Releases: jymcheong/OpenEDR

Lineage extract with EventId 4688 + auto Intezer analysis

01 Sep 07:44

Host Agents

  • Checks every FileCreate event for a PE header
  • Captures untrusted PE files and submits them to the backend
  • Captures EventID 4688 and 4689

Backend

  • Submits captured files to Intezer for analysis
  • Extracts process lineage from 4688 events to address Sysmon limitations
  • Removed the incrontab scripting from the SFTP container; insertEvent.js now moves the files instead
  • Removed the custom OrientDB container image; OrientDB is now deployed from a tar.gz to support multiple CPU architectures
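As an added example (not OpenEDR's own code), this is one way to rebuild process lineage from Security log 4688 (process create) and 4689 (process exit) records: a live-process table keyed by PID, closed on 4689 so that a reused PID is not linked to the wrong creator. The records are constructed for this example and use the standard Security-log field names with Windows' hex PIDs.

```javascript
// Added example, not OpenEDR code. Constructed 4688/4689 records
// (hex PIDs as Windows logs them). Note PID 0x5f4 is reused after exit.
const SAMPLE_EVENTS = [
  { id: 4688, time: 1, NewProcessId: "0x1a0", NewProcessName: "explorer.exe",
    ProcessId: "0x2c0", ParentProcessName: "userinit.exe", CommandLine: "explorer.exe" },
  { id: 4688, time: 2, NewProcessId: "0x5f4", NewProcessName: "notepad.exe",
    ProcessId: "0x1a0", ParentProcessName: "explorer.exe", CommandLine: "notepad.exe" },
  { id: 4689, time: 3, ProcessId: "0x5f4", ProcessName: "notepad.exe" },
  { id: 4688, time: 4, NewProcessId: "0x5f4", NewProcessName: "cmd.exe",
    ProcessId: "0x1a0", ParentProcessName: "explorer.exe", CommandLine: "cmd.exe" },
  { id: 4688, time: 5, NewProcessId: "0x7b8", NewProcessName: "powershell.exe",
    ProcessId: "0x5f4", ParentProcessName: "cmd.exe", CommandLine: "powershell.exe" },
];

const pid = (hex) => parseInt(hex, 16);

// Replay events in time order. `live` maps a PID to the node that currently
// owns it; a 4689 removes the entry so a later reuse of that PID starts fresh.
function buildLineage(events) {
  const live = new Map();
  const nodes = [];            // every process seen, in creation order
  for (const e of [...events].sort((a, b) => a.time - b.time)) {
    if (e.id === 4688) {
      const node = {
        pid: pid(e.NewProcessId),
        name: e.NewProcessName,
        cmd: e.CommandLine,
        parent: live.get(pid(e.ProcessId)) || null, // creator, if still tracked
        parentName: e.ParentProcessName,             // logged name as fallback
      };
      live.set(node.pid, node);
      nodes.push(node);
    } else if (e.id === 4689) {
      live.delete(pid(e.ProcessId));
    }
  }
  return nodes;
}

// Walk creator links upward and return process names root-first.
function lineageOf(node) {
  const chain = [];
  for (let n = node; n; n = n.parent) chain.unshift(n.name);
  return chain;
}

// Lineage of the most recent process that held the given PID.
function lineageOfLatest(nodes, hexPid) {
  const n = [...nodes].reverse().find((x) => x.pid === pid(hexPid));
  return n ? lineageOf(n) : [];
}
```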

Integrated Sysmon Process Tampering

30 Apr 01:12