From fbc9e8c2dfb33e030a2e5e7b617e3136b55933a2 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 26 Mar 2022 11:46:52 +0100
Subject: [PATCH] Update new registry category

---
 tools/config/devo-windows.yml | 9 +++++++++
 tools/config/fortisiem-windows.yml | 27 +++++++++++++++++++++++++++
 tools/config/hawk.yml | 15 +++++++++++++++
 3 files changed, 51 insertions(+)

diff --git a/tools/config/devo-windows.yml b/tools/config/devo-windows.yml
index dcb4da3ad..f97780c1f 100644
--- a/tools/config/devo-windows.yml
+++ b/tools/config/devo-windows.yml
@@ -24,9 +24,18 @@ logsources:
 windows-category-registry_event:
 product: windows
 category: registry_event
+ windows-category-registry_add:
+ product: windows
+ category: registry_add
+ windows-category-registry_delete:
+ product: windows
+ category: registry_delete
 windows-category-registry_set:
 product: windows
 category: registry_set
+ windows-category-registry_rename:
+ product: windows
+ category: registry_rename
 windows-category-process_access:
 product: windows
 category: process_access
diff --git a/tools/config/fortisiem-windows.yml b/tools/config/fortisiem-windows.yml
index 695c7b336..2e6e05490 100644
--- a/tools/config/fortisiem-windows.yml
+++ b/tools/config/fortisiem-windows.yml
@@ -39,6 +39,24 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
+ registry_add: category: registry_add product: windows conditions: eventType: - Win-Sysmon-12-Registry-* rewrite: product: windows service: sysmon
+ registry_delete: category: registry_delete product: windows conditions: eventType: - Win-Sysmon-12-Registry-* rewrite: product: windows service: sysmon
 registry_set:
 category: registry_set
 product: windows
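Review bot: In the fortisiem-windows.yml hunk, the new registry_add and registry_delete entries carry the identical condition `eventType: Win-Sysmon-12-Registry-*`, so this backend cannot tell the two categories apart: a rule written for registry_delete will also fire on every key creation Sysmon reports under Event ID 12, and vice versa. Sysmon Event ID 12 covers both key creation and key deletion, and the project's Sysmon reference config appears to separate the two on the EventType field in addition to the event id. If FortiSIEM's event-type names below the `Win-Sysmon-12-Registry-` prefix distinguish create from delete, narrow the glob per category; otherwise add a condition on the Sysmon EventType field, or at minimum document the limitation, e.g. `# NOTE: Win-Sysmon-12-Registry-* covers both CreateKey and DeleteKey; add/delete rules are not separable on this backend`. The same collapse occurs in the hawk.yml hunk, where windows-registry-add and windows-registry-delete both use `vendor_id: 12`. The three context lines at the top of this hunk belong to an entry that starts outside it.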
@@ -48,6 +66,15 @@ logsources:
 rewrite:
 product: windows
 service: sysmon
+ registry_rename: category: registry_rename product: windows conditions: eventType: - Win-Sysmon-14-Registry-* rewrite: product: windows service: sysmon
 file_creation:
 category: file_event
 product: windows
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 117776789..e117b418c 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -383,11 +383,26 @@ logsources:
 - 12
 - 13
 - 14
+ windows-registry-add: product: windows category: registry_add conditions: vendor_id: 12
+ windows-registry-delete: product: windows category: registry_delete conditions: vendor_id: 12
 windows-registry-set:
 product: windows
 category: registry_event
 conditions:
 vendor_id: 13
+ windows-registry-rename: product: windows category: registry_rename conditions: vendor_id: 14
 qflow:
 product: qflow
 netflow:
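Review bot: In the hawk.yml hunk, registry_set ends up as the only registry category without a mapping of its own: the adjacent `windows-registry-set` context entry still declares `category: registry_event` with `vendor_id: 13`, so a rule with `category: registry_set` gets no hawk condition, while registry_event rules presumably match both that entry and the preceding 12/13/14 list and may be narrowed to 13 depending on how sigmac merges overlapping logsource definitions. If the intent is the same one-to-one mapping the new add/delete/rename entries use, that line should read `category: registry_set`. The `- 12`/`- 13`/`- 14` context lines belong to a vendor_id list whose entry starts outside the hunk.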