Add registry specific event.category value

[marc-gr]

Summary

We do not have a specific category for registry (for example for winlogbeat registry events)

It seems endgame and endpoint are using already an event.category = registry value, since it is not listed as an allowed value we might want to consider to add it or either find a different solution and move all our products to use it.

Motivation:

We went through https://discuss.elastic.co/t/winlogbeat-sysmon-registry-events-missing-event-category/251282 which pointed the lack of categorisation for winlogbeat sysmon events.

[jamiehynds]

FYI @paulewing - similar to the challenge you faced this week trying to find registry events from sysmon.

[webmat]

@MikePaquette @dainperkins "registry" was initially part of the values we were considering. Do you remember why it got dropped out of the initial list of allowed values we published in 1.3?

[MikePaquette]

@webmat there was no specific reason or problem with "registry" as an allowed value of event.category. We were under time pressure to get the initial set of allowed values into ECS, and "registry" simply did not make it onto the docket for inclusion.

I am +1 to moving forward with adding this new value.

We'd proposed the definition below, but it should be discussed/reviewed again - as we are nearly 1 year "smarter" now :-)

Having to do with settings and assets associated with a host operating system, primarily Windows. Use this category to visualize and analyze activity such as registry modifications.
Expected values of event.type: creation, access, change, info, deletion

[webmat]

Ah thanks for digging these up, I'll adjust #1040 with this later today