Update new registry category

2022-03-26 11:46:52 +01:00
parent 5a1e2c91e0
commit fbc9e8c2df
3 changed files with 51 additions and 0 deletions
@@ -24,9 +24,18 @@ logsources:
  windows-category-registry_event:
    product: windows
    category: registry_event
+  windows-category-registry_add:
+    product: windows
+    category: registry_add
+  windows-category-registry_delete:
+    product: windows
+    category: registry_delete
  windows-category-registry_set:
    product: windows
    category: registry_set
+  windows-category-registry_rename:
+    product: windows
+    category: registry_rename
  windows-category-process_access:
    product: windows
    category: process_access
@@ -39,6 +39,24 @@ logsources:
        rewrite:
            product: windows
            service: sysmon
+    registry_add:
+        category: registry_add
+        product: windows
+        conditions:
+            eventType: 
+                - Win-Sysmon-12-Registry-*
+        rewrite:
+            product: windows
+            service: sysmon
+    registry_delete:
+        category: registry_delete
+        product: windows
+        conditions:
+            eventType: 
+                - Win-Sysmon-12-Registry-*
+        rewrite:
+            product: windows
+            service: sysmon
    registry_set:
        category: registry_set
        product: windows
@@ -48,6 +66,15 @@ logsources:
        rewrite:
            product: windows
            service: sysmon
+    registry_rename:
+        category: registry_rename
+        product: windows
+        conditions:
+            eventType: 
+                - Win-Sysmon-14-Registry-*
+        rewrite:
+            product: windows
+            service: sysmon
    file_creation:
        category: file_event
        product: windows
@@ -383,11 +383,26 @@ logsources:
      - 12
      - 13
      - 14
+ windows-registry-add:
+   product: windows
+   category: registry_add
+   conditions:
+     vendor_id: 12
+ windows-registry-delete:
+   product: windows
+   category: registry_delete
+   conditions:
+     vendor_id: 12
 windows-registry-set:
   product: windows
   category: registry_event
   conditions:
     vendor_id: 13
+ windows-registry-rename:
+   product: windows
+   category: registry_rename
+   conditions:
+     vendor_id: 14
 qflow:
   product: qflow
 netflow: