I1104: Full support for Reg.Value.Data and Reg.EventType.

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pySigma-backend-uberAgent"
-version = "0.3.61"
+version = "0.3.62"
 description = "pySigma uAQL backend"
 authors = ["vast limits GmbH <info@vastlimits.com>"]
 license = "MIT"

sigma/pipelines/uberagent/uberagent.py

@@ -6,7 +6,7 @@
     logsource_windows_registry_delete, logsource_windows_registry_event, logsource_windows_driver_load, \
     logsource_windows_file_rename, logsource_windows_file_delete, logsource_windows_file_change, \
     logsource_windows_file_event, logsource_windows_file_access
-from sigma.processing.conditions import LogsourceCondition, RuleProcessingItemAppliedCondition
+from sigma.processing.conditions import LogsourceCondition, RuleProcessingItemAppliedCondition, RuleContainsDetectionItemCondition
 from sigma.processing.pipeline import ProcessingPipeline, ProcessingItem
 from sigma.processing.transformations import RuleFailureTransformation, SetStateTransformation
 
@@ -162,7 +162,8 @@
     # ""                    : Field(UA_VERSION_6_0, "Reg.Key.Sddl"),
     # ""                    : Field(UA_VERSION_6_0, "Reg.Key.Hive"),
     "targetobject"          : Field(UA_VERSION_6_2, "Reg.Key.Target"),
-    # "details"             : Field(              , "Reg.Value.Data")
+    "details"               : Field(UA_VERSION_DEVELOP, "Reg.Value.Data"),
+    "eventtype"             : Field(UA_VERSION_DEVELOP, "Reg.EventType")
     # ""                    : Field(UA_VERSION_7_1, "Reg.Value.Type")
 }
 
@@ -406,6 +407,25 @@ def ua_create_mapping(uaVersion: Version, category: Logsource) -> List[Processin
         )
     ]
 
+    # All the event types here are supported.
+    # Any other event type raises an error.
+    items.append(
+        ProcessingItem(
+            identifier=f"ua_registry_unsupported",
+            transformation=FieldDetectionItemFailureTransformation("Cannot transform registry field <{0}>."),
+            rule_conditions=[
+                RuleContainsDetectionItemCondition(field="EventType", value="CreateKey"),
+                RuleContainsDetectionItemCondition(field="EventType", value="DeleteKey"),
+                RuleContainsDetectionItemCondition(field="EventType", value="RenameKey"),
+                RuleContainsDetectionItemCondition(field="EventType", value="DeleteValue"),
+                RuleContainsDetectionItemCondition(field="EventType", value="SetValue")
+            ],
+            rule_condition_linking=any,
+            rule_condition_negation=True,
+            field_name_conditions=[IncludeFieldConditionLowercase(fields=["eventtype"])]
+        )
+    )
+
     # Create individual field transformations for each supported field.
     # Each field is handled separately to facilitate individual state transformations.
     for field in keys:

tests/test_pipelines_uberAgent.py

@@ -1,6 +1,6 @@
 import pytest
 from sigma.collection import SigmaCollection
-from sigma.exceptions import SigmaLevelError
+from sigma.exceptions import SigmaLevelError, SigmaTransformationError
 
 from sigma.backends.uberagent import uberagent
 from sigma.backends.uberagent.exceptions import MissingPropertyException, MissingFunctionException
@@ -411,3 +411,110 @@ def test_uberagent_620_isnull():
                         Image: null
                     condition: sel
             """), "conf")
+
+
+def test_uberagent_registry_createkey():
+    assert uberagent(processing_pipeline=uberagent_develop()).convert(
+        SigmaCollection.from_yaml("""
+            title: Test
+            status: test
+            logsource:
+                product: windows
+                category: registry_set
+            detection:
+                sel:
+                    EventType: CreateKey
+                condition: sel
+        """)) == ['Reg.EventType == "CreateKey"']
+
+
+def test_uberagent_registry_deletekey():
+    assert uberagent(processing_pipeline=uberagent_develop()).convert(
+        SigmaCollection.from_yaml("""
+            title: Test
+            status: test
+            logsource:
+                product: windows
+                category: registry_set
+            detection:
+                sel:
+                    EventType: DeleteKey
+                condition: sel
+        """)) == ['Reg.EventType == "DeleteKey"']
+
+
+def test_uberagent_registry_renamekey():
+    assert uberagent(processing_pipeline=uberagent_develop()).convert(
+        SigmaCollection.from_yaml("""
+            title: Test
+            status: test
+            logsource:
+                product: windows
+                category: registry_set
+            detection:
+                sel:
+                    EventType: RenameKey
+                condition: sel
+        """)) == ['Reg.EventType == "RenameKey"']
+
+
+def test_uberagent_registry_deletevalue():
+    assert uberagent(processing_pipeline=uberagent_develop()).convert(
+        SigmaCollection.from_yaml("""
+            title: Test
+            status: test
+            logsource:
+                product: windows
+                category: registry_set
+            detection:
+                sel:
+                    EventType: DeleteValue
+                condition: sel
+        """)) == ['Reg.EventType == "DeleteValue"']
+
+
+def test_uberagent_registry_setvalue():
+    assert uberagent(processing_pipeline=uberagent_develop()).convert(
+        SigmaCollection.from_yaml("""
+            title: Test
+            status: test
+            logsource:
+                product: windows
+                category: registry_set
+            detection:
+                sel:
+                    EventType: SetValue
+                condition: sel
+        """)) == ['Reg.EventType == "SetValue"']
+
+
+def test_uberagent_registry_unsupported_createvalue():
+    with pytest.raises(SigmaTransformationError):
+        uberagent(processing_pipeline=uberagent_develop()).convert(
+            SigmaCollection.from_yaml("""
+                title: Test
+                status: test
+                logsource:
+                    product: windows
+                    category: registry_set
+                detection:
+                    sel:
+                        EventType: CreateValue
+                    condition: sel
+            """))
+
+
+def test_uberagent_registry_unsupported_renamevalue():
+    with pytest.raises(SigmaTransformationError):
+        uberagent(processing_pipeline=uberagent_develop()).convert(
+            SigmaCollection.from_yaml("""
+                title: Test
+                status: test
+                logsource:
+                    product: windows
+                    category: registry_set
+                detection:
+                    sel:
+                        EventType: RenameValue
+                    condition: sel
+            """))