[Enhancement] Add process.args_count to process events

[w0rk3r]

For compatibility with detection rules and parity with other datasets, we should add process.args_count to process events that have command_line populated in both Windows and System integrations.

PS: Sysmon logs collected via Windows Integration already have this field. This only needs to be added to Forwarded logs.

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[elasticmachine]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

[veritasr3x]

I've tested a fix for this in the winlogbeat security ingest pipeline. Checking between that and the security_standard ingest pipeline from the Elastic Agent Integrations repository, the logic fix is the same:

def args = ctx?.process.args;
if (args != null && args != "") {
  ctx.process.args_count = ctx.process.args.length;
}

Insert the snippet above after line 3863 for the integrations package and line 3718 in winlogbeat's security ingest.

I forked the repositories. Should I go ahead and submit an MR citing it resolves this issue?