Where do you see this error at? What action were you doing when it happens?
The fields under winlog.event_data.* will all have a mapping type of keyword if the index template from Winlogbeat was installed properly. These winlog.event_data.* are not all known a priori since any event can establish its own parameter names. But the data will always be mapped to a keyword.
If it's an issue with a Kibana index pattern not knowing about a particular winlog.event_data field then you can refresh the Kibana index pattern to pick up any new fields from the index mappings.