From 1f57c642dfd43b98c33bc21e4452af216227dcb7 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 20 Oct 2020 16:12:55 -0400 Subject: [PATCH 1/5] Add event.category registry --- docs/field-details.asciidoc | 2 +- docs/field-values.asciidoc | 13 +++++++++++++ generated/ecs/ecs_flat.yml | 7 +++++++ generated/ecs/ecs_nested.yml | 8 ++++++++ schemas/event.yml | 8 ++++++++ 5 files changed, 37 insertions(+), 1 deletion(-) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index f961b6fa89..cbeb6427b3 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1597,7 +1597,7 @@ Note: this field should contain an array of values. *Important*: The field value must be one of the following: -authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, web +authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, registry, web To learn more about when to use which value, visit the page <> diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 1ef4b8e072..219f8ee57a 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -144,6 +144,7 @@ that will require subsequent breaking changes. * <> * <> * <> +* <> * <> [float] @@ -298,6 +299,18 @@ Use this category of events to visualize and analyze process-specific informatio access, change, end, info, start +[float] +[[ecs-event-category-registry]] +==== registry + +Use this category of event for events related to the Windows registry. + + +*Expected event types for category registry:* + +access, change, creation, deletion + + [float] [[ecs-event-category-web]] ==== web diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 81a1ee4950..2a6d1763e2 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1814,6 +1814,13 @@ event.category: - info - start name: process + - description: Use this category of event for events related to the Windows registry. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 1ca8779d5e..ffc0bdefd1 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2209,6 +2209,14 @@ event: - info - start name: process + - description: Use this category of event for events related to the Windows + registry. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also diff --git a/schemas/event.yml b/schemas/event.yml index 6778790784..a62338f458 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -277,6 +277,14 @@ - end - info - start + - name: registry + description: > + Use this category of event for events related to the Windows registry. + expected_event_types: + - access + - change + - creation + - deletion - name: web description: > Relating to web server access. Use this category to create a dashboard of From b9b7efc3219fce37ecde4efccd3c470cf7028f27 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 20 Oct 2020 16:24:19 -0400 Subject: [PATCH 2/5] Experimental artifacts --- experimental/generated/ecs/ecs_flat.yml | 7 +++++++ experimental/generated/ecs/ecs_nested.yml | 8 ++++++++ 2 files changed, 15 insertions(+) 
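Review bot: The new `expected_event_types` list for `registry` in the schemas/event.yml hunk has no `info` entry, although the neighbouring `process` category shown in the context lines carries `- end`, `- info`, `- start`, so an event that only reports the current state of a registry key or value (an inventory or snapshot rather than an action) would have no expected type to pair with this category. If that omission is deliberate, a one-line comment on the list such as `# info intentionally omitted: registry events always describe an action` would save the next reader the question; otherwise add `- info` after `- deletion`. The `allowed_values` sequence this entry joins starts before the hunk, and the generated/ and docs/ copies in this patch appear to be build output of this file, so the change belongs here only.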
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 13a7c32325..cc8c6da6e2 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1774,6 +1774,13 @@ event.category: - info - start name: process + - description: Use this category of event for events related to the Windows registry. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index bfb2df366d..ba20feee90 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -2168,6 +2168,14 @@ event: - info - start name: process + - description: Use this category of event for events related to the Windows + registry. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also From 5e085bde849f267e0a6dcd0e5e777dd331987bf6 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 20 Oct 2020 16:45:13 -0400 Subject: [PATCH 3/5] Changelog --- CHANGELOG.next.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 4c63b041eb..8c74ee5bc7 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,6 +16,8 @@ Thanks, you're awesome :-) --> #### Added +* Added `event.category` allowed value "registry". #1040 + #### Improvements #### Deprecated From 68d4054606e5773cd04773cce6a808c37fec22e3 Mon Sep 17 00:00:00 2001 
From: Mathieu Martin Date: Mon, 26 Oct 2020 10:51:20 -0400 Subject: [PATCH 4/5] Adjust registry description to be closer to our initial definition for it. --- docs/field-values.asciidoc | 2 +- generated/ecs/ecs_flat.yml | 4 +++- generated/ecs/ecs_nested.yml | 5 +++-- schemas/event.yml | 3 ++- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 219f8ee57a..fbf3c68a3b 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -303,7 +303,7 @@ access, change, end, info, start [[ecs-event-category-registry]] ==== registry -Use this category of event for events related to the Windows registry. +Having to do with settings and assets stored in the Windows registry. Use this category to visualize and analyze activity such as registry access and modifications. *Expected event types for category registry:* diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2a6d1763e2..578a656287 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1814,7 +1814,9 @@ event.category: - info - start name: process - - description: Use this category of event for events related to the Windows registry. + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. expected_event_types: - access - change diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ffc0bdefd1..5f4fad3b8d 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -2209,8 +2209,9 @@ event: - info - start name: process - - description: Use this category of event for events related to the Windows - registry. + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. expected_event_types: - access - change diff --git a/schemas/event.yml b/schemas/event.yml index a62338f458..26d68f1ec9 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -279,7 +279,8 @@ - start - name: registry description: > - Use this category of event for events related to the Windows registry. + Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access and modifications. expected_event_types: - access - change From 77a7d04791681c95abae0c48622169ec83664ee9 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 27 Oct 2020 09:12:03 -0400 Subject: [PATCH 5/5] Was missing a build of experimental artifacts --- experimental/generated/ecs/ecs_flat.yml | 4 +++- experimental/generated/ecs/ecs_nested.yml | 5 +++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index cc8c6da6e2..e8983f44d0 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1774,7 +1774,9 @@ event.category: - info - start name: process - - description: Use this category of event for events related to the Windows registry. + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. expected_event_types: - access - change diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index ba20feee90..98980a9389 100644 --- a/experimental/generated/ecs/ecs_nested.yml 
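Review bot: The reworded description in the schemas/event.yml hunk names only "registry access and modifications", while the unchanged `expected_event_types` list directly below it also carries `creation` and `deletion`, so the prose and the list no longer describe the same set of activity. Because this description is what the generated docs print as the user-facing definition of the category, naming all four would keep them aligned, e.g. `Use this category to visualize and analyze activity such as registry access, creation, modification and deletion.` The second folded line also runs to roughly 100 columns once the key's indentation is counted (indentation is not recoverable from this collapsed view); wrapping it as a third line of the `>` scalar costs nothing at runtime. The `registry` entry itself starts before this hunk.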
+++ b/experimental/generated/ecs/ecs_nested.yml @@ -2168,8 +2168,9 @@ event: - info - start name: process - - description: Use this category of event for events related to the Windows - registry. + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. expected_event_types: - access - change