From d75353aee37e11e659629c69c4611dd729912e2e Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 27 Oct 2020 13:53:10 -0400 Subject: [PATCH] Add event.category registry (#1040) --- CHANGELOG.next.md | 5 +++-- docs/field-details.asciidoc | 2 +- docs/field-values.asciidoc | 13 +++++++++++++ experimental/generated/ecs/ecs_flat.yml | 9 +++++++++ experimental/generated/ecs/ecs_nested.yml | 9 +++++++++ generated/ecs/ecs_flat.yml | 9 +++++++++ generated/ecs/ecs_nested.yml | 9 +++++++++ schemas/event.yml | 9 +++++++++ 8 files changed, 62 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index ef673a8d71..103f8099a2 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -10,14 +10,15 @@ Thanks, you're awesome :-) --> ### Schema Changes -* Added `event.category` "session". #1049 - #### Breaking changes #### Bugfixes #### Added +* Added `event.category` "registry". #1040 +* Added `event.category` "session". #1049 + #### Improvements #### Deprecated diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index a89a0bf6e1..ddcb587a24 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1597,7 +1597,7 @@ Note: this field should contain an array of values. *Important*: The field value must be one of the following: -authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, session, web +authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, web To learn more about when to use which value, visit the page <> diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 653b031cc2..6f3adc1c26 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -144,6 +144,7 @@ that will require subsequent breaking changes. * <> * <> * <> +* <> * <> * <> 
@@ -299,6 +300,18 @@ Use this category of events to visualize and analyze process-specific informatio access, change, end, info, start +[float] +[[ecs-event-category-registry]] +==== registry + +Having to do with settings and assets stored in the Windows registry. Use this category to visualize and analyze activity such as registry access and modifications. + + +*Expected event types for category registry:* + +access, change, creation, deletion + + [float] [[ecs-event-category-session]] ==== session diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 28898f42e2..b07d2ba201 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1774,6 +1774,15 @@ event.category: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f17cc20d19..ebd19083ed 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -2168,6 +2168,15 @@ event: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d085df9e87..9447fa982b 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1814,6 +1814,15 @@ event.category: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 3bb3ce663b..ca9424eaed 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -2209,6 +2209,15 @@ event: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections diff --git a/schemas/event.yml b/schemas/event.yml index b4add99818..45128fcf4a 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -277,6 +277,15 @@ - end - info - start + - name: registry + description: > + Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access and modifications. + expected_event_types: + - access + - change + - creation + - deletion - name: session description: > The session category is applied to events and metrics regarding logical persistent connections to hosts and services.
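Review bot: The description of the new `registry` category in schemas/event.yml leaves the `creation`/`change` boundary undefined, which matters for detections that key on registry persistence (Run-key style rules): one producer could emit `creation` for a new value written under an existing key while another emits `change`, and the same rule would fire for only one of them. I would extend the description with something like `Use "creation" and "deletion" for keys or values coming into or going out of existence, and "change" for writes to an existing value.` so producers converge. The expected_event_types list also omits `info`, which the preceding category (apparently `process`, given the `- end - info - start` context) includes; if producers are expected to emit registry snapshot or inventory events, consider adding it so they have a defined type. Minor style point: the description opens with a fragment (`Having to do with settings and assets…`) while the adjacent `session` entry uses a full sentence (`The session category is applied to…`), so `The registry category covers settings and assets stored in the Windows registry.` would match the file's convention.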