Add registry fieldset

[rw-access]

Added field set for Windows registry.

Closes #671

[webmat]

Thanks for opening this, Ross. A few adjustments are needed, but this looks good :-)

• We had discussed having registry.data.original, which should always be filled, and contain the base 64 encoding of the data. Did you forget to include it, or was there a reason you're not adding it yet? (either is fine)

See also the review comments for a few more small things

[webmat]

One more thing. The sorting on the field reference page is by short name, not by title. Which means "Windows Registry" is in the middle of the pack, instead of at the end 😂

For now simplest would be to rename title to "Registry", and omit Windows, IMO. Or if people feel like the word "Windows" is very important, perhaps we can do "Registry (Windows)".

I prefer that over changing the sorting to be based on "title", as the underlying field set will actually be "registry.*". I feel it's important that the titles follow this closely.

[rw-access]

Yes, I'll add back registry.data.original, but mark it as extended. I think it's fair to make it optional, at the very least to keep storage low. The change to Registry (Windows) is probably the most clear, so I'll give that a try.

[webmat]

The way I see these potentially big fields is that users always have the power to remove them when & how they see fit. In doing that, they obviously lose the ability to utilize them later on. Elastic can even decide to make this optional & off by default in the solutions.

But in defining the schema itself, it's still useful to define the fields regardless of disk usage. Just like we did for http request/response body.

Perhaps we should add general documentation around this at some point.

[webmat]

@rw-access Do you think you'll have time to add registry.data.original soon? I'd like the descriptions for the data fields to be centered around it. E.g. 1) always store the base64 in original 2) copy to .integer when appropriate, copy to .strings when appropriate.

If you don't think you'll have time, we can still proceed and add .original later.

But we still need to fix the following before merging:

• the field set's short: None
• change the title to "Registry (Windows)" or equivalent, to avoid sorting surprises

[webmat]

LGTM, thanks for the adjustments.

One last discussion point, but we can merge if you're not convinced of the point below

[webmat]

As discussed out of band, we're removing registry.data.integer for now, since long in ES is signed, and in the registry is unsigned.

We'll move forward and merge the rest of this PR as is, and continue thinking on what we do with the .integer field. The keyword datatype would let us query for exact values and aggregate, but wouldn't support numeric operations or sorting. So more thinking is required.