
feat(windows,system): populate registry.path for Security registry events #17931

Open

marc-gr wants to merge 4 commits into elastic:main from marc-gr:fix-registry-path-4657

Conversation

@marc-gr (Contributor) commented Mar 20, 2026

Summary

Populate ECS registry.path from winlog.event_data.ObjectName for Windows Security registry-related audit events:

  • 4657 (registry value modified): always mapped when ObjectName is present
  • 4656, 4658, 4660, 4661, 4662, 4663: only when winlog.event_data.ObjectType is Key, so file paths and AD/DS objects are not copied to registry.path

Packages

  • windows forwarded data stream (security_standard.yml) → 3.7.0
  • system security data stream (standard.yml) → 2.14.0

…ents

Map ECS registry.path from winlog.event_data.ObjectName for event 4657 and
for 4656/4658/4660/4661/4662/4663 when ObjectType is Key so file and AD
objects are not mapped.

Bump windows integration to 3.7.0 and system integration to 2.14.0.
marc-gr requested review from a team as code owners March 20, 2026 15:32
marc-gr requested review from leehinman and mauri870 March 20, 2026 15:32
marc-gr added the enhancement, Integration:windows, Integration:system and Team:Security-Windows Platform [elastic/sec-windows-platform] labels Mar 20, 2026
@elasticmachine

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

…STRY\ prefix

For generic object event IDs, treat as registry when ObjectType is Key or
ObjectName starts with the NT object-manager prefix (case-insensitive).
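To make the mapping rule concrete (the description's "always for 4657, only when ObjectType is Key for the generic object events" plus this commit's case-insensitive \REGISTRY\ prefix refinement), here is an added Python model of it. This is example code written for this page, not the integration's own ingest pipeline (which expresses the condition in YAML/Painless). It assumes the field names the PR mentions, event.code held as a string, winlog.event_data.ObjectName and winlog.event_data.ObjectType, and runs over constructed sample events, including a file-access 4663 and a directory-object 4662 that must not be copied into registry.path.

```python
# Added example (not the elastic/integrations pipeline itself): a Python model of the
# registry.path mapping rule described in this PR, run over constructed sample events.
import copy

# Event IDs whose ObjectName is always a registry path (per the PR description).
REGISTRY_ONLY_CODES = {"4657"}
# Generic object-access/handle events that may describe files, AD objects or keys.
GENERIC_OBJECT_CODES = {"4656", "4658", "4660", "4661", "4662", "4663"}
# NT object-manager prefix for registry paths; compared case-insensitively.
NT_REGISTRY_PREFIX = "\\registry\\"


def registry_path_for(event):
    """Return the value registry.path should get for this event, or None.

    Assumes the field names the PR names: event.code (as a string),
    winlog.event_data.ObjectName and winlog.event_data.ObjectType.
    """
    code = event.get("event", {}).get("code")
    event_data = event.get("winlog", {}).get("event_data", {})
    object_name = event_data.get("ObjectName")
    if not object_name:
        return None
    if code in REGISTRY_ONLY_CODES:
        return object_name
    if code in GENERIC_OBJECT_CODES:
        # Explicit registry object type, or a registry path recognised by prefix
        # when ObjectType is missing or unhelpful.
        if event_data.get("ObjectType") == "Key":
            return object_name
        if object_name.lower().startswith(NT_REGISTRY_PREFIX):
            return object_name
    return None


def enrich(event):
    """Return a copy of the event with registry.path set when the rule applies."""
    enriched = copy.deepcopy(event)
    path = registry_path_for(enriched)
    if path is not None:
        enriched.setdefault("registry", {})["path"] = path
    return enriched


def _security_event(code, object_name, object_type=None):
    """Build a minimal winlog-shaped event dict (constructed, not real log data)."""
    data = {"ObjectName": object_name}
    if object_type is not None:
        data["ObjectType"] = object_type
    return {"event": {"code": code}, "winlog": {"event_data": data}}


# Constructed sample events; the ObjectType GUID for 4662 is a placeholder, not a real class GUID.
SAMPLE_EVENTS = [
    _security_event("4657", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Key"),
    _security_event("4663", r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Sample", "Key"),
    _security_event("4663", r"C:\Windows\System32\drivers\etc\hosts", "File"),
    _security_event("4662", "CN=Administrator,CN=Users,DC=example,DC=local",
                    "%{00000000-0000-0000-0000-000000000000}"),
    # No ObjectType at all, lowercase prefix: still a registry path by the prefix rule.
    _security_event("4656", r"\registry\user\S-1-5-21-1-2-3-1001\Software\Sample"),
    # Empty ObjectName: nothing to map.
    _security_event("4658", ""),
]


def enrich_all(events=SAMPLE_EVENTS):
    return [enrich(e) for e in events]


def mapped_paths(events=SAMPLE_EVENTS):
    """registry.path per event after enrichment (None where the rule did not fire)."""
    return [e.get("registry", {}).get("path") for e in enrich_all(events)]


if __name__ == "__main__":
    for event, path in zip(SAMPLE_EVENTS, mapped_paths()):
        print(event["event"]["code"], "->", path)
```

The two negative cases are the point of the ObjectType guard: the 4663 for a file under C:\ and the 4662 for a directory object keep registry.path unset, while the 4656 whose ObjectType is absent is still recognised by its \registry\ prefix. In the real pipeline the same condition would live in the `if` clause of the processor that copies ObjectName, which is why the model keeps the decision in one function.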
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded
