@inzlain inzlain commented May 1, 2019

What is this PR for?
A starting point for ingesting Windows Defender Operational event logs.

Currently has support for the main detection and configuration change events:

  • Event ID 1116: MALWAREPROTECTION_STATE_MALWARE_DETECTED
  • Event ID 1117: MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN
  • Event ID 5000: MALWAREPROTECTION_RTP_ENABLED
  • Event ID 5001: MALWAREPROTECTION_RTP_DISABLED
  • Event ID 5004: MALWAREPROTECTION_RTP_FEATURE_CONFIGURED
  • Event ID 5007: MALWAREPROTECTION_CONFIG_CHANGED

What type of PR is it?
Feature Request

How should this be tested?
Set up HELK and configure a Windows endpoint with the modified Winlogbeat configuration. Perform the following actions in Defender and confirm event logs are generated and forwarded to HELK:

  • Trigger a malware detection and response action by running a known bad command (events 1116/1117). For example:
    wmic os get /format:http://127.0.0.1
  • Disable and then enable Real Time Protection (events 5000/5001).

Questions:

  • Do the license files need an update? No
  • Are there breaking changes for older versions? No
  • Does this need documentation? No

Other Notes:

  • The location of the filter and output in the pipeline is a guess based on similar ingestion of WMI and PowerShell logs.
  • OSSEM CIM compliant field names have been used where possible as it's assumed HELK will transition to these in the future (e.g. registry_key_value_data instead of registry_key_value as currently used elsewhere in HELK).
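As an added illustration of what a downstream consumer of these six event IDs might do (this is not code from the PR or from HELK), the following Python normalises constructed Winlogbeat-style records into OSSEM-style field names and keeps the ones worth alerting on; the event_data key names, the severity ranking and the sample values are assumptions.

```python
import json
# The six Windows Defender Operational event IDs the PR ingests, with an
# assumed triage severity (the PR itself assigns none).
DEFENDER_EVENTS = {
    1116: ("MALWAREPROTECTION_STATE_MALWARE_DETECTED", "high"),
    1117: ("MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN", "high"),
    5000: ("MALWAREPROTECTION_RTP_ENABLED", "info"),
    5001: ("MALWAREPROTECTION_RTP_DISABLED", "high"),
    5004: ("MALWAREPROTECTION_RTP_FEATURE_CONFIGURED", "medium"),
    5007: ("MALWAREPROTECTION_CONFIG_CHANGED", "medium"),
}

# Assumed event_data keys -> OSSEM-style field names (illustrative; the exact
# keys Winlogbeat emits for each event should be checked on a real endpoint).
FIELD_MAP = {
    "Threat Name": "threat_name",
    "Process Name": "process_path",
    "Detection User": "user_name",
    "Old value": "registry_key_value_data_old",
    "New value": "registry_key_value_data",
}

def normalise(raw):
    """Flatten one Winlogbeat-style JSON record into OSSEM-named fields."""
    evt = json.loads(raw)
    eid = int(evt.get("event_id", 0))
    name, severity = DEFENDER_EVENTS.get(eid, ("UNSUPPORTED", "info"))
    out = {"event_id": eid, "event_name": name, "severity": severity,
           "host_name": evt.get("computer_name")}
    for src, dst in FIELD_MAP.items():
        if src in evt.get("event_data", {}):
            out[dst] = evt["event_data"][src]
    return out

def triage(lines):
    """Keep detections/actions and anything that weakens real-time protection;
    drop informational events (RTP re-enabled) and IDs the pipeline ignores."""
    return [e for e in map(normalise, lines) if e["severity"] != "info"]

# Constructed sample records (not real telemetry) in Winlogbeat's JSON shape.
SAMPLE = [
    json.dumps({"event_id": 1116, "computer_name": "WS01", "event_data": {
        "Threat Name": "Test:Constructed/Sample", "Detection User": "LAB\\alice",
        "Process Name": "C:\\Windows\\System32\\wbem\\WMIC.exe"}}),
    json.dumps({"event_id": 5001, "computer_name": "WS01", "event_data": {}}),
    json.dumps({"event_id": 5007, "computer_name": "WS01", "event_data": {
        "Old value": "DisableRealtimeMonitoring = 0x0",
        "New value": "DisableRealtimeMonitoring = 0x1"}}),
    json.dumps({"event_id": 5000, "computer_name": "WS01", "event_data": {}}),
    json.dumps({"event_id": 1150, "computer_name": "WS01", "event_data": {}}),
]
```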

@neu5ron neu5ron added this to the 7.x milestone Nov 9, 2019