From f728d237ff94d9f464823eed8200cf5b2a377771 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Wed, 4 Dec 2019 15:23:55 -0700 Subject: [PATCH 1/8] Add registry fieldset --- CHANGELOG.next.md | 1 + code/go/ecs/registry.go | 50 +++++++++++++ docs/field-details.asciidoc | 96 +++++++++++++++++++++++++ docs/fields.asciidoc | 2 + generated/beats/fields.ecs.yml | 55 ++++++++++++++ generated/csv/fields.csv | 7 ++ generated/ecs/ecs_flat.yml | 77 ++++++++++++++++++++ generated/ecs/ecs_nested.yml | 86 ++++++++++++++++++++++ generated/elasticsearch/6/template.json | 35 +++++++++ generated/elasticsearch/7/template.json | 35 +++++++++ schemas/registry.yml | 61 ++++++++++++++++ 11 files changed, 505 insertions(+) create mode 100644 code/go/ecs/registry.go create mode 100644 schemas/registry.yml diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index fd550c85fb..90dfe91226 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -21,6 +21,7 @@ Thanks, you're awesome :-) --> * Added `file.drive_letter`. #620 * Added `rule` fields. #665 * Added default `text` analyzer as a multi-field to around 25 more fields. #680 +* Added `registry.*` fieldset for the Windows registry. #673 #### Improvements diff --git a/code/go/ecs/registry.go b/code/go/ecs/registry.go new file mode 100644 index 0000000000..edec21c1b7 --- /dev/null +++ b/code/go/ecs/registry.go 
@@ -0,0 +1,50 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+// Fields related to Windows Registry operations.
+type Registry struct {
+ // Abbreviated name for the hive.
+ Hive string `ecs:"hive"`
+
+ // Hive-relative path of keys.
+ Key string `ecs:"key"`
+
+ // Name of the value written.
+ Value string `ecs:"value"`
+
+ // Full path, including hive, key and value
+ Path string `ecs:"path"`
+
+ // Standard registry type for encoding contents
+ DataType string `ecs:"data.type"`
+
+ // Content when writing string types
+ // Populated as an array when writing string data to the registry, such as
+ // REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK.
+ DataStrings string `ecs:"data.strings"`
+
+ // Contents for numeric values written to the registry
+ // Contains the data when populating REG_DWORD and REG_QWORD. For
+ // REG_DWORD_BIG_ENDIAN, this assumes that the bytes have already been
+ // interpreted in numeric form before they were ingested into
+ // Elasticsearch.
+ DataInteger int64 `ecs:"data.integer"`
+}
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index d4a16dcd31..022001f359 100644
--- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -3493,6 +3493,102 @@ example: `/home/alice` // =============================================================== +|===== + +[[ecs-registry]] +=== Windows Registry Fields + +Fields related to Windows Registry operations. + +==== Windows Registry Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| registry.data.integer +| Contents for numeric values written to the registry + +Contains the data when populating REG_DWORD and REG_QWORD. For REG_DWORD_BIG_ENDIAN, this assumes that the bytes have already been interpreted in numeric form before they were ingested into Elasticsearch. + +type: long + +example: `0` + +| extended + +// =============================================================== + +| registry.data.strings +| Content when writing string types + +Populated as an array when writing string data to the registry, such as REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK. + +type: keyword + +example: `["C:\rta\red_ttp\bin\myapp.exe"]` + +| extended + +// =============================================================== + +| registry.data.type +| Standard registry type for encoding contents + +type: keyword + +example: `REG_SZ` + +| extended + +// =============================================================== + +| registry.hive +| Abbreviated name for the hive. + +type: keyword + +example: `HKLM` + +| core + +// =============================================================== + +| registry.key +| Hive-relative path of keys. 
+ +type: keyword + +example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe` + +| core + +// =============================================================== + +| registry.path +| Full path, including hive, key and value + +type: keyword + +example: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger` + +| core + +// =============================================================== + +| registry.value +| Name of the value written. + +type: keyword + +example: `Debugger` + +| core + +// =============================================================== + |===== [[ecs-related]] diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index c9a73ef9e5..9a39c19bab 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -66,6 +66,8 @@ all fields are defined. | <> | These fields contain information about a process. +| <> | None + | <> | Fields meant to facilitate pivoting around a piece of data. | <> | Fields to capture details about rules used to generate alerts or other notable events. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 50f95544d2..3df6c7becc 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -2584,6 +2584,61 @@ norms: false description: The working directory of the process. example: /home/alice + - name: registry + title: Windows Registry + group: 2 + description: Fields related to Windows Registry operations. + type: group + fields: + - name: data.integer + level: extended + type: long + description: 'Contents for numeric values written to the registry + + Contains the data when populating REG_DWORD and REG_QWORD. For REG_DWORD_BIG_ENDIAN, + this assumes that the bytes have already been interpreted in numeric form + before they were ingested into Elasticsearch.' + example: 0 + - name: data.strings + level: extended + type: keyword + ignore_above: 1024 + description: 'Content when writing string types + + Populated as an array when writing string data to the registry, such as REG_SZ, + REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK.' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + - name: data.type + level: extended + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + - name: hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + - name: key + level: core + type: keyword + ignore_above: 1024 + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + - name: path + level: core + type: keyword + ignore_above: 1024 + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + - name: value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger - name: related title: Related group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 58bcbfb873..daabcf02ea 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -342,6 +342,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.4.0-dev,true,process,process.uptime,long,extended,1325,Seconds the process has been up. 1.4.0-dev,true,process,process.working_directory,keyword,extended,/home/alice,The working directory of the process. 1.4.0-dev,true,process,process.working_directory.text,text,extended,/home/alice,The working directory of the process. +1.4.0-dev,true,registry,registry.data.integer,long,extended,0,Contents for numeric values written to the registry +1.4.0-dev,true,registry,registry.data.strings,keyword,extended,"[""C:\rta\red_ttp\bin\myapp.exe""]",Content when writing string types +1.4.0-dev,true,registry,registry.data.type,keyword,extended,REG_SZ,Standard registry type for encoding contents +1.4.0-dev,true,registry,registry.hive,keyword,core,HKLM,Abbreviated name for the hive. +1.4.0-dev,true,registry,registry.key,keyword,core,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.4.0-dev,true,registry,registry.path,keyword,core,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.4.0-dev,true,registry,registry.value,keyword,core,Debugger,Name of the value written. 1.4.0-dev,true,related,related.ip,ip,extended,,All of the IPs seen on your event. 1.4.0-dev,true,rule,rule.category,keyword,extended,Attempted Information Leak,Rule category 1.4.0-dev,true,rule,rule.description,keyword,extended,Block requests to public DNS over HTTPS / TLS protocols,Rule description diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 95bcf10ec1..cdc8652078 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3689,6 +3689,83 @@ process.working_directory: order: 26 short: The working directory of the process. type: keyword +registry.data.integer: + description: 'Contents for numeric values written to the registry + + Contains the data when populating REG_DWORD and REG_QWORD. For REG_DWORD_BIG_ENDIAN, + this assumes that the bytes have already been interpreted in numeric form before + they were ingested into Elasticsearch.' + example: 0 + flat_name: registry.data.integer + level: extended + name: data.integer + order: 6 + short: Contents for numeric values written to the registry + type: long +registry.data.strings: + description: 'Content when writing string types + + Populated as an array when writing string data to the registry, such as REG_SZ, + REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK.' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: registry.data.strings + ignore_above: 1024 + level: extended + name: data.strings + order: 5 + short: Content when writing string types + type: keyword +registry.data.type: + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: registry.data.type + ignore_above: 1024 + level: extended + name: data.type + order: 4 + short: Standard registry type for encoding contents + type: keyword +registry.hive: + description: Abbreviated name for the hive. + example: HKLM + flat_name: registry.hive + ignore_above: 1024 + level: core + name: hive + order: 0 + short: Abbreviated name for the hive. + type: keyword +registry.key: + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: registry.key + ignore_above: 1024 + level: core + name: key + order: 1 + short: Hive-relative path of keys. 
+ type: keyword +registry.path: + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: registry.path + ignore_above: 1024 + level: core + name: path + order: 3 + short: Full path, including hive, key and value + type: keyword +registry.value: + description: Name of the value written. + example: Debugger + flat_name: registry.value + ignore_above: 1024 + level: core + name: value + order: 2 + short: Name of the value written. + type: keyword related.ip: description: All of the IPs seen on your event. flat_name: related.ip diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a5255de8aa..19bb7599ae 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -4087,6 +4087,92 @@ process: short: These fields contain information about a process. title: Process type: group +registry: + description: Fields related to Windows Registry operations. + fields: + data.integer: + description: 'Contents for numeric values written to the registry + + Contains the data when populating REG_DWORD and REG_QWORD. For REG_DWORD_BIG_ENDIAN, + this assumes that the bytes have already been interpreted in numeric form + before they were ingested into Elasticsearch.' + example: 0 + flat_name: registry.data.integer + level: extended + name: data.integer + order: 6 + short: Contents for numeric values written to the registry + type: long + data.strings: + description: 'Content when writing string types + + Populated as an array when writing string data to the registry, such as REG_SZ, + REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK.' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: registry.data.strings + ignore_above: 1024 + level: extended + name: data.strings + order: 5 + short: Content when writing string types + type: keyword + data.type: + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: registry.data.type + ignore_above: 1024 + level: extended + name: data.type + order: 4 + short: Standard registry type for encoding contents + type: keyword + hive: + description: Abbreviated name for the hive. + example: HKLM + flat_name: registry.hive + ignore_above: 1024 + level: core + name: hive + order: 0 + short: Abbreviated name for the hive. + type: keyword + key: + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: registry.key + ignore_above: 1024 + level: core + name: key + order: 1 + short: Hive-relative path of keys. 
+ type: keyword + path: + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: registry.path + ignore_above: 1024 + level: core + name: path + order: 3 + short: Full path, including hive, key and value + type: keyword + value: + description: Name of the value written. + example: Debugger + flat_name: registry.value + ignore_above: 1024 + level: core + name: value + order: 2 + short: Name of the value written. + type: keyword + group: 2 + name: registry + prefix: registry. + short: None + title: Windows Registry + type: group related: description: 'This field set is meant to facilitate pivoting around a piece of data. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 04ef3cef8e..e4cdcf746a 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1624,6 +1624,41 @@ } } }, + "registry": { + "properties": { + "data": { + "properties": { + "integer": { + "type": "long" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "related": { "properties": { "ip": { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index b1b35e0266..5ffabd0786 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -1623,6 +1623,41 @@ } } }, + "registry": { + "properties": { + "data": { + "properties": { + "integer": { + "type": "long" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "related": { "properties": { "ip": { diff --git a/schemas/registry.yml b/schemas/registry.yml new file mode 100644 index 0000000000..39908309cf --- /dev/null +++ b/schemas/registry.yml 
@@ -0,0 +1,61 @@ +--- +- name: registry + title: Windows Registry + group: 2 + short: None + description: Fields related to Windows Registry operations. + type: group + fields: + + - name: hive + level: core + type: keyword + description: Abbreviated name for the hive. + example: HKLM + + - name: key + level: core + type: keyword + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + + - name: value + level: core + type: keyword + example: Debugger + description: Name of the value written. + + - name: path + level: core + type: keyword + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + + - name: data.type + level: extended + type: keyword + description: Standard registry type for encoding contents + example: REG_SZ + + - name: data.strings + level: extended + type: keyword + short: Content when writing string types + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + description: > + Content when writing string types + + Populated as an array when writing string data to the registry, such as REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK. + + - name: data.integer + level: extended + type: long + short: Contents for numeric values written to the registry + example: 0 + description: > + Contents for numeric values written to the registry + + Contains the data when populating REG_DWORD and REG_QWORD. + For REG_DWORD_BIG_ENDIAN, this assumes that the bytes have already been interpreted in numeric form + before they were ingested into Elasticsearch. + From 5b32949995e23e2a29a9e157956ddb12214886c2 Mon Sep 17 00:00:00 2001 
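Review bot: The `data.strings` example `'["C:\rta\red_ttp\bin\myapp.exe"]'` is written as a JSON array but its backslashes are unescaped, so a reader who copies it into an event body gets `\r` decoded as a carriage return rather than a path separator; either double the backslashes or give the example as a plain keyword value and state in the description that the field is an array of strings. The `hive` description says "abbreviated name" without naming the abbreviations producers are expected to use (the example shows `HKLM`; `HKCU`, `HKU` and the like are the obvious companions), and `key`/`path` are `keyword` fields while Windows registry paths are case-insensitive, so detection content matching on them will only work if producers agree on a casing. A one-sentence note on the expected normalization (hive abbreviation set, whether case is preserved as observed or lowercased) would remove that ambiguity for both shippers and rule authors.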
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Thu, 12 Dec 2019 10:42:44 -0700 Subject: [PATCH 2/8] Add data.bytes and update descriptions. --- schemas/registry.yml | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/schemas/registry.yml b/schemas/registry.yml index 39908309cf..eda075de39 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml @@ -1,8 +1,7 @@ --- - name: registry - title: Windows Registry + title: Registry group: 2 - short: None description: Fields related to Windows Registry operations. type: group fields: @@ -40,10 +39,10 @@ - name: data.strings level: extended type: keyword - short: Content when writing string types + short: Content when writing string types. example: '["C:\rta\red_ttp\bin\myapp.exe"]' description: > - Content when writing string types + Content when writing string types. Populated as an array when writing string data to the registry, such as REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK. @@ -59,3 +58,17 @@ For REG_DWORD_BIG_ENDIAN, this assumes that the bytes have already been interpreted in numeric form before they were ingested into Elasticsearch. + + - name: data.bytes + level: extended + type: keyword + short: Original bytes written with base64 encoding. + example: 0 + description: > + Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, + this corresponds to the data pointed by `lp_data`. This is optional and may be redundant + when `data.integer` or data.strings` are populated, but should be populated + for REG_BINARY encoded values. + From ded3bebf77465d81f7a65ef25eb153f242c6d448 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Thu, 12 Dec 2019 10:47:45 -0700 Subject: [PATCH 3/8] Add comment about long overflow --- schemas/registry.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
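Review bot: In the new `data.bytes` description the inline markup is unbalanced — `when \`data.integer\` or data.strings\` are populated` is missing the opening backtick before `data.strings`, and the typo is carried into the regenerated Go comment, asciidoc and YAML in patch 4 (L16, L17, L18, L20, L21). The field is `type: keyword`, which the regenerated templates in patch 4 map with `ignore_above: 1024`, so a REG_BINARY payload longer than 768 bytes yields a base64 string that is kept in `_source` but not indexed, and searches or rules on `registry.data.bytes` would silently miss exactly the larger blobs; if that is acceptable it deserves a sentence in the description, otherwise the mapping needs revisiting. Separately, the Win32 parameter is spelled `lpData` rather than `lp_data`, and since `RegQueryValueEx` is now cited the wording "written" on `value`, `data.strings` and `data.integer` is narrower than the read operations this fieldset is meant to cover.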
diff --git a/schemas/registry.yml b/schemas/registry.yml index eda075de39..638d36ac6f 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml @@ -54,9 +54,9 @@ description: > Contents for numeric values written to the registry - Contains the data when populating REG_DWORD and REG_QWORD. - For REG_DWORD_BIG_ENDIAN, this assumes that the bytes have already been interpreted in numeric form - before they were ingested into Elasticsearch. + Contains the data in integer form when populating REG_DWORD and REG_QWORD. This assumes that the bytes have + already been interpreted in numeric form accordingly. Note that `long` is signed 64 bits, so values greater + than 2^63^ are invalid, and may need to be cast as negative. - name: data.bytes From 47ae29995d5798ba8ae8d5452d3ea309959a1a56 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Thu, 12 Dec 2019 10:54:14 -0700 Subject: [PATCH 4/8] Regenerate registry fieldset --- code/go/ecs/registry.go | 17 +++++++++----- docs/field-details.asciidoc | 21 +++++++++++++---- docs/fields.asciidoc | 2 +- generated/beats/fields.ecs.yml | 22 +++++++++++++----- generated/csv/fields.csv | 3 ++- generated/ecs/ecs_flat.yml | 26 ++++++++++++++++----- generated/ecs/ecs_nested.yml | 30 +++++++++++++++++++------ generated/elasticsearch/6/template.json | 4 ++++ generated/elasticsearch/7/template.json | 4 ++++ 9 files changed, 101 insertions(+), 28 deletions(-) diff --git a/code/go/ecs/registry.go b/code/go/ecs/registry.go index edec21c1b7..4f8afd10ec 100644 --- a/code/go/ecs/registry.go +++ b/code/go/ecs/registry.go 
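Review bot: The overflow note in the rewritten `data.integer` description is off by one — the largest value a signed 64-bit `long` holds is 2^63^ - 1, so 2^63^ itself is already out of range; `values of 2^63^ or greater are invalid` is the accurate bound. "may need to be cast as negative" leaves the conversion to each producer; stating explicitly that such a REG_QWORD is stored as its two's-complement interpretation (the unsigned value minus 2^64^) lets consumers recover the original and keeps different shippers consistent, and it is worth adding that a negative value therefore cannot be compared at face value in range queries. The same text is regenerated into `code/go/ecs/registry.go` and the docs in patch 4.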
@@ -36,15 +36,22 @@ type Registry struct { // Standard registry type for encoding contents DataType string `ecs:"data.type"` - // Content when writing string types + // Content when writing string types. // Populated as an array when writing string data to the registry, such as // REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK. DataStrings string `ecs:"data.strings"` // Contents for numeric values written to the registry - // Contains the data when populating REG_DWORD and REG_QWORD. For - // REG_DWORD_BIG_ENDIAN, this assumes that the bytes have already been - // interpreted in numeric form before they were ingested into - // Elasticsearch. + // Contains the data in integer form when populating REG_DWORD and + // REG_QWORD. This assumes that the bytes have already been interpreted in + // numeric form accordingly. Note that `long` is signed 64 bits, so values + // greater than 2^63^ are invalid, and may need to be cast as negative. DataInteger int64 `ecs:"data.integer"` + + // Original bytes written with base64 encoding. + // For Windows registry operations, such as SetValueEx and RegQueryValueEx, + // this corresponds to the data pointed by `lp_data`. This is optional and + // may be redundant when `data.integer` or data.strings` are populated, but + // should be populated for REG_BINARY encoded values. + DataBytes string `ecs:"data.bytes"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 022001f359..6d40193f41 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -3496,11 +3496,11 @@ example: `/home/alice` |===== [[ecs-registry]] -=== Windows Registry Fields +=== Registry Fields Fields related to Windows Registry operations. -==== Windows Registry Field Details +==== Registry Field Details [options="header"] |===== 
@@ -3508,10 +3508,23 @@ Fields related to Windows Registry operations. // =============================================================== +| registry.data.bytes +| Original bytes written with base64 encoding. + +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional and may be redundant when `data.integer` or data.strings` are populated, but should be populated for REG_BINARY encoded values. + +type: keyword + +example: `0` + +| extended + +// =============================================================== + | registry.data.integer | Contents for numeric values written to the registry -Contains the data when populating REG_DWORD and REG_QWORD. For REG_DWORD_BIG_ENDIAN, this assumes that the bytes have already been interpreted in numeric form before they were ingested into Elasticsearch. +Contains the data in integer form when populating REG_DWORD and REG_QWORD. This assumes that the bytes have already been interpreted in numeric form accordingly. Note that `long` is signed 64 bits, so values greater than 2^63^ are invalid, and may need to be cast as negative. type: long @@ -3522,7 +3535,7 @@ example: `0` // =============================================================== | registry.data.strings -| Content when writing string types +| Content when writing string types. Populated as an array when writing string data to the registry, such as REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK. diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 9a39c19bab..a7d79cca5e 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -66,7 +66,7 @@ all fields are defined. | <> | These fields contain information about a process. -| <> | None +| <> | Fields related to Windows Registry operations. | <> | Fields meant to facilitate pivoting around a piece of data. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 3df6c7becc..3991f47a99 100644 
--- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2585,25 +2585,37 @@ description: The working directory of the process. example: /home/alice - name: registry - title: Windows Registry + title: Registry group: 2 description: Fields related to Windows Registry operations. type: group fields: + - name: data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional and may be + redundant when `data.integer` or data.strings` are populated, but should be + populated for REG_BINARY encoded values.' + example: 0 - name: data.integer level: extended type: long description: 'Contents for numeric values written to the registry - Contains the data when populating REG_DWORD and REG_QWORD. For REG_DWORD_BIG_ENDIAN, - this assumes that the bytes have already been interpreted in numeric form - before they were ingested into Elasticsearch.' + Contains the data in integer form when populating REG_DWORD and REG_QWORD. + This assumes that the bytes have already been interpreted in numeric form + accordingly. Note that `long` is signed 64 bits, so values greater than 2^63^ + are invalid, and may need to be cast as negative.' example: 0 - name: data.strings level: extended type: keyword ignore_above: 1024 - description: 'Content when writing string types + description: 'Content when writing string types. Populated as an array when writing string data to the registry, such as REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK.' diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index daabcf02ea..eedadbae10 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -342,8 +342,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.4.0-dev,true,process,process.uptime,long,extended,1325,Seconds the process has been up. 1.4.0-dev,true,process,process.working_directory,keyword,extended,/home/alice,The working directory of the process. 1.4.0-dev,true,process,process.working_directory.text,text,extended,/home/alice,The working directory of the process. +1.4.0-dev,true,registry,registry.data.bytes,keyword,extended,0,Original bytes written with base64 encoding. 1.4.0-dev,true,registry,registry.data.integer,long,extended,0,Contents for numeric values written to the registry -1.4.0-dev,true,registry,registry.data.strings,keyword,extended,"[""C:\rta\red_ttp\bin\myapp.exe""]",Content when writing string types +1.4.0-dev,true,registry,registry.data.strings,keyword,extended,"[""C:\rta\red_ttp\bin\myapp.exe""]",Content when writing string types. 1.4.0-dev,true,registry,registry.data.type,keyword,extended,REG_SZ,Standard registry type for encoding contents 1.4.0-dev,true,registry,registry.hive,keyword,core,HKLM,Abbreviated name for the hive. 1.4.0-dev,true,registry,registry.key,keyword,core,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index cdc8652078..00ebaa3068 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3689,12 +3689,28 @@ process.working_directory: order: 26 short: The working directory of the process. type: keyword +registry.data.bytes: + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional and may be redundant + when `data.integer` or data.strings` are populated, but should be populated for + REG_BINARY encoded values.' + example: 0 + flat_name: registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + order: 7 + short: Original bytes written with base64 encoding. + type: keyword registry.data.integer: description: 'Contents for numeric values written to the registry - Contains the data when populating REG_DWORD and REG_QWORD. For REG_DWORD_BIG_ENDIAN, - this assumes that the bytes have already been interpreted in numeric form before - they were ingested into Elasticsearch.' + Contains the data in integer form when populating REG_DWORD and REG_QWORD. This + assumes that the bytes have already been interpreted in numeric form accordingly. + Note that `long` is signed 64 bits, so values greater than 2^63^ are invalid, + and may need to be cast as negative.' example: 0 flat_name: registry.data.integer level: extended @@ -3703,7 +3719,7 @@ registry.data.integer: short: Contents for numeric values written to the registry type: long registry.data.strings: - description: 'Content when writing string types + description: 'Content when writing string types. Populated as an array when writing string data to the registry, such as REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK.' @@ -3713,7 +3729,7 @@ registry.data.strings: level: extended name: data.strings order: 5 - short: Content when writing string types + short: Content when writing string types. type: keyword registry.data.type: description: Standard registry type for encoding contents 
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 19bb7599ae..e92c672d7e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4090,12 +4090,28 @@ process: registry: description: Fields related to Windows Registry operations. fields: + data.bytes: + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional and may be + redundant when `data.integer` or data.strings` are populated, but should be + populated for REG_BINARY encoded values.' + example: 0 + flat_name: registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + order: 7 + short: Original bytes written with base64 encoding. + type: keyword data.integer: description: 'Contents for numeric values written to the registry - Contains the data when populating REG_DWORD and REG_QWORD. For REG_DWORD_BIG_ENDIAN, - this assumes that the bytes have already been interpreted in numeric form - before they were ingested into Elasticsearch.' + Contains the data in integer form when populating REG_DWORD and REG_QWORD. + This assumes that the bytes have already been interpreted in numeric form + accordingly. Note that `long` is signed 64 bits, so values greater than 2^63^ + are invalid, and may need to be cast as negative.' example: 0 flat_name: registry.data.integer level: extended @@ -4104,7 +4120,7 @@ registry: short: Contents for numeric values written to the registry type: long data.strings: - description: 'Content when writing string types + description: 'Content when writing string types. Populated as an array when writing string data to the registry, such as REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK.' 
@@ -4114,7 +4130,7 @@ registry: level: extended name: data.strings order: 5 - short: Content when writing string types + short: Content when writing string types. type: keyword data.type: description: Standard registry type for encoding contents @@ -4170,8 +4186,8 @@ registry: group: 2 name: registry prefix: registry. - short: None - title: Windows Registry + short: Fields related to Windows Registry operations. + title: Registry type: group related: description: 'This field set is meant to facilitate pivoting around a piece of data. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index e4cdcf746a..f948775040 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1628,6 +1628,10 @@ "properties": { "data": { "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, "integer": { "type": "long" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 5ffabd0786..81724ee9a7 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1627,6 +1627,10 @@ "properties": { "data": { "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, "integer": { "type": "long" }, From e6b8808119eded6431d29e98b3d6c606369b360c Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Thu, 12 Dec 2019 11:06:17 -0700 Subject: [PATCH 5/8] Add example for data.bytes --- schemas/registry.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/registry.yml b/schemas/registry.yml index 638d36ac6f..dd1b3dcbda 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml @@ -63,7 +63,7 @@ level: extended type: keyword short: Original bytes written with base64 encoding. - example: 0 + example: "ZQBuAC0AVQBTAAAAZQBuAAAAAAA=" description: > Original bytes written with base64 encoding. 
From e49df0d7bdc43164bafcb06c9224653144db3e99 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Thu, 12 Dec 2019 11:12:18 -0700 Subject: [PATCH 6/8] Make registry fields core --- docs/field-details.asciidoc | 8 ++++---- generated/beats/fields.ecs.yml | 8 ++++---- generated/csv/fields.csv | 8 ++++---- generated/ecs/ecs_flat.yml | 8 ++++---- generated/ecs/ecs_nested.yml | 8 ++++---- schemas/registry.yml | 6 +++--- 6 files changed, 23 insertions(+), 23 deletions(-) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 6d40193f41..2180c90254 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -3515,7 +3515,7 @@ For Windows registry operations, such as SetValueEx and RegQueryValueEx, this co type: keyword -example: `0` +example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=` | extended @@ -3530,7 +3530,7 @@ type: long example: `0` -| extended +| core // =============================================================== @@ -3543,7 +3543,7 @@ type: keyword example: `["C:\rta\red_ttp\bin\myapp.exe"]` -| extended +| core // =============================================================== @@ -3554,7 +3554,7 @@ type: keyword example: `REG_SZ` -| extended +| core // =============================================================== diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 3991f47a99..b6fa3cd01c 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2600,9 +2600,9 @@ corresponds to the data pointed by `lp_data`. This is optional and may be redundant when `data.integer` or data.strings` are populated, but should be populated for REG_BINARY encoded values.' - example: 0 + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - name: data.integer - level: extended + level: core type: long description: 'Contents for numeric values written to the registry 
@@ -2612,7 +2612,7 @@ are invalid, and may need to be cast as negative.' example: 0 - name: data.strings - level: extended + level: core type: keyword ignore_above: 1024 description: 'Content when writing string types. @@ -2621,7 +2621,7 @@ REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK.' example: '["C:\rta\red_ttp\bin\myapp.exe"]' - name: data.type - level: extended + level: core type: keyword ignore_above: 1024 description: Standard registry type for encoding contents diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index eedadbae10..b59b1aea22 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -342,10 +342,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.4.0-dev,true,process,process.uptime,long,extended,1325,Seconds the process has been up. 1.4.0-dev,true,process,process.working_directory,keyword,extended,/home/alice,The working directory of the process. 1.4.0-dev,true,process,process.working_directory.text,text,extended,/home/alice,The working directory of the process. -1.4.0-dev,true,registry,registry.data.bytes,keyword,extended,0,Original bytes written with base64 encoding. -1.4.0-dev,true,registry,registry.data.integer,long,extended,0,Contents for numeric values written to the registry -1.4.0-dev,true,registry,registry.data.strings,keyword,extended,"[""C:\rta\red_ttp\bin\myapp.exe""]",Content when writing string types. -1.4.0-dev,true,registry,registry.data.type,keyword,extended,REG_SZ,Standard registry type for encoding contents +1.4.0-dev,true,registry,registry.data.bytes,keyword,extended,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.4.0-dev,true,registry,registry.data.integer,long,core,0,Contents for numeric values written to the registry +1.4.0-dev,true,registry,registry.data.strings,keyword,core,"[""C:\rta\red_ttp\bin\myapp.exe""]",Content when writing string types. +1.4.0-dev,true,registry,registry.data.type,keyword,core,REG_SZ,Standard registry type for encoding contents 1.4.0-dev,true,registry,registry.hive,keyword,core,HKLM,Abbreviated name for the hive. 1.4.0-dev,true,registry,registry.key,keyword,core,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 1.4.0-dev,true,registry,registry.path,keyword,core,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 00ebaa3068..3d76c3f4a9 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3696,7 +3696,7 @@ registry.data.bytes: corresponds to the data pointed by `lp_data`. This is optional and may be redundant when `data.integer` or data.strings` are populated, but should be populated for REG_BINARY encoded values.' - example: 0 + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= flat_name: registry.data.bytes ignore_above: 1024 level: extended @@ -3713,7 +3713,7 @@ registry.data.integer: and may need to be cast as negative.' example: 0 flat_name: registry.data.integer - level: extended + level: core name: data.integer order: 6 short: Contents for numeric values written to the registry @@ -3726,7 +3726,7 @@ registry.data.strings: example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: registry.data.strings ignore_above: 1024 - level: extended + level: core name: data.strings order: 5 short: Content when writing string types. @@ -3736,7 +3736,7 @@ registry.data.type: example: REG_SZ flat_name: registry.data.type ignore_above: 1024 - level: extended + level: core name: data.type order: 4 short: Standard registry type for encoding contents diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index e92c672d7e..102f63fb2e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4097,7 +4097,7 @@ registry: corresponds to the data pointed by `lp_data`. This is optional and may be redundant when `data.integer` or data.strings` are populated, but should be populated for REG_BINARY encoded values.' - example: 0 + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= flat_name: registry.data.bytes ignore_above: 1024 level: extended @@ -4114,7 +4114,7 @@ registry: are invalid, and may need to be cast as negative.' example: 0 flat_name: registry.data.integer - level: extended + level: core name: data.integer order: 6 short: Contents for numeric values written to the registry 
@@ -4127,7 +4127,7 @@ registry: example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: registry.data.strings ignore_above: 1024 - level: extended + level: core name: data.strings order: 5 short: Content when writing string types. @@ -4137,7 +4137,7 @@ registry: example: REG_SZ flat_name: registry.data.type ignore_above: 1024 - level: extended + level: core name: data.type order: 4 short: Standard registry type for encoding contents diff --git a/schemas/registry.yml b/schemas/registry.yml index dd1b3dcbda..ef3be90b5a 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml @@ -31,13 +31,13 @@ example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - name: data.type - level: extended + level: core type: keyword description: Standard registry type for encoding contents example: REG_SZ - name: data.strings - level: extended + level: core type: keyword short: Content when writing string types. example: '["C:\rta\red_ttp\bin\myapp.exe"]' @@ -47,7 +47,7 @@ Populated as an array when writing string data to the registry, such as REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK. - name: data.integer - level: extended + level: core type: long short: Contents for numeric values written to the registry example: 0 From 48e3db02593f75e3c0af7dc3becbcbd4be9026c8 Mon Sep 17 00:00:00 2001 
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Thu, 12 Dec 2019 11:35:55 -0700 Subject: [PATCH 7/8] Remove data.integer because of overflow complexity --- code/go/ecs/registry.go | 15 ++++++--------- docs/field-details.asciidoc | 15 +-------------- generated/beats/fields.ecs.yml | 17 +++++------------ generated/csv/fields.csv | 3 +-- generated/ecs/ecs_flat.yml | 25 +++++++------------------ generated/ecs/ecs_nested.yml | 25 +++++++------------------ generated/elasticsearch/6/template.json | 3 --- generated/elasticsearch/7/template.json | 3 --- schemas/registry.yml | 20 +++++--------------- 9 files changed, 32 insertions(+), 94 deletions(-) diff --git a/code/go/ecs/registry.go b/code/go/ecs/registry.go index 4f8afd10ec..de6447203a 100644 --- a/code/go/ecs/registry.go +++ b/code/go/ecs/registry.go 
@@ -37,17 +37,14 @@ type Registry struct { DataType string `ecs:"data.type"` // Content when writing string types. - // Populated as an array when writing string data to the registry, such as - // REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK. + // Populated as an array when writing string data to the registry. For + // single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an + // array with one string. For sequences of string with REG_MULTI_SZ, this + // array will be variable length. For numeric data, such as REG_DWORD and + // REG_QWORD, this should be populated with the decimal representation (e.g + // `"1"`). DataStrings string `ecs:"data.strings"` - // Contents for numeric values written to the registry - // Contains the data in integer form when populating REG_DWORD and - // REG_QWORD. This assumes that the bytes have already been interpreted in - // numeric form accordingly. Note that `long` is signed 64 bits, so values - // greater than 2^63^ are invalid, and may need to be cast as negative. - DataInteger int64 `ecs:"data.integer"` - // Original bytes written with base64 encoding. // For Windows registry operations, such as SetValueEx and RegQueryValueEx, // this corresponds to the data pointed by `lp_data`. This is optional and diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 2180c90254..0e84eb4b01 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -3521,23 +3521,10 @@ example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=` // =============================================================== -| registry.data.integer -| Contents for numeric values written to the registry - -Contains the data in integer form when populating REG_DWORD and REG_QWORD. This assumes that the bytes have already been interpreted in numeric form accordingly. Note that `long` is signed 64 bits, so values greater than 2^63^ are invalid, and may need to be cast as negative. - -type: long - -example: `0` - -| core - -// =============================================================== - | registry.data.strings | Content when writing string types. -Populated as an array when writing string data to the registry, such as REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). type: keyword diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index b6fa3cd01c..fac78dbe07 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -2601,24 +2601,17 @@ redundant when `data.integer` or data.strings` are populated, but should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - - name: data.integer - level: core - type: long - description: 'Contents for numeric values written to the registry - - Contains the data in integer form when populating REG_DWORD and REG_QWORD. - This assumes that the bytes have already been interpreted in numeric form - accordingly. Note that `long` is signed 64 bits, so values greater than 2^63^ - are invalid, and may need to be cast as negative.' - example: 0 - name: data.strings level: core type: keyword ignore_above: 1024 description: 'Content when writing string types. - Populated as an array when writing string data to the registry, such as REG_SZ, - REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK.' + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' - name: data.type level: core diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index b59b1aea22..260be18ac4 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -343,8 +343,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.4.0-dev,true,process,process.working_directory,keyword,extended,/home/alice,The working directory of the process. 1.4.0-dev,true,process,process.working_directory.text,text,extended,/home/alice,The working directory of the process. 1.4.0-dev,true,registry,registry.data.bytes,keyword,extended,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.4.0-dev,true,registry,registry.data.integer,long,core,0,Contents for numeric values written to the registry -1.4.0-dev,true,registry,registry.data.strings,keyword,core,"[""C:\rta\red_ttp\bin\myapp.exe""]",Content when writing string types. +1.4.0-dev,true,registry,registry.data.strings,keyword,core,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 1.4.0-dev,true,registry,registry.data.type,keyword,core,REG_SZ,Standard registry type for encoding contents 1.4.0-dev,true,registry,registry.hive,keyword,core,HKLM,Abbreviated name for the hive. 1.4.0-dev,true,registry,registry.key,keyword,core,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 3d76c3f4a9..8332d5585c 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3701,35 +3701,24 @@ registry.data.bytes: ignore_above: 1024 level: extended name: data.bytes - order: 7 + order: 6 short: Original bytes written with base64 encoding. type: keyword -registry.data.integer: - description: 'Contents for numeric values written to the registry - - Contains the data in integer form when populating REG_DWORD and REG_QWORD. This - assumes that the bytes have already been interpreted in numeric form accordingly. - Note that `long` is signed 64 bits, so values greater than 2^63^ are invalid, - and may need to be cast as negative.' - example: 0 - flat_name: registry.data.integer - level: core - name: data.integer - order: 6 - short: Contents for numeric values written to the registry - type: long registry.data.strings: description: 'Content when writing string types. - Populated as an array when writing string data to the registry, such as REG_SZ, - REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK.' + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: registry.data.strings ignore_above: 1024 level: core name: data.strings order: 5 - short: Content when writing string types. + short: List of strings representing what was written to the registry. type: keyword registry.data.type: description: Standard registry type for encoding contents diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 102f63fb2e..332f2dade6 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -4102,35 +4102,24 @@ registry: ignore_above: 1024 level: extended name: data.bytes - order: 7 + order: 6 short: Original bytes written with base64 encoding. type: keyword - data.integer: - description: 'Contents for numeric values written to the registry - - Contains the data in integer form when populating REG_DWORD and REG_QWORD. - This assumes that the bytes have already been interpreted in numeric form - accordingly. Note that `long` is signed 64 bits, so values greater than 2^63^ - are invalid, and may need to be cast as negative.' - example: 0 - flat_name: registry.data.integer - level: core - name: data.integer - order: 6 - short: Contents for numeric values written to the registry - type: long data.strings: description: 'Content when writing string types. - Populated as an array when writing string data to the registry, such as REG_SZ, - REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK.' + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: registry.data.strings ignore_above: 1024 level: core name: data.strings order: 5 - short: Content when writing string types. + short: List of strings representing what was written to the registry. type: keyword data.type: description: Standard registry type for encoding contents diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index f948775040..37d2226b69 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1632,9 +1632,6 @@ "ignore_above": 1024, "type": "keyword" }, - "integer": { - "type": "long" - }, "strings": { "ignore_above": 1024, "type": "keyword" 
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 81724ee9a7..ff3ad98a9a 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1631,9 +1631,6 @@ "ignore_above": 1024, "type": "keyword" }, - "integer": { - "type": "long" - }, "strings": { "ignore_above": 1024, "type": "keyword" diff --git a/schemas/registry.yml b/schemas/registry.yml index ef3be90b5a..c7eaccc30c 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml @@ -39,25 +39,15 @@ - name: data.strings level: core type: keyword - short: Content when writing string types. + short: List of strings representing what was written to the registry. example: '["C:\rta\red_ttp\bin\myapp.exe"]' description: > Content when writing string types. - Populated as an array when writing string data to the registry, such as REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, and REG_LINK. - - - name: data.integer - level: core - type: long - short: Contents for numeric values written to the registry - example: 0 - description: > - Contents for numeric values written to the registry - - Contains the data in integer form when populating REG_DWORD and REG_QWORD. This assumes that the bytes have - already been interpreted in numeric form accordingly. Note that `long` is signed 64 bits, so values greater - than 2^63^ are invalid, and may need to be cast as negative. - + Populated as an array when writing string data to the registry. + For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - name: data.bytes level: extended From a9c29dd0d4b198cd6bc7b85647ae3d82a3b14e62 Mon Sep 17 00:00:00 2001 
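Review bot: The rewritten `data.strings` description in the schemas/registry.yml hunk tells producers to store REG_DWORD/REG_QWORD values as a "decimal representation" but never says whether that decimal is signed or unsigned, and since the reason `data.integer` is removed in this same patch is that a REG_QWORD does not fit a signed `long`, one producer may emit `"-1"` for a DWORD of 0xFFFFFFFF while another emits `"4294967295"`, and exact-match detection rules on this keyword field will then disagree. I would tighten that last line to `For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the unsigned decimal representation (e.g `"1"`, `"4294967295"`); REG_DWORD_BIG_ENDIAN should be converted to a number before rendering.` The new text also drops REG_LINK from the earlier list and says nothing about REG_BINARY or REG_NONE, so it is unclear whether this now-`core` field should be empty for those types; a sentence such as `For REG_BINARY and other non-string, non-numeric types, leave this field unset and populate data.bytes.` would close that gap. Both `data.strings` and `data.bytes` are mapped as keyword with `ignore_above: 1024` in the generated templates elsewhere in this series, which means large REG_BINARY payloads (a common place to stash fileless-persistence blobs) and long REG_MULTI_SZ entries are kept in `_source` but are not indexed or searchable, and that caveat belongs in the description of `data.bytes`. Finally, the description says the field is "populated as an array" while the Go binding generated from this schema in the same patch (code/go/ecs/registry.go) types `DataStrings` as a plain `string`; if the schema tooling has a way to declare array-valued fields it should be used here, otherwise the mismatch is worth a note.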
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Thu, 12 Dec 2019 11:40:30 -0700 Subject: [PATCH 8/8] Remove data.integer reference from data.bytes --- code/go/ecs/registry.go | 6 +++--- docs/field-details.asciidoc | 2 +- generated/beats/fields.ecs.yml | 5 ++--- generated/ecs/ecs_flat.yml | 5 ++--- generated/ecs/ecs_nested.yml | 5 ++--- schemas/registry.yml | 6 ++---- 6 files changed, 12 insertions(+), 17 deletions(-) diff --git a/code/go/ecs/registry.go b/code/go/ecs/registry.go index de6447203a..54a01777cf 100644 --- a/code/go/ecs/registry.go +++ b/code/go/ecs/registry.go @@ -47,8 +47,8 @@ type Registry struct { // Original bytes written with base64 encoding. // For Windows registry operations, such as SetValueEx and RegQueryValueEx, - // this corresponds to the data pointed by `lp_data`. This is optional and - // may be redundant when `data.integer` or data.strings` are populated, but - // should be populated for REG_BINARY encoded values. + // this corresponds to the data pointed by `lp_data`. This is optional but + // provides better recoverability and should be populated for REG_BINARY + // encoded values. DataBytes string `ecs:"data.bytes"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 0e84eb4b01..f35fc02379 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -3511,7 +3511,7 @@ Fields related to Windows Registry operations. | registry.data.bytes | Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional and may be redundant when `data.integer` or data.strings` are populated, but should be populated for REG_BINARY encoded values. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. type: keyword diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index fac78dbe07..3a9494b150 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2597,9 +2597,8 @@ description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional and may be - redundant when `data.integer` or data.strings` are populated, but should be - populated for REG_BINARY encoded values.' + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - name: data.strings level: core diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 8332d5585c..3775384e52 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3693,9 +3693,8 @@ registry.data.bytes: description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional and may be redundant - when `data.integer` or data.strings` are populated, but should be populated for - REG_BINARY encoded values.' + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= flat_name: registry.data.bytes ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 332f2dade6..6f47608c87 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4094,9 +4094,8 @@ registry: description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional and may be - redundant when `data.integer` or data.strings` are populated, but should be - populated for REG_BINARY encoded values.' + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= flat_name: registry.data.bytes ignore_above: 1024 diff --git a/schemas/registry.yml b/schemas/registry.yml index c7eaccc30c..6642850396 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml 
@@ -57,8 +57,6 @@ description: > Original bytes written with base64 encoding. - For Windows registry operations, such as SetValueEx and RegQueryValueEx, - this corresponds to the data pointed by `lp_data`. This is optional and may be redundant - when `data.integer` or data.strings` are populated, but should be populated - for REG_BINARY encoded values. + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. + This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.