elastic · webmat · Oct 27, 2020 · Oct 20, 2020 · Oct 20, 2020 · Oct 20, 2020
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -10,14 +10,15 @@ Thanks, you're awesome :-) -->
 
 ### Schema Changes
 
-* Added `event.category` "session". #1049
-
 #### Breaking changes
 
 #### Bugfixes
 
 #### Added
 
+* Added `event.category` "registry". #1040
+* Added `event.category` "session". #1049
+
 #### Improvements
 
 #### Deprecated

diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -1597,7 +1597,7 @@ Note: this field should contain an array of values.
 
 *Important*: The field value must be one of the following:
 
-authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, session, web
+authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, web
 
 To learn more about when to use which value, visit the page
 <<ecs-allowed-values-event-category,allowed values for event.category>>

diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc
@@ -144,6 +144,7 @@ that will require subsequent breaking changes.
 * <<ecs-event-category-network,network>>
 * <<ecs-event-category-package,package>>
 * <<ecs-event-category-process,process>>
+* <<ecs-event-category-registry,registry>>
 * <<ecs-event-category-session,session>>
 * <<ecs-event-category-web,web>>
 
@@ -299,6 +300,18 @@ Use this category of events to visualize and analyze process-specific informatio
 access, change, end, info, start
 
 
+[float]
+[[ecs-event-category-registry]]
+==== registry
+
+Having to do with settings and assets stored in the Windows registry. Use this category to visualize and analyze activity such as registry access and modifications.
+
+
+*Expected event types for category registry:*
+
+access, change, creation, deletion
+
+
 [float]
 [[ecs-event-category-session]]
 ==== session

diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
@@ -1774,6 +1774,15 @@ event.category:
     - info
     - start
     name: process
+  - description: Having to do with settings and assets stored in the Windows registry.
+      Use this category to visualize and analyze activity such as registry access
+      and modifications.
+    expected_event_types:
+    - access
+    - change
+    - creation
+    - deletion
+    name: registry
   - description: The session category is applied to events and metrics regarding logical
       persistent connections to hosts and services. Use this category to visualize
       and analyze interactive or automated persistent connections between assets.

diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
@@ -2168,6 +2168,15 @@ event:
         - info
         - start
         name: process
+      - description: Having to do with settings and assets stored in the Windows registry.
+          Use this category to visualize and analyze activity such as registry access
+          and modifications.
+        expected_event_types:
+        - access
+        - change
+        - creation
+        - deletion
+        name: registry
       - description: The session category is applied to events and metrics regarding
           logical persistent connections to hosts and services. Use this category
           to visualize and analyze interactive or automated persistent connections

diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
@@ -1814,6 +1814,15 @@ event.category:
     - info
     - start
     name: process
+  - description: Having to do with settings and assets stored in the Windows registry.
+      Use this category to visualize and analyze activity such as registry access
+      and modifications.
+    expected_event_types:
+    - access
+    - change
+    - creation
+    - deletion
+    name: registry
   - description: The session category is applied to events and metrics regarding logical
       persistent connections to hosts and services. Use this category to visualize
       and analyze interactive or automated persistent connections between assets.

diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
@@ -2209,6 +2209,15 @@ event:
         - info
         - start
         name: process
+      - description: Having to do with settings and assets stored in the Windows registry.
+          Use this category to visualize and analyze activity such as registry access
+          and modifications.
+        expected_event_types:
+        - access
+        - change
+        - creation
+        - deletion
+        name: registry
       - description: The session category is applied to events and metrics regarding
           logical persistent connections to hosts and services. Use this category
           to visualize and analyze interactive or automated persistent connections

diff --git a/schemas/event.yml b/schemas/event.yml
@@ -277,6 +277,15 @@
             - end
             - info
             - start
+        - name: registry
+          description: >
+            Having to do with settings and assets stored in the Windows registry.
+            Use this category to visualize and analyze activity such as registry access and modifications.
+          expected_event_types:
+            - access
+            - change
+            - creation
+            - deletion
         - name: session
           description: >
             The session category is applied to events and metrics regarding logical persistent connections to hosts and services.