The Registry Event schema is used to describe the Windows activity of creating, modifying, or deleting Windows Registry entities.
Registry events are specific to Windows systems, but are reported by different systems that monitor Windows, such as EDR (Endpoint Detection and Response) systems, Sysmon, or Windows itself.
For more information about normalization in Microsoft Sentinel, see Normalization and the Advanced Security Information Model (ASIM).
Parsers
To use the unifying parser that unifies all of the built-in parsers, and ensure that your analysis runs across all the configured sources, use imRegistry as the table name in your query.
For the list of the Registry Event parsers Microsoft Sentinel provides out-of-the-box, refer to the ASIM parsers list.
Deploy the unifying and source-specific parsers from the Microsoft Sentinel GitHub repository.
For more information, see ASIM parsers and Use ASIM parsers.
Add your own normalized parsers
When implementing custom parsers for the Registry Event information model, name your KQL functions using the following syntax: imRegistry<vendor><Product>.
Add your KQL functions to the imRegistry unifying parser to ensure that any content using the Registry Event model also uses your new parser.
Normalized content
Microsoft Sentinel provides the Persisting Via IFEO Registry Key hunting query. This query works on any registry activity data normalized using the Advanced Security Information Model.
For more information, see Hunt for threats with Microsoft Sentinel.
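The following query is an added illustration of querying the imRegistry unifying parser for the persistence technique the built-in hunting query targets. It is not the built-in "Persisting Via IFEO Registry Key" query, and the seven-day window and the selected columns are illustrative choices, not part of the schema.

```kusto
// Added example (not the built-in "Persisting Via IFEO Registry Key" query):
// find "Debugger" values written under Image File Execution Options, which
// redirect execution of the named program to an attacker-chosen binary.
// The 7-day window and the chosen columns are illustrative assumptions.
imRegistry
| where TimeGenerated > ago(7d)
| where EventType == "RegistryValueSet"
// Root-key prefixes are already normalized by the parser, so one match covers
// HKLM, \REGISTRY\MACHINE, and any other source representation.
| where RegistryKey contains "Image File Execution Options"
| where RegistryValue =~ "Debugger"
// The program being hijacked is the last element of the key path.
| extend KeyParts = split(RegistryKey, @"\")
| extend TargetExe = tostring(KeyParts[array_length(KeyParts) - 1])
// RegistryValueData holds the debugger command line that will run instead.
| summarize
    Events = count(),
    FirstSeen = min(EventStartTime),
    LastSeen = max(EventEndTime),
    Hosts = make_set(DvcHostname)
    by TargetExe, RegistryValueData, ActorUsername, ActingProcessName
| order by LastSeen desc
```

Because the query uses only normalized fields (EventType, RegistryKey, RegistryValue, RegistryValueData, and the Actor and Dvc fields), it returns results from every configured source behind imRegistry, whether that source is Sysmon, Windows Security Events, or an EDR product.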
Schema details
The Registry Event information model is aligned with the OSSEM Registry entity schema.
Common ASIM fields
Important
Fields common to all schemas are described in detail in the ASIM Common Fields article.
Common fields with specific guidelines
The following list mentions fields that have specific guidelines for registry activity events:
| Field | Class | Type | Description |
|---|---|---|---|
| EventType | Mandatory | Enumerated | Describes the operation reported by the record. For Registry records, supported values include: RegistryKeyCreated, RegistryKeyDeleted, RegistryKeyRenamed, RegistryValueDeleted, RegistryValueSet |
| EventSchemaVersion | Mandatory | SchemaVersion (String) | The version of the schema. The version of the schema documented here is 0.1.3 |
| EventSchema | Mandatory | String | The name of the schema documented here is RegistryEvent. |
| Dvc fields | | | For registry activity events, device fields refer to the system on which the registry activity occurred. |
All common fields
Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the ASIM Common Fields article.
| Class | Fields |
|---|---|
| Mandatory | EventCount, EventStartTime, EventEndTime, EventType, EventResult, EventProduct, EventVendor, EventSchema, EventSchemaVersion, Dvc |
| Recommended | EventResultDetails, EventSeverity, EventUid, DvcIpAddr, DvcHostname, DvcDomain, DvcDomainType, DvcFQDN, DvcId, DvcIdType, DvcAction |
| Optional | EventMessage, EventSubType, EventOriginalUid, EventOriginalType, EventOriginalSubType, EventOriginalResultDetails, EventOriginalSeverity, EventProductVersion, EventReportUrl, EventOwner, DvcZone, DvcMacAddr, DvcOs, DvcOsVersion, DvcOriginalAction, DvcInterface, AdditionalFields, DvcDescription, DvcScopeId, DvcScope |
Registry Event specific fields
The fields listed in the table below are specific to Registry events, but are similar to fields in other schemas and follow similar naming conventions.
For more information, see Structure of the Registry in Windows documentation.
| Field | Class | Type | Description |
|---|---|---|---|
| RegistryKey | Mandatory | String | The registry key associated with the operation, normalized to standard root key naming conventions. For more information, see Root Keys. Registry keys are similar to folders in file systems. For example: HKEY_LOCAL_MACHINE\SOFTWARE\MTG |
| RegistryValue | Recommended | String | The registry value associated with the operation. Registry values are similar to files in file systems. For example: Path |
| RegistryValueType | Recommended | String | The type of registry value, normalized to standard form. For more information, see Value Types. For example: Reg_Expand_Sz |
| RegistryValueData | Recommended | String | The data stored in the registry value. Example: C:\Windows\system32;C:\Windows; |
| RegistryPreviousKey | Recommended | String | For operations that modify the registry, the original registry key, normalized to standard root key naming. For more information, see Root Keys. Note: If the operation changed other fields, such as the value, but the key remains the same, the RegistryPreviousKey will have the same value as RegistryKey. Example: HKEY_LOCAL_MACHINE\SOFTWARE\MTG |
| RegistryPreviousValue | Recommended | String | For operations that modify the registry, the original registry value name. If the value name was not changed, this field has the same value as the RegistryValue field. Example: Path |
| RegistryPreviousValueType | Recommended | String | For operations that modify the registry, the original value type. If the type was not changed, this field will have the same value as the RegistryValueType field, normalized to the standard form. For more information, see Value types. Example: Reg_Expand_Sz |
| RegistryPreviousValueData | Recommended | String | The original registry data, for operations that modify the registry. Example: C:\Windows\system32;C:\Windows; |
| User | Alias | | Alias to the ActorUsername field. Example: CONTOSO\dadmin |
| Process | Alias | | Alias to the ActingProcessName field. Example: C:\Windows\System32\rundll32.exe |
| ActorUsername | Mandatory | Username (String) | The user name of the user who initiated the event. Example: CONTOSO\WIN-GG82ULGC9GO$ |
| ActorUsernameType | Conditional | Enumerated | Specifies the type of the user name stored in the ActorUsername field. For more information, see The User entity. Example: Windows |
| ActorUserId | Recommended | String | A unique ID of the Actor. The specific ID depends on the system generating the event. For more information, see The User entity. Example: S-1-5-18 |
| ActorScope | Optional | String | The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. For more information and a list of allowed values, see UserScope in the Schema Overview article. |
| ActorUserIdType | Conditional | Enumerated | The type of the ID stored in the ActorUserId field. For more information, see The User entity. Example: SID |
| ActorSessionId | Optional | String | The unique ID of the login session of the Actor. Example: 999. Note: The type is defined as string to support varying systems, but on Windows this value must be numeric. If you are using a Windows machine and the source sends a different type, make sure to convert the value. For example, if the source sends a hexadecimal value, convert it to a decimal value. |
| ActingProcessName | Optional | String | The file name of the acting process image file. This name is typically considered to be the process name. Example: C:\Windows\explorer.exe |
| ActingProcessId | Mandatory | String | The process ID (PID) of the acting process. Example: 48610176 Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric. If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value. |
| ActingProcessGuid | Optional | GUID (String) | A generated unique identifier (GUID) of the acting process. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00 |
| ParentProcessName | Optional | String | The file name of the parent process image file. This value is typically considered to be the process name. Example: C:\Windows\explorer.exe |
| ParentProcessId | Mandatory | String | The process ID (PID) of the parent process. Example: 48610176 |
| ParentProcessGuid | Optional | String | A generated unique identifier (GUID) of the parent process. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00 |
Inspection fields
The following fields are used to represent the inspection performed by a security system, such as an EDR system.
| Field | Class | Type | Description |
|---|---|---|---|
| RuleName | Optional | String | The name or ID of the rule associated with the inspection results. |
| RuleNumber | Optional | Integer | The number of the rule associated with the inspection results. |
| Rule | Conditional | String | Either the value of RuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string. |
| ThreatId | Optional | String | The ID of the threat or malware identified in the registry activity. |
| ThreatName | Optional | String | The name of the threat or malware identified in the registry activity. Example: EICAR Test File |
| ThreatCategory | Optional | String | The category of the threat or malware identified in the registry activity. Example: Trojan |
| ThreatRiskLevel | Optional | RiskLevel (Integer) | The risk level associated with the identified threat. The level should be a number between 0 and 100. Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatOriginalRiskLevel. |
| ThreatOriginalRiskLevel | Optional | String | The risk level as reported by the reporting device. |
| ThreatField | Optional | String | The field for which a threat was identified. |
| ThreatConfidence | Optional | ConfidenceLevel (Integer) | The confidence level of the threat identified, normalized to a value between 0 and 100. |
| ThreatOriginalConfidence | Optional | String | The original confidence level of the threat identified, as reported by the reporting device. |
| ThreatIsActive | Optional | Boolean | True if the threat identified is considered an active threat. |
| ThreatFirstReportedTime | Optional | datetime | The first time the threat was identified. |
| ThreatLastReportedTime | Optional | datetime | The last time the threat was identified. |
Root keys
Different sources represent registry key prefixes using different representations. For the RegistryKey and RegistryPreviousKey fields, use the following normalized prefixes:
| Normalized key prefix | Other common representations |
|---|---|
| HKEY_LOCAL_MACHINE | HKLM, \REGISTRY\MACHINE |
| HKEY_USERS | HKU, \REGISTRY\USER |
Value types
Different sources represent registry value types using different representations. For the RegistryValueType and RegistryPreviousValueType fields, use the following normalized types:
| Normalized value type | Other common representations |
|---|---|
| Reg_None | None, %%1872 |
| Reg_Sz | String, %%1873 |
| Reg_Expand_Sz | ExpandString, %%1874 |
| Reg_Binary | Binary, %%1875 |
| Reg_DWord | Dword, %%1876 |
| Reg_Multi_Sz | MultiString, %%1879 |
| Reg_QWord | Qword, %%1883 |
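The following function body is an added example of a custom parser written to this schema; it is not one of the built-in ASIM parsers. It ties together the parser naming convention described under "Add your own normalized parsers", the EventType enumeration, and the root key and value type normalization tables above. The vendor "Contoso", the product "Agent", the source table Contoso_Registry_CL and its columns are all assumptions for illustration; a constructed datatable stands in for the source table so the query runs as-is in Log Analytics.

```kusto
// Added example of a custom ASIM Registry Event parser (not a built-in parser).
// Assumed source: a hypothetical table Contoso_Registry_CL with the columns
// below, stood in for here by constructed sample rows so the query runs alone.
let Contoso_Registry_CL = datatable(
    TimeGenerated:datetime, Computer:string, Operation:string, KeyPath:string,
    ValueName:string, ValueType:string, ValueData:string, Account:string,
    ProcessPath:string, ProcessId:int)
[
    datetime(2024-05-01 10:00:00), "WS01", "SetValue",
        @"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater", "%%1873",
        @"C:\Users\Public\u.exe", @"CONTOSO\alice", @"C:\Windows\System32\reg.exe", 4120,
    datetime(2024-05-01 10:01:00), "WS01", "CreateKey",
        @"\REGISTRY\MACHINE\SOFTWARE\Contoso", "", "",
        "", @"NT AUTHORITY\SYSTEM", @"C:\Program Files\Contoso\agent.exe", 812,
    datetime(2024-05-01 10:02:00), "WS02", "SetValue",
        @"HKU\S-1-5-21-1-2-3-1001\Environment", "Path", "ExpandString",
        @"C:\Windows\system32;C:\Windows;", @"CONTOSO\bob", @"C:\Windows\explorer.exe", 5560
];
// Save the pipeline below as the function imRegistryContosoAgent
// (imRegistry<vendor><Product>) and add it to the imRegistry unifying parser.
Contoso_Registry_CL
// EventType: map the source's operation names onto the ASIM enumeration.
| extend EventType = case(
    Operation == "CreateKey",   "RegistryKeyCreated",
    Operation == "DeleteKey",   "RegistryKeyDeleted",
    Operation == "RenameKey",   "RegistryKeyRenamed",
    Operation == "DeleteValue", "RegistryValueDeleted",
    Operation == "SetValue",    "RegistryValueSet",
    "")
| where isnotempty(EventType)
// RegistryKey: rewrite the root key prefix per the "Root keys" table.
// startswith is case-insensitive, which matches how Windows treats key paths.
| extend RegistryKey = case(
    KeyPath startswith @"HKLM\",              strcat("HKEY_LOCAL_MACHINE", substring(KeyPath, 4)),
    KeyPath startswith @"\REGISTRY\MACHINE\", strcat("HKEY_LOCAL_MACHINE", substring(KeyPath, 17)),
    KeyPath startswith @"HKU\",               strcat("HKEY_USERS", substring(KeyPath, 3)),
    KeyPath startswith @"\REGISTRY\USER\",    strcat("HKEY_USERS", substring(KeyPath, 14)),
    KeyPath)
// RegistryValueType: fold %%NNNN codes and friendly names into the Reg_* form
// per the "Value types" table; unknown types are passed through unchanged.
| extend RegistryValueType = case(
    ValueType in~ ("None", "%%1872"),         "Reg_None",
    ValueType in~ ("String", "%%1873"),       "Reg_Sz",
    ValueType in~ ("ExpandString", "%%1874"), "Reg_Expand_Sz",
    ValueType in~ ("Binary", "%%1875"),       "Reg_Binary",
    ValueType in~ ("Dword", "%%1876"),        "Reg_DWord",
    ValueType in~ ("MultiString", "%%1879"),  "Reg_Multi_Sz",
    ValueType in~ ("Qword", "%%1883"),        "Reg_QWord",
    ValueType)
// Mandatory and recommended common fields. EventResult is assumed to be
// "Success" because this hypothetical source only logs completed operations.
| extend
    EventCount         = int(1),
    EventStartTime     = TimeGenerated,
    EventEndTime       = TimeGenerated,
    EventResult        = "Success",
    EventVendor        = "Contoso",
    EventProduct       = "Agent",
    EventSchema        = "RegistryEvent",
    EventSchemaVersion = "0.1.3",
    Dvc                = Computer,
    DvcHostname        = Computer,
    RegistryValue      = ValueName,
    RegistryValueData  = ValueData,
    ActorUsername      = Account,
    ActorUsernameType  = "Windows",
    ActingProcessName  = ProcessPath,
    // ActingProcessId is a string in the schema but must stay numeric on Windows.
    ActingProcessId    = tostring(ProcessId)
// Aliases defined by the schema.
| extend User = ActorUsername, Process = ActingProcessName
| project-away Operation, KeyPath, ValueName, ValueType, ValueData, Account, ProcessPath, ProcessId, Computer
```

Running the query against the sample rows yields HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with Reg_Sz, HKEY_LOCAL_MACHINE\SOFTWARE\Contoso as a RegistryKeyCreated event, and HKEY_USERS\S-1-5-21-1-2-3-1001\Environment with Reg_Expand_Sz, so content written against imRegistry, such as a query matching RegistryKey contains "CurrentVersion\Run", matches this source the same way it matches Sysmon or Windows Security Events.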
Schema updates
These are the changes in version 0.1.1 of the schema:
- Added the field EventSchema.
These are the changes in version 0.1.2 of the schema:
- Added the fields ActorScope, DvcScopeId, and DvcScope.
These are the changes in version 0.1.3 of the schema:
- Added inspection fields.
Next steps
For more information, see: