Registry Value

registry_value

The registry value object describes a Windows registry value.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0


Attributes

Caption Name Type Is Array Default Description
Data data JSON The data of the registry value.
Default Value is_default Boolean The indication of whether the value is stored under the default value name; for example, the value name may be missing.
System is_system Boolean The indication of whether the object is part of the operating system.
Modified Time modified_time Timestamp The time when the registry value was last modified.
Name name String The name of the registry value.
Path path Path Name The full path to the registry key in which the value is located.
Raw Data raw_data JSON The event data as received from the event source.
Record ID record_id String Unique identifier for the object.
Type type String A string representation of the value type as specified in Registry Value Types.
Type ID type_id Integer 0 The value type ID.
-1
Other
0
Unknown
1
REG_BINARY
10
REG_SZ
2
REG_DWORD
3
REG_DWORD_BIG_ENDIAN
4
REG_EXPAND_SZ
5
REG_LINK
6
REG_MULTI_SZ
7
REG_NONE
8
REG_QWORD
9
REG_QWORD_LITTLE_ENDIAN
99
Other
Unmapped Data unmapped Unmapped The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.

Context

Registry Value

JSON

            
{
  "caption": "Registry Value",
  "description": "The registry value object describes a Windows registry value.",
  "extends": "object",
  "name": "registry_value",
  "observable": 29,
  "attributes": {
    "data": {
      "description": "The data of the registry value.",
      "requirement": "optional",
      "caption": "Data",
      "type": "json_t"
    },
    "is_default": {
      "requirement": "optional",
      "caption": "Default Value",
      "description": "The indication of whether the value is stored under the default value name; for example, the value name may be missing.",
      "type": "boolean_t"
    },
    "is_system": {
      "requirement": "optional",
      "caption": "System",
      "description": "The indication of whether the object is part of the operating system.",
      "type": "boolean_t"
    },
    "modified_time": {
      "description": "The time when the registry value was last modified.",
      "requirement": "optional",
      "caption": "Modified Time",
      "type": "timestamp_t"
    },
    "name": {
      "description": "The name of the registry value.",
      "requirement": "required",
      "caption": "Name",
      "type": "string_t"
    },
    "path": {
      "description": "The full path to the registry key in which the value is located.",
      "requirement": "required",
      "caption": "Path",
      "type": "path_t"
    },
    "type": {
      "description": "A string representation of the value type as specified in <a target='_blank' href='https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types'>Registry Value Types</a>.",
      "requirement": "optional",
      "caption": "Type",
      "type": "string_t"
    },
    "type_id": {
      "description": "The value type ID.",
      "enum": {
        "1": {
          "caption": "REG_BINARY"
        },
        "10": {
          "caption": "REG_SZ"
        },
        "2": {
          "caption": "REG_DWORD"
        },
        "3": {
          "caption": "REG_DWORD_BIG_ENDIAN"
        },
        "4": {
          "caption": "REG_EXPAND_SZ"
        },
        "5": {
          "caption": "REG_LINK"
        },
        "6": {
          "caption": "REG_MULTI_SZ"
        },
        "7": {
          "caption": "REG_NONE"
        },
        "8": {
          "caption": "REG_QWORD"
        },
        "9": {
          "caption": "REG_QWORD_LITTLE_ENDIAN"
        },
        "99": {
          "caption": "Other",
          "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
        },
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown."
        },
        "-1": {
          "caption": "Other",
          "description": "The type is not mapped. See the <code>type</code> attribute, which may contain a data source specific value."
        }
      },
      "requirement": "recommended",
      "caption": "Type ID",
      "sibling": "type",
      "type": "integer_t",
      "default": 0
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object.",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  },
  "extension": "windows",
  "@deprecated": {
    "since": "1.1.0",
    "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
  }
}