Add DNS Event Support

[cthulhusec]

Add DNS events to the Security Events schema and the mapping for Sysmon conversion.

Field mappings

query_name = "QueryName"
query_results = "QueryResults"
query_status = "QueryStatus"

I think the rest should be generic fields already mapped.

[rw-access]

For reference to this thread, here's an example event from OSSEM
https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-22.md

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
    <EventID>22</EventID> 
    <Version>5</Version> 
    <Level>4</Level> 
    <Task>22</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x8000000000000000</Keywords> 
    <TimeCreated SystemTime="2019-06-12T00:57:56.373798200Z" /> 
    <EventRecordID>6612437</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="2312" ThreadID="3252" /> 
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
    <Computer>DESKTOP-WARDOG.RIVENDELL.local</Computer> 
    <Security UserID="S-1-5-18" /> 
  </System>
  <EventData>
    <Data Name="RuleName" /> 
    <Data Name="UtcTime">2019-06-12 00:57:55.254</Data> 
    <Data Name="ProcessGuid">{A98268C1-4DDF-5D00-0000-00102D794100}</Data> 
    <Data Name="ProcessId">416</Data> 
    <Data Name="QueryName">chrome.google.com</Data> 
    <Data Name="QueryStatus">0</Data> 
    <Data Name="QueryResults">type: 5 www3.l.google.com;172.217.7.206;</Data> 
    <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data> 
  </EventData>
</Event>

I think normalizing the QueryResults will be a little tricky, because we'll probably want something a little more structured. Maybe an array of just the IPs for now?

[cthulhusec]

@rw-access What are your thoughts on a more structured format? I'm not sure what all we could use here. How is it currently being done in Endgame?