I'd like to report an incomplete transform of RegistryValueData in Splunk_TA_microsoft_sysmon v1.0.1
Now it looks like:
[sysmon-registryvaluedata]
REGEX = <Data Name='Details'>\w+\s\((.+)\)</Data>
FORMAT = RegistryValueData::$1
So it works fine when Details contains: DWORD (0x00000001)
But when it is a string value, it doesn't make sense.
What about this transform?
[sysmon-registryvaluedata]
# Try the typed form first, then fall back to the raw string value.
# (?| is a PCRE branch reset, so whichever alternative matches fills $1;
# with a plain (?: ... | ...) the string branch would land in $2 and FORMAT would miss it.
REGEX = <Data Name='Details'>(?|\w+\s\((.+)\)|(.*))</Data>
FORMAT = RegistryValueData::$1
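To see the difference between the two transforms on concrete input, here is an added example (not part of the original post or of Splunk_TA_microsoft_sysmon) that runs both regexes over a few constructed Sysmon Event ID 13 Details fields in the XML form Splunk ingests. Python's re module has no PCRE branch reset, so the corrected regex is written with two capture groups and the extractor returns whichever group participated; in transforms.conf the branch-reset form with a single $1 does the same job.

```python
import re

# Constructed sample Details fields (not captured from a real host); the
# typed forms follow Sysmon's "DWORD (0x...)" / "QWORD (0x...)" convention,
# the others are a plain string value and a REG_BINARY placeholder.
SAMPLE_EVENTS = [
    "<Data Name='Details'>DWORD (0x00000001)</Data>",
    "<Data Name='Details'>QWORD (0x0000000000000002)</Data>",
    "<Data Name='Details'>C:\\Program Files (x86)\\Vendor\\updater.exe</Data>",
    "<Data Name='Details'>Binary Data</Data>",
]

# Transform as shipped in Splunk_TA_microsoft_sysmon v1.0.1: only values of
# the form "<type> (<value>)" produce RegistryValueData.
ORIGINAL_REGEX = re.compile(r"<Data Name='Details'>\w+\s\((.+)\)</Data>")

# Corrected transform: typed values keep the inner value, anything else is
# taken verbatim. Two groups here stand in for PCRE's (?| ... | ...) branch reset.
FIXED_REGEX = re.compile(r"<Data Name='Details'>(?:\w+\s\((.+)\)|(.*))</Data>")


def extract(regex, event):
    """Return what the transform would assign to RegistryValueData, or None."""
    m = regex.search(event)
    if not m:
        return None
    # Mimic FORMAT = RegistryValueData::$1 under a branch reset: the first
    # group that actually matched carries the value.
    return next((g for g in m.groups() if g is not None), None)


def run(regex, events=SAMPLE_EVENTS):
    """Apply one transform to every sample event and collect the results."""
    return [extract(regex, e) for e in events]


if __name__ == "__main__":
    for label, regex in (("original", ORIGINAL_REGEX), ("fixed", FIXED_REGEX)):
        print(label)
        for event, value in zip(SAMPLE_EVENTS, run(regex)):
            print(f"  {event!r:70} -> {value!r}")
```

The original transform yields None for the string and binary values, so searches on RegistryValueData silently miss those events; the corrected one extracts all four. One caveat worth knowing: a string value that happens to look like `word (something)` is indistinguishable from a typed value and will be reduced to the parenthesised part, which is the same ambiguity the shipped regex already has.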