreNew false false true false false PT10M PT1H true false true true true false false PT72H 7 %windir%\system32\PresentationSettings.exe /stop DOMAIN\USER InteractiveToken LeastPrivilege

This change would start with elastic agent and/or winlogbeat, was thinking about a javascript processor that would run on the client:
function process(event) {
var xml = new XML(event.GetEvent());
var task = xml.Task;

event.Put("task_version", task.@version);
event.Put("author", task.RegistrationInfo.Author);
event.Put("description", task.RegistrationInfo.Description);
event.Put("uri", task.RegistrationInfo.URI);
event.Put("logon_trigger_enabled", task.Triggers.LogonTrigger.Enabled);
event.Put("user_id", task.Triggers.LogonTrigger.UserId);
event.Put("delay", task.Triggers.LogonTrigger.Delay);
event.Put("multiple_instances_policy", task.Settings.MultipleInstancesPolicy);
event.Put("disallow_start_if_on_batteries", task.Settings.DisallowStartIfOnBatteries);
event.Put("stop_if_going_on_batteries", task.Settings.StopIfGoingOnBatteries);
event.Put("allow_hard_terminate", task.Settings.AllowHardTerminate);
event.Put("start_when_available", task.Settings.StartWhenAvailable);
event.Put("run_only_if_network_available", task.Settings.RunOnlyIfNetworkAvailable);
event.Put("idle_duration", task.Settings.IdleSettings.Duration);
event.Put("idle_wait_timeout", task.Settings.IdleSettings.WaitTimeout);
event.Put("idle_stop_on_idle_end", task.Settings.IdleSettings.StopOnIdleEnd);
event.Put("idle_restart_on_idle", task.Settings.IdleSettings.RestartOnIdle);
event.Put("allow_start_on_demand", task.Settings.AllowStartOnDemand);
event.Put("enabled", task.Settings.Enabled);
event.Put("hidden", task.Settings.Hidden);
event.Put("run_only_if_idle", task.Settings.RunOnlyIfIdle);
event.Put("wake_to_run", task.Settings.WakeToRun);
event.Put("execution_time_limit", task.Settings.ExecutionTimeLimit);
event.Put("priority", task.Settings.Priority);
event.Put("command", task.Actions.Exec.Command);
event.Put("arguments", task.Actions.Exec.Arguments);
event.Put("principal_user_id", task.Principals.Principal.UserId);
event.Put("principal_logon_type", task.Principals.Principal.LogonType);
event.Put("principal_run_level", task.Principals.Principal.RunLevel);

return event;

}

however, this would also imply changes into the winlogbeat mappings.

Describe a specific use case for the enhancement or feature:
With the xml parsed we could create better exceptions in elasticsearch. Currently only the taskname is possible. While taskname is useful, i'm more interested in what commands the schedule task runs.

[botelastic]

This issue doesn't have a Team:<team> label.