Add registry category to events

elastic · Feb 3, 2021 · f468000 · f468000
1 parent dfaf531
commit f468000
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 9 deletions.
diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -179,7 +179,7 @@ var security = (function () {
         "4634": [["authentication"], ["end"], "logged-out"],
         "4647": [["authentication"], ["end"], "logged-out"],
         "4648": [["authentication"], ["start"], "logged-in-explicit"],
-        "4657": [["configuration"], ["change"], "registry-value-modified"],
+        "4657": [["registry", "configuration"], ["change"], "registry-value-modified"],
         "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"],
         "4672": [["iam"], ["admin"], "logged-in-special"],
         "4673": [["iam"], ["admin"], "privileged-service-called"],

diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -1195,7 +1195,7 @@ var sysmon = (function () {
         .Add(parseUtcTime)
         .AddFields({
             fields: {
-                category: ["configuration"],
+                category: ["configuration", "registry"],
                 type: ["change"],
             },
             target: "event",
@@ -1234,7 +1234,7 @@ var sysmon = (function () {
         .Add(parseUtcTime)
         .AddFields({
             fields: {
-                category: ["configuration"],
+                category: ["configuration", "registry"],
                 type: ["change"],
             },
             target: "event",
@@ -1273,7 +1273,7 @@ var sysmon = (function () {
         .Add(parseUtcTime)
         .AddFields({
             fields: {
-                category: ["configuration"],
+                category: ["configuration", "registry"],
                 type: ["change"],
             },
             target: "event",

diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json
@@ -3,7 +3,8 @@
     "@timestamp": "2020-05-05T14:57:40.589Z",
     "event": {
       "category": [
-        "configuration"
+        "configuration",
+        "registry"
       ],
       "code": 13,
       "kind": "event",
@@ -67,7 +68,8 @@
     "@timestamp": "2020-05-05T14:57:44.714Z",
     "event": {
       "category": [
-        "configuration"
+        "configuration",
+        "registry"
       ],
       "code": 13,
       "kind": "event",
@@ -125,7 +127,8 @@
     "@timestamp": "2020-05-05T14:57:44.714Z",
     "event": {
       "category": [
-        "configuration"
+        "configuration",
+        "registry"
       ],
       "code": 13,
       "kind": "event",
@@ -189,7 +192,8 @@
     "@timestamp": "2020-05-05T14:57:46.808Z",
     "event": {
       "category": [
-        "configuration"
+        "configuration",
+        "registry"
       ],
       "code": 13,
       "kind": "event",
@@ -247,7 +251,8 @@
     "@timestamp": "2020-05-05T14:57:46.808Z",
     "event": {
       "category": [
-        "configuration"
+        "configuration",
+        "registry"
       ],
       "code": 13,
       "kind": "event",