[New Rule] Scheduled Task Creation using winlog (#2277)

* [New Rule] Scheduled Task Creation using winlog

https://github.com/elastic/detection-rules/issues/2164 (T1053.005 - Scheduled Task)

- A scheduled task was created
- A scheduled task was updated
- Temp scheduled task (creation followed by deletion, rare and can be sign of proxy execution via schedule service)

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* toml-lint

* remote task

* Update non-ecs-schema.json

* waaaaaaaaaaaaaa

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update lateral_movement_remote_task_creation_winlog.toml

* event.ingested

* Update lateral_movement_remote_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update rules/windows/lateral_movement_remote_task_creation_winlog.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 4609a5e8fe)

detection_rules/etc/non-ecs-schema.json

@@ -33,16 +33,17 @@
         "ShareName": "keyword",
         "SubjectLogonId": "keyword",
         "SubjectUserName": "keyword", 
-	"TargetUserName": "keyword",
+        "TargetUserName": "keyword",
         "TargetImage": "keyword",
         "TargetLogonId": "keyword",
         "TargetProcessGUID": "keyword",
         "TargetSid": "keyword", 
-	"PrivilegeList": "keyword", 
-	"AuthenticationPackageName" : "keyword", 
-	"TargetUserSid" : "keyword", 
-	"DnsHostName" : "keyword",
-	"winlog.event_data.Status": "keyword"
+        "PrivilegeList": "keyword", 
+        "AuthenticationPackageName" : "keyword", 
+        "TargetUserSid" : "keyword", 
+        "DnsHostName" : "keyword", 
+        "TaskName": "keyword", 
+        "Status": "keyword"
       }
     },
     "winlog.logon.type": "keyword",