From 3c2407864ec5699d044b6115f7e2658588e81cc7 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Tue, 3 Mar 2026 16:46:07 +0545
Subject: [PATCH] Merge PR #5857 from @swachchhanda000 - chore: add missing json logs

chore: add missing json logs
---
 .../8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json | 66 +++++++++++++++++++
 .../9c226817-8dc9-46c2-a58d-66655aafd7dc.json | 52 +++++++++++++++
 2 files changed, 118 insertions(+)
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json
 create mode 100644 regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/9c226817-8dc9-46c2-a58d-66655aafd7dc.json

diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json b/regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json
new file mode 100644
index 000000000..151b1abf1
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-01-05T06:59:26.079827Z"
+ }
+ },
+ "EventRecordID": 75087,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3636,
+ "ThreadID": 4340
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2026-01-05 06:59:26.059",
+ "ProcessGuid": "0197231E-614E-695B-DC0C-000000000C00",
+ "ProcessId": 11680,
+ "Image": "C:\\Windows\\System32\\reg.exe",
+ "FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)",
+ "Description": "Registry Console Tool",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "reg.exe",
+ "CommandLine": "\"C:\\WINDOWS\\system32\\reg.exe\" add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v \"Common Startup\" /t REG_SZ /d C:\\Test\\calc.exe /f",
+ "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-70FA-694F-AED1-150000000000",
+ "LogonId": "0x15d1ae",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "High",
+ "Hashes": "MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0",
+ "ParentProcessGuid": "0197231E-7211-694F-D001-000000000C00",
+ "ParentProcessId": 9524,
+ "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+ "ParentCommandLine": "powershell -ep bypass",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/9c226817-8dc9-46c2-a58d-66655aafd7dc.json b/regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/9c226817-8dc9-46c2-a58d-66655aafd7dc.json
new file mode 100644
index 000000000..3d98bc40b
--- /dev/null
+++ b/regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/9c226817-8dc9-46c2-a58d-66655aafd7dc.json
@@ -0,0 +1,52 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 13,
+ "Version": 2,
+ "Level": 4,
+ "Task": 13,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-01-05T06:29:01.086253Z"
+ }
+ },
+ "EventRecordID": 74886,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3636,
+ "ThreadID": 4340
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "EventType": "SetValue",
+ "UtcTime": "2026-01-05 06:29:01.070",
+ "ProcessGuid": "0197231E-7211-694F-D001-000000000C00",
+ "ProcessId": 9524,
+ "Image": "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+ "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
+ "Details": "C:\\Test\\calc.exe",
+ "User": "swachchhanda\\xodih"
+ }
+ }
+}
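Review bot: The process_creation sample exercises only the machine-wide `Common Startup` value under `HKLM\...\User Shell Folders`, written by a High-integrity reg.exe (`"IntegrityLevel": "High"`), so if the rule this file backs also matches the per-user `HKCU\...\User Shell Folders` `Startup` value — the variant a non-admin foothold would reach for — that branch has no regression coverage. A second capture of `reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup /t REG_SZ /d C:\Test\calc.exe /f` run from a Medium-integrity session would close that gap. The rule itself is not in this patch, so whether it covers HKCU is inferred from the directory name and should be checked against the rule's selection.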
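Review bot: The registry_set sample's writer is powershell.exe itself (`"Image": "...\\powershell.exe"`, ProcessGuid `0197231E-7211-694F-D001-000000000C00`, the same GUID that appears as `ParentProcessGuid` in the process_creation file), and it is stamped 06:29:01, thirty minutes before the reg.exe run at 06:59:26 in the first file, so the two files capture two separate modifications rather than one end-to-end chain. The Event ID 13 that the reg.exe invocation must have produced (Image reg.exe, ProcessGuid `0197231E-614E-695B-DC0C-000000000C00`) is not included, which means the registry_set rule is regression-tested only against a PowerShell writer. If the rule is meant to fire regardless of the writing image, adding that second EID 13 would verify the reg.exe path as well; whether the rule filters on `Image` cannot be seen from this patch.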