110 строки
2.9 KiB
YAML
110 строки
2.9 KiB
YAML
Schema:
|
|
Schema: RegistryEvent
|
|
Version: '0.1.0'
|
|
Last Updated: Sept 12 2023
|
|
References:
|
|
- Title: ASIM DHCP Schema
|
|
Link: https://aka.ms/ASimRegistryEventDoc
|
|
- Title: ASIM
|
|
Link: https://aka.ms/AboutASIM
|
|
|
|
Include:
|
|
|
|
# Metadata
|
|
- Name: Enumerations
|
|
File: common/ASimEnumerations.yaml
|
|
|
|
# Common fields
|
|
- Name: Event Fields
|
|
File: common/ASimEventFields.yaml
|
|
- Name: Inspection fields
|
|
File: common/ASimInspectionFields.yaml
|
|
|
|
# Entities
|
|
- Name: Dvc
|
|
File: entities/ASimDvc.yaml
|
|
- Name: Actor entity
|
|
File: entities/ASimActor.yaml
|
|
- Name: Acting process entity
|
|
File: entities/ASimProcess.yaml
|
|
Role: Acting
|
|
- Name: Parent process entity
|
|
File: entities/ASimProcess.yaml
|
|
Role: Parent
|
|
|
|
Fields:
|
|
# Common fields overrides and additions
|
|
- Name: EventType
|
|
Type: string
|
|
Class: Mandatory
|
|
Logical type: Enumerated
|
|
List of values: [ RegistryKeyCreated, RegistryKeyDeleted, RegistryKeyRenamed, RegistryValueDeleted, RegistryValueSet ]
|
|
Description: Describes the operation reported by the record.
|
|
|
|
- Name: EventSchema
|
|
Type: string
|
|
Class: Mandatory
|
|
Logical type: Enumerated
|
|
List of values: [ RegistryEvent ]
|
|
|
|
# Aliases
|
|
- Name: User
|
|
Type: string
|
|
Class: Alias
|
|
Description: Alias to the ActorUsername field.
|
|
Aliases: ActorUsername
|
|
|
|
- Name: Process
|
|
Type: string
|
|
Class: Alias
|
|
Description: Alias to the ActingProcessName field.
|
|
Aliases: ActingProcessName
|
|
|
|
# Registry event fields
|
|
- Name: RegistryKey
|
|
Class: Mandatory
|
|
Type: string
|
|
Description: The registry key associated with the operation, normalized to standard root key naming conventions.
|
|
Example: 'HKEY_LOCAL_MACHINE\SOFTWARE\MTG'
|
|
|
|
- Name: RegistryValue
|
|
Class: Recommended
|
|
Type: string
|
|
Description: The registry value associated with the operation. Registry values are similar to files in file systems.
|
|
Example: Path
|
|
|
|
- Name: RegistryValueType
|
|
Class: Recommended
|
|
Type: string
|
|
Description: The type of registry value, normalized to standard form.
|
|
Example: 'Reg_Expand_Sz'
|
|
|
|
- Name: RegistryValueData
|
|
Class: Recommended
|
|
Type: string
|
|
Description: The data stored in the registry value.
|
|
Example: 'C:\Windows\system32;C:\Windows;'
|
|
|
|
- Name: RegistryPreviousKey
|
|
Class: Recommended
|
|
Type: string
|
|
Description: For operations that modify the registry, the original registry key, normalized to standard root key naming.
|
|
Example: 'HKEY_LOCAL_MACHINE\SOFTWARE\MTG'
|
|
|
|
- Name: RegistryPreviousValue
|
|
Class: Recommended
|
|
Type: string
|
|
Description: For operations that modify the registry, the original value type, normalized to the standard form.
|
|
Example: Path
|
|
|
|
- Name: RegistryPreviousValueType
|
|
Class: Recommended
|
|
Type: string
|
|
Description: For operations that modify the registry, the original value type.
|
|
Example: 'Reg_Expand_Sz'
|
|
|
|
- Name: RegistryPreviousValueData
|
|
Class: Recommended
|
|
Type: string
|
|
Description: The original registry data, for operations that modify the registry.
|
|
Example: 'C:\Windows\system32;C:\Windows;' |