[windows.sysmon] Handle events without winlog.event_data

[andrewkroh]

From community slack:

FYI, my team found a bug with https://github.com/elastic/beats/blob/v8.13.2/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml#L12 and https://github.com/elastic/integrations/blob/main/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml#L12. The processor fails if winlog.event_data field doesn't exist. We added "if": "ctx.winlog?.even_data != null", to the processor.

The reporter thinks it was event ID 22 from Sysmon causing the problem.

[elasticmachine]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

[botelastic]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!