Upated sysmon parser script to fix issue reported on Sentinel Github

[ashwin-patil]

Hi @Cyb3rWard0g

Referencing issues raised PR by @lostInSpaceSomewhere from Azure Sentinel Github. since we are generating parser from automated script, it makes sense to update original template to get those changes in the script.

PR : Azure/Azure-Sentinel#1754

Summary of changes required in original template:

• Formatting fixes - added line breaks in each project list of fields so parser looks legible.
• Update Hashes like below in related event Ids where Hashes field is available.
  | extend Hashes = extract_all(@"(?P<key>\w+)=(?P<value>[a-zA-Z0-9]+)", dynamic(["key","value"]), tostring(EventDetail.[17].["#text"]))
• update all union section from line 515 till end. - changes are additional fields in project.

[ashwin-patil]

Need to further evaluate below 2 points :

• Final extend for Hashes = column_ifexists("Hashes", "") because ParsedHashes is used instead
• Need to evaluate if ParsedHashes fits normalization schema based on OSSEM

[Cyb3rWard0g]

Fixed already with latest PR in February