Add registry fieldset

CHANGELOG.next.md

@@ -21,6 +21,7 @@ Thanks, you're awesome :-) -->
 * Added `file.drive_letter`. #620
 * Added `rule` fields. #665
 * Added default `text` analyzer as a multi-field to around 25 more fields. #680
+* Added `registry.*` fieldset for the Windows registry. #673
 
 #### Improvements
 

docs/field-details.asciidoc

@@ -3493,6 +3493,102 @@ example: `/home/alice`
 // ===============================================================
 
 
+|=====
+
+[[ecs-registry]]
+=== Registry Fields
+
+Fields related to Windows Registry operations.
+
+==== Registry Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| registry.data.bytes
+| Original bytes written with base64 encoding.
+
+For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
+type: keyword
+
+example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=`
+
+| extended
+
+// ===============================================================
+
+| registry.data.strings
+| Content when writing string types.
+
+Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+type: keyword
+
+example: `["C:\rta\red_ttp\bin\myapp.exe"]`
+
+| core
+
+// ===============================================================
+
+| registry.data.type
+| Standard registry type for encoding contents
+
+type: keyword
+
+example: `REG_SZ`
+
+| core
+
+// ===============================================================
+
+| registry.hive
+| Abbreviated name for the hive.
+
+type: keyword
+
+example: `HKLM`
+
+| core
+
+// ===============================================================
+
+| registry.key
+| Hive-relative path of keys.
+
+type: keyword
+
+example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe`
+
+| core
+
+// ===============================================================
+
+| registry.path
+| Full path, including hive, key and value
+
+type: keyword
+
+example: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger`
+
+| core
+
+// ===============================================================
+
+| registry.value
+| Name of the value written.
+
+type: keyword
+
+example: `Debugger`
+
+| core
+
+// ===============================================================
+
 |=====
 
 [[ecs-related]]

docs/fields.asciidoc

@@ -66,6 +66,8 @@ all fields are defined.
 
 | <<ecs-process,Process>> | These fields contain information about a process.
 
+| <<ecs-registry,Registry>> | Fields related to Windows Registry operations.
+
 | <<ecs-related,Related>> | Fields meant to facilitate pivoting around a piece of data.
 
 | <<ecs-rule,Rule>> | Fields to capture details about rules used to generate alerts or other notable events.

generated/beats/fields.ecs.yml

@@ -2584,6 +2584,65 @@
         norms: false
       description: The working directory of the process.
       example: /home/alice
+  - name: registry
+    title: Registry
+    group: 2
+    description: Fields related to Windows Registry operations.
+    type: group
+    fields:
+    - name: data.bytes
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Original bytes written with base64 encoding.
+
+        For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+        corresponds to the data pointed by `lp_data`. This is optional but provides
+        better recoverability and should be populated for REG_BINARY encoded values.'
+      example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+    - name: data.strings
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Content when writing string types.
+
+        Populated as an array when writing string data to the registry. For single
+        string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+        one string. For sequences of string with REG_MULTI_SZ, this array will be
+        variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+        be populated with the decimal representation (e.g `"1"`).'
+      example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+    - name: data.type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Standard registry type for encoding contents
+      example: REG_SZ
+    - name: hive
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Abbreviated name for the hive.
+      example: HKLM
+    - name: key
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Hive-relative path of keys.
+      example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+    - name: path
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Full path, including hive, key and value
+      example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+        Options\winword.exe\Debugger
+    - name: value
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Name of the value written.
+      example: Debugger
   - name: related
     title: Related
     group: 2

generated/csv/fields.csv

@@ -342,6 +342,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description
 1.4.0-dev,true,process,process.uptime,long,extended,1325,Seconds the process has been up.
 1.4.0-dev,true,process,process.working_directory,keyword,extended,/home/alice,The working directory of the process.
 1.4.0-dev,true,process,process.working_directory.text,text,extended,/home/alice,The working directory of the process.
+1.4.0-dev,true,registry,registry.data.bytes,keyword,extended,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.4.0-dev,true,registry,registry.data.strings,keyword,core,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.4.0-dev,true,registry,registry.data.type,keyword,core,REG_SZ,Standard registry type for encoding contents
+1.4.0-dev,true,registry,registry.hive,keyword,core,HKLM,Abbreviated name for the hive.
+1.4.0-dev,true,registry,registry.key,keyword,core,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.4.0-dev,true,registry,registry.path,keyword,core,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.4.0-dev,true,registry,registry.value,keyword,core,Debugger,Name of the value written.
 1.4.0-dev,true,related,related.ip,ip,extended,,All of the IPs seen on your event.
 1.4.0-dev,true,rule,rule.category,keyword,extended,Attempted Information Leak,Rule category
 1.4.0-dev,true,rule,rule.description,keyword,extended,Block requests to public DNS over HTTPS / TLS protocols,Rule description

generated/ecs/ecs_flat.yml

@@ -3689,6 +3689,87 @@ process.working_directory:
   order: 26
   short: The working directory of the process.
   type: keyword
+registry.data.bytes:
+  description: 'Original bytes written with base64 encoding.
+
+    For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+    corresponds to the data pointed by `lp_data`. This is optional but provides better
+    recoverability and should be populated for REG_BINARY encoded values.'
+  example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+  flat_name: registry.data.bytes
+  ignore_above: 1024
+  level: extended
+  name: data.bytes
+  order: 6
+  short: Original bytes written with base64 encoding.
+  type: keyword
+registry.data.strings:
+  description: 'Content when writing string types.
+
+    Populated as an array when writing string data to the registry. For single string
+    registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string.
+    For sequences of string with REG_MULTI_SZ, this array will be variable length.
+    For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with
+    the decimal representation (e.g `"1"`).'
+  example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+  flat_name: registry.data.strings
+  ignore_above: 1024
+  level: core
+  name: data.strings
+  order: 5
+  short: List of strings representing what was written to the registry.
+  type: keyword
+registry.data.type:
+  description: Standard registry type for encoding contents
+  example: REG_SZ
+  flat_name: registry.data.type
+  ignore_above: 1024
+  level: core
+  name: data.type
+  order: 4
+  short: Standard registry type for encoding contents
+  type: keyword
+registry.hive:
+  description: Abbreviated name for the hive.
+  example: HKLM
+  flat_name: registry.hive
+  ignore_above: 1024
+  level: core
+  name: hive
+  order: 0
+  short: Abbreviated name for the hive.
+  type: keyword
+registry.key:
+  description: Hive-relative path of keys.
+  example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+  flat_name: registry.key
+  ignore_above: 1024
+  level: core
+  name: key
+  order: 1
+  short: Hive-relative path of keys.
+  type: keyword
+registry.path:
+  description: Full path, including hive, key and value
+  example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+    Options\winword.exe\Debugger
+  flat_name: registry.path
+  ignore_above: 1024
+  level: core
+  name: path
+  order: 3
+  short: Full path, including hive, key and value
+  type: keyword
+registry.value:
+  description: Name of the value written.
+  example: Debugger
+  flat_name: registry.value
+  ignore_above: 1024
+  level: core
+  name: value
+  order: 2
+  short: Name of the value written.
+  type: keyword
 related.ip:
   description: All of the IPs seen on your event.
   flat_name: related.ip