Added registry rollback fields associated with recovered values (#362)

bit-envoy · web-flow · commit 953b35f68879 · 2023-04-17T11:10:07.000+02:00
* Added registry rollback fields associated with recovered values

* added sample value

* added sample value
diff --git a/custom_schemas/custom_responses.yml b/custom_schemas/custom_responses.yml
@@ -76,6 +76,21 @@
       type: keyword
       description: NT path of registry key recovered by Rollback 
 
+    - name: action.key.values
+      level: custom
+      type: nested
+      description: Values modified
+
+    - name: action.key.values.name
+      level: custom
+      type: keyword
+      description: Value name recovered by Rollback 
+
+    - name: action.key.values.actions
+      level: custom
+      type: keyword
+      description: Actions taken by Registry Rollback for value 
+
     - name: message
       level: custom
       type: text
diff --git a/package/endpoint/data_stream/alerts/fields/fields.yml b/package/endpoint/data_stream/alerts/fields/fields.yml
@@ -417,6 +417,23 @@
       ignore_above: 1024
       description: NT path of registry key recovered by Rollback
       default_field: false
+    - name: action.key.values
+      level: custom
+      type: nested
+      description: Values modified
+      default_field: false
+    - name: action.key.values.actions
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: Actions taken by Registry Rollback for value
+      default_field: false
+    - name: action.key.values.name
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: Value name recovered by Rollback
+      default_field: false
     - name: action.source.attributes
       level: custom
       type: keyword
diff --git a/package/endpoint/data_stream/alerts/sample_event.json b/package/endpoint/data_stream/alerts/sample_event.json
@@ -548,5 +548,62 @@
     "user": {
         "domain": "NT AUTHORITY",
         "name": "SYSTEM"
-    }
+    },
+    "Responses": [
+        {
+            "@timestamp": "2023-04-13T16:15:16.0Z",
+            "action": {
+                "action": "file_rollback",
+                "file": {
+                    "attributes": [
+                        "invalid"
+                    ],
+                    "path": "",
+                    "reason": 2147484160
+                },
+                "source": {
+                    "attributes": [
+                        "archive"
+                    ],
+                    "path": "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy55\\git\\endpoint-dev\\Python\\runtime\\failed_test_logs\\20230413_181248\\EndpointRollbackTestCase\\test_rollback_trigger_malware_1_prevent\\tmp\\TRA14KA5Z2\\ExceptionlistTester-Windows.1d1phoq97d"
+                }
+            },
+            "message": "Successful production rollback",
+            "result": 0
+        },
+        {
+            "@timestamp": "2023-04-13T16:15:16.0Z",
+            "action": {
+                "action": "registry_rollback",
+                "key": {
+                    "actions": [
+                        "Deleted"
+                    ],
+                    "path": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\TestRollback\\1"
+                }
+            },
+            "message": "Successful production registry rollback",
+            "result": 0
+        },
+        {
+            "@timestamp": "2023-04-13T16:15:16.0Z",
+            "action": {
+                "action": "registry_rollback",
+                "key": {
+                    "actions": [
+                        "Modified"
+                    ],
+                    "path": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\TestRollback.valuetest",
+                    "values": [
+                        {
+                            "actions": [
+                                "Deleted"
+                            ],
+                            "name": "SomeValue"
+                        }
+                    ]
+                }
+            }
+        }
+    ]
 }
diff --git a/package/endpoint/docs/README.md b/package/endpoint/docs/README.md
@@ -80,6 +80,9 @@ sent by the endpoint.
 | Responses.action.file.reason | Combined USN file modification reason | long |
 | Responses.action.key.actions | Actions taken by Registry Rollback for key | keyword |
 | Responses.action.key.path | NT path of registry key recovered by Rollback | keyword |
+| Responses.action.key.values | Values modified | nested |
+| Responses.action.key.values.actions | Actions taken by Registry Rollback for value | keyword |
+| Responses.action.key.values.name | Value name recovered by Rollback | keyword |
 | Responses.action.source.attributes | Source file attributes | keyword |
 | Responses.action.source.path | Source file path | keyword |
 | Responses.action.state | Index of event in events array to use for field lookup | long |
diff --git a/schemas/v1/alerts/rule_detection_event.yaml b/schemas/v1/alerts/rule_detection_event.yaml
