Cobalt Strike 4.2 support

[MarcOverIP]

This fixes issue #105:

• CobaltStrike 4.2 screenshot info is now parsed the new screenshots.log, backward compatibility for pre 4.2 is kept
• CobaltStrike 4.2 keylogger info is now parsed with all the new information available, backward compatibility for pre 4.2 is kept
• Event log join and leave messages are now parsed, including c2.operator and c2.operator_ip

Also overall cleanup of filter rules:

• Timestamp and c2.message is now parsed and set once at the beginning
• Comments provide more structure
• Several smaller things

[fastlorenzo]

@MarcOverIP it looks like you introduced some new fields ([screenshot][file_name], [screenshot][desktop_session], [screenshot][title]) but did not update the index template and index pattern.

[fastlorenzo]

Same for [c2][operator], [c2][operator_ip], [keystrokes][user], [keystrokes][desktop_session]

[fastlorenzo]

additionally, shouldn't we put keystrokes.user under user.name instead?

[MarcOverIP]

I was going for a single update of fields in one go (we are missing several others as well besides these new ones).

I thought about user.name but decided keystrokes.user is more adhering to the truth as it is possible that an implant running as $userA intercepts keystrokes from a process of $userB. Also, user.name is automatically populated by enrichment scripts anyway.

[fastlorenzo]

I was going for a single update of fields in one go (we are missing several others as well besides these new ones).

I thought about user.name but decided keystrokes.user is more adhering to the truth as it is possible that an implant running as $userA intercepts keystrokes from a process of $userB. Also, user.name is automatically populated by enrichment scripts anyway.

makes sense indeed then