Registry Key
registry_key
The registry key object describes a Windows registry key.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Attributes
Caption | Name | Type | Is Array | Default | Description |
---|---|---|---|---|---|
System | is_system | Boolean | | | The indication of whether the object is part of the operating system. |
Modified Time | modified_time | Timestamp | | | The time when the registry key was last modified. |
Path | path | Path Name | | | The full path to the registry key. |
Raw Data | raw_data | JSON | | | The event data as received from the event source. |
Record ID | record_id | String | | | Unique identifier for the object |
Security Descriptor | security_descriptor | String | | | The security descriptor of the registry key. |
Unmapped Data | unmapped | Unmapped | true | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
JSON
```json
{
  "caption": "Registry Key",
  "observable": 28,
  "name": "registry_key",
  "description": "The registry key object describes a Windows registry key.",
  "extends": "object",
  "attributes": {
    "is_system": {
      "requirement": "optional",
      "caption": "System",
      "description": "The indication of whether the object is part of the operating system.",
      "type": "boolean_t"
    },
    "modified_time": {
      "description": "The time when the registry key was last modified.",
      "requirement": "optional",
      "caption": "Modified Time",
      "type": "timestamp_t"
    },
    "path": {
      "caption": "Path",
      "description": "The full path to the registry key.",
      "requirement": "required",
      "type": "path_t"
    },
    "security_descriptor": {
      "caption": "Security Descriptor",
      "description": "The security descriptor of the registry key.",
      "requirement": "optional",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  },
  "extension": "windows",
  "@deprecated": {
    "since": "1.1.0",
    "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
  }
}
```