Registry Fields

Fields related to Windows Registry operations.
Registry Field Details

Field | Description | Level
---|---|---
registry.data.bytes | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data the API's data pointer refers to. type: keyword | extended
registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of strings with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g. the number rendered as a decimal string). type: wildcard. Note: this field should contain an array of values. | core
registry.data.type | Standard registry type for encoding contents. type: keyword | core
registry.hive | Abbreviated name for the hive. type: keyword | core
registry.key | Hive-relative path of keys. type: keyword | core
registry.path | Full path, including hive, key and value. type: keyword | core
registry.value | Name of the value written. type: keyword | core
Field Reuse

The registry fields are expected to be nested at:
- threat.enrichments.indicator.registry
- threat.indicator.registry

Note also that the registry fields may be used directly at the root of the events.
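As an added example (not code from the ECS project), the following Python shows how a registry write observed by an endpoint sensor maps onto the field set above: the raw value blob becomes base64 in `registry.data.bytes`, the typed decoding becomes the `registry.data.strings` array (one UTF-16LE string for REG_SZ/REG_EXPAND_SZ, several for REG_MULTI_SZ, a decimal string for REG_DWORD/REG_QWORD, and no field at all for types that have no string rendering, so the field is never a scalar), and the result can be placed either at the event root or under one of the reuse locations such as `threat.indicator.registry`. The hive, key and value names, the helper function names, and the raw byte strings are constructed for the example and are not values from the page.

```python
import base64
import json
import struct

# Constructed sample location for the example; not taken from the ECS page.
SAMPLE_HIVE = "HKLM"
SAMPLE_KEY = "SOFTWARE\\ExampleVendor\\ExampleApp"


def decode_strings(reg_type, raw):
    """Produce the registry.data.strings array for a raw value blob.

    Returns an empty list for types the schema does not render as strings
    (e.g. REG_BINARY) so the caller can omit the field rather than emit a
    scalar, which the schema note forbids.
    """
    if reg_type in ("REG_SZ", "REG_EXPAND_SZ"):
        # One NUL-terminated UTF-16LE string: keep the text before the first NUL.
        text = raw.decode("utf-16-le", errors="replace")
        return [text.split("\x00", 1)[0]]
    if reg_type == "REG_MULTI_SZ":
        # NUL-terminated UTF-16LE strings, with an extra NUL closing the list.
        text = raw.decode("utf-16-le", errors="replace")
        return [s for s in text.split("\x00") if s]
    if reg_type == "REG_DWORD":
        if len(raw) != 4:
            raise ValueError("REG_DWORD must be exactly 4 bytes")
        return [str(struct.unpack("<I", raw)[0])]  # little-endian unsigned 32-bit
    if reg_type == "REG_QWORD":
        if len(raw) != 8:
            raise ValueError("REG_QWORD must be exactly 8 bytes")
        return [str(struct.unpack("<Q", raw)[0])]  # little-endian unsigned 64-bit
    return []


def registry_fields(hive, key, value, reg_type, raw):
    """Build the registry.* field set for one write of `raw` to hive\\key\\value."""
    fields = {
        "hive": hive,
        "key": key,
        "value": value,
        "path": "\\".join((hive, key, value)),  # registry.path = hive + key + value
        "data": {
            "type": reg_type,
            "bytes": base64.b64encode(raw).decode("ascii"),
        },
    }
    strings = decode_strings(reg_type, raw)
    if strings:
        fields["data"]["strings"] = strings  # always an array, never a scalar
    return fields


def nest_registry(fields, location="registry"):
    """Place the field set at a dotted location such as
    'threat.indicator.registry' (one of the reuse locations above) or at the
    event root with the default 'registry'."""
    event = {}
    cursor = event
    parts = location.split(".")
    for part in parts[:-1]:
        cursor = cursor.setdefault(part, {})
    cursor[parts[-1]] = fields
    return event


if __name__ == "__main__":
    # Constructed sample writes covering each decoding branch.
    samples = [
        ("Debugger", "REG_SZ", "C:\\tools\\dbg.exe\x00".encode("utf-16-le")),
        ("Paths", "REG_MULTI_SZ", "C:\\a\x00C:\\b\x00\x00".encode("utf-16-le")),
        ("Enabled", "REG_DWORD", b"\x01\x00\x00\x00"),
        ("Blob", "REG_BINARY", b"\xde\xad\xbe\xef"),
    ]
    for name, rtype, raw in samples:
        event = nest_registry(registry_fields(SAMPLE_HIVE, SAMPLE_KEY, name, rtype, raw))
        print(json.dumps(event, indent=2))
    # The same field set nested as a threat indicator instead of at the root.
    indicator = nest_registry(
        registry_fields(SAMPLE_HIVE, SAMPLE_KEY, "Enabled", "REG_DWORD", b"\x01\x00\x00\x00"),
        "threat.indicator.registry",
    )
    print(json.dumps(indicator, indent=2))
```

Keeping `registry.data.bytes` alongside the decoded strings matters for detection work: the decoded array is what rules match on, while the base64 copy lets an analyst recover the exact bytes if the decoding was lossy or the type was mislabelled.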