What fields are there in winlog.event_data.*?
The data you want might already be in there. For most Windows events that's where you'll find the raw data that contributes to the message. But for third-party events you sometimes just get a single string. When that happens you have to parse the message with tools like dissect or grok processors.
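The following Python example is added here and is not part of the original reply or of Elastic's code: it prefers named `winlog.event_data` fields and falls back to parsing `message`, with a dissect-style matcher written here standing in for the ingest processor. The sample events, the pattern and the function names are constructed, and it assumes unnamed event data arrives as `param1`, `param2`, and so on.

```python
import re

# Constructed sample events (not taken from a real log).
THIRD_PARTY = {
    "message": "User alice logged in from 10.0.0.5 via vpn",
    "winlog": {"event_data": {"param1": "User alice logged in from 10.0.0.5 via vpn"}},
}
STRUCTURED = {
    "message": "An account was successfully logged on.",
    "winlog": {"event_data": {"TargetUserName": "alice", "IpAddress": "10.0.0.5"}},
}
PATTERN = "User %{user} logged in from %{ip} via %{method}"  # hypothetical pattern


def dissect(pattern, text):
    """Dissect-style match: literal delimiters between %{key} tokens.

    Keys must be separated by literal text; %{} skips a value.
    Returns a dict of extracted fields, or None when the text does not fit.
    """
    parts = re.split(r"%\{([^}]*)\}", pattern)  # literal, key, literal, key, ...
    literals, keys = parts[0::2], parts[1::2]
    if not text.startswith(literals[0]):
        return None
    pos, out = len(literals[0]), {}
    for key, delim in zip(keys, literals[1:]):
        # An empty delimiter means the key is last and takes the rest.
        end = len(text) if delim == "" else text.find(delim, pos)
        if end == -1:
            return None
        if key:
            out[key] = text[pos:end]
        pos = end + len(delim)
    return out if pos == len(text) else None


def extract_fields(event, pattern):
    """Use named event_data fields if present, else parse the message."""
    data = event.get("winlog", {}).get("event_data", {})
    # Assumption: positional names (param1, param2, ...) carry no structure.
    named = {k: v for k, v in data.items() if not re.fullmatch(r"param\d+", k)}
    if named:
        return named, "event_data"
    parsed = dissect(pattern, event.get("message", ""))
    return (parsed, "dissect") if parsed is not None else ({}, "unparsed")


if __name__ == "__main__":
    for ev in (STRUCTURED, THIRD_PARTY):
        print(extract_fields(ev, PATTERN))
```

The third return case, `unparsed`, is worth counting in a real pipeline: a message that stops matching the pattern usually means the third-party application changed its log format.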