diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index 994cb0300d6..4a3984d94b2 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -179,7 +179,7 @@ var security = (function () {
         "4634": [["authentication"], ["end"], "logged-out"],
         "4647": [["authentication"], ["end"], "logged-out"],
         "4648": [["authentication"], ["start"], "logged-in-explicit"],
-        "4657": [["configuration"], ["change"], "registry-value-modified"],
+        "4657": [["registry", "configuration"], ["change"], "registry-value-modified"],
         "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"],
         "4672": [["iam"], ["admin"], "logged-in-special"],
         "4673": [["iam"], ["admin"], "privileged-service-called"],
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
index b7ddf42429c..372912027a5 100644
--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -1195,7 +1195,7 @@ var sysmon = (function () {
         .Add(parseUtcTime)
         .AddFields({
             fields: {
-                category: ["configuration"],
+                category: ["configuration", "registry"],
                 type: ["change"],
             },
             target: "event",
@@ -1234,7 +1234,7 @@ var sysmon = (function () {
         .Add(parseUtcTime)
         .AddFields({
             fields: {
-                category: ["configuration"],
+                category: ["configuration", "registry"],
                 type: ["change"],
             },
             target: "event",
@@ -1273,7 +1273,7 @@ var sysmon = (function () {
         .Add(parseUtcTime)
         .AddFields({
             fields: {
-                category: ["configuration"],
+                category: ["configuration", "registry"],
                 type: ["change"],
             },
             target: "event",
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json
index 5dcbcaab942..5da24c16db5 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json
@@ -3,7 +3,8 @@
     "@timestamp": "2020-05-05T14:57:40.589Z",
     "event": {
       "category": [
-        "configuration"
+        "configuration",
+        "registry"
       ],
       "code": 13,
       "kind": "event",
@@ -67,7 +68,8 @@
     "@timestamp": "2020-05-05T14:57:44.714Z",
     "event": {
       "category": [
-        "configuration"
+        "configuration",
+        "registry"
       ],
       "code": 13,
       "kind": "event",
@@ -125,7 +127,8 @@
     "@timestamp": "2020-05-05T14:57:44.714Z",
     "event": {
       "category": [
-        "configuration"
+        "configuration",
+        "registry"
       ],
       "code": 13,
       "kind": "event",
@@ -189,7 +192,8 @@
     "@timestamp": "2020-05-05T14:57:46.808Z",
     "event": {
       "category": [
-        "configuration"
+        "configuration",
+        "registry"
       ],
       "code": 13,
       "kind": "event",
@@ -247,7 +251,8 @@
     "@timestamp": "2020-05-05T14:57:46.808Z",
     "event": {
       "category": [
-        "configuration"
+        "configuration",
+        "registry"
       ],
       "code": 13,
       "kind": "event",