M365 Defender Integration: Rather than removing HKEY_CURRENT_USER and and HKEY_LOCAL_MACHINE, replace them with HKCU and HKLM to avoiding breaking detection rules

[bczifra]

In https://github.com/elastic/integrations/blob/main/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml#L533 HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE are stripped from ctx.m365_defender.event.registry.key. As a result, rules like https://github.com/elastic/detection-rules/blob/020ca4be24d4e38d8ac8f3fff6551d588042347e/rules/_deprecated/privilege_escalation_printspooler_malicious_registry_modification.toml#L34, which refer to the abbreviated form of those values, won't be triggered.

Instead of stripping those values, the integration should replace them with their standard abbreviations (HKCU and HKLM), which are used by the rules. Additionally, it should fill the ECS field regisitry.hive as without this there is no way to know what registry hive the key is located in.

[the-pixel-hunter]

Hi unreleated but as its registry event i suguest it maybe included in the same change, for m365 defender events with event.action registrykeydeleted or registryvalyedeleted. the key edited is actually located in m365_defender.event.previous.registry_key and registry.key is not set this is not ECS

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[efd6]

/cc @w0rk3r

[kcreddy]

Hey @bczifra @the-pixel-hunter
After an internal discussion, working on a change here: #10179
Note that this change still continue to remove HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE from the registry.key, but the registry.path now remains unaffected.

            "registry": {
                "data": {
                    "type": "Binary"
                },
                "key": "SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C",
-                "path": "SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C\\Blob",
+                "path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Windows Live ID Token Issuer\\Certificates\\B68D8F953E551914324E557E6164D68B9926650C\\Blob",
                "value": "Blob"
            },

Coming to the rule in question, it seems to be deprecated. If you would like to use the rule, you can Duplicate rule and make necessary changes to incorporate HKEY_LOCAL_MACHINE.
cc: @w0rk3r

[kcreddy]

Added registry.hive in b291386

[kcreddy]

After noticing quite a few rules depend on registry.path starting with abbreviated HKLM, the PR is updated accordingly.
registry.path is derived from registry.hive (abbreviated) + registry.key + registry.value