x-pack/winlogbeat/module/sysmon: add eventid 26 handler

[efd6]

What does this PR do?

This change adds support for sysmon event ID 26; FileDeleteDetected.

Why is it important?

See linked issue #26280.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes [Winlogbeat] Update Sysmon module for Schema 4.70 that includes Event ID 26 #26280.

Use cases

See linked issue.

Screenshots

Test event 1:

Test event 2:

Logs

See screenshot above.

[mergify]

This pull request does not have a backport label. Could you fix it @efd6? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-01-24T06:15:49.178+0000

• Duration: 58 min 47 sec

• Commit: 345e3b8

Test stats 🧪

Test	Results
Failed	0
Passed	27
Skipped	0
Total	27

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)