Registry Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Data Lake Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | ID of the tenant that owns this record (CTPX tenant ID) |
| sensor_type | string | sensorType$ | Type of sensor that produced the event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | Sensor-side tenant identifier. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | Identifier of the sensor instance. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Original precision of the timestamp used to populate event_time_usec |
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| process_id | string | processId$ | Identifier provided by the OS for the running process that made the registry modification |
| process_create_time_usec | uint64 | processCreateTimeUsec$ | Create time, in µs, of the process that made the registry modification |
| commandline | string | commandline$ | Full command line of the process that made the registry modification |
| process_correlation_id | string | processCorrelationId$ | Process correlation ID that protects against rolling (reused) process IDs. For redcloak: host_id:id.pid:id.time_window |
| sensor_version | string | sensorVersion$ | The agent version as a string |
| name | string | name$ | Name of the registry key/value (subset of key) |
| path | string | path$ | Full path of the registry key/value |
| key | Registry.RegistryKey | key$ | Registry key details; see Registry.RegistryKey below |
| value | Registry.RegistryValue | value$ | Registry value details; see Registry.RegistryValue below |
| pivot | string | pivot$ | Primary hunting pivot point of the data, used for grouping |
| rule_context | repeated Registry.RuleContextEntry | ruleContext$ | Some rules add additional strings to hits to help analysts interpret results |
Registry.RegistryKey
| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| acl32 | string | acl32$ | Permissions on the key when a 32-bit app writes the redirected (WOW64) key on x64 |
| acl64 | string | acl64$ | Permissions on the key when a native app writes the key on x64 |
| last_write_time32_usec | uint64 | lastWriteTime32Usec$ | Last write time, in µs, when a 32-bit app writes the redirected (WOW64) key on x64 |
| last_write_time64_usec | uint64 | lastWriteTime64Usec$ | Last write time, in µs, when a native app on x64 stores data |
| pivot | string | pivot$ | |
Registry.RegistryValue
| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| type32 | Registry.RegistryValue.ValueType | type32$ | Type of the data stored when a 32-bit app writes the redirected (WOW64) key on x64 |
| type64 | Registry.RegistryValue.ValueType | type64$ | Type of the data stored when a native app on x64 stores data |
| data32 | string | data32$ | Data stored at the value when a 32-bit app writes the redirected (WOW64) key on x64 |
| data64 | string | data64$ | Data stored at the value when a native app on x64 stores data |
| name | string | name$ | valueName from the Taegis agent; used for both the 32-bit and 64-bit variants |
| pivot | string | pivot$ | |
Registry.RuleContextEntry
| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | string | | |
Registry.RegistryValue.ValueType
| Name | Number | Description |
| --- | --- | --- |
| REG_NONE | 0 | No defined value type. |
| REG_SZ | 1 | A null-terminated string. This will be either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions. |
| REG_EXPAND_SZ | 2 | A null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%"). It will be a Unicode or ANSI string depending on whether you use the Unicode or ANSI functions. To expand the environment variable references, use the ExpandEnvironmentStrings function. |
| REG_BINARY | 3 | Binary data in any form. |
| REG_DWORD | 4 | A 32-bit number. |
| REG_MULTI_SZ | 7 | A sequence of null-terminated strings, terminated by an empty string (\0). |
| REG_QWORD | 11 | A 64-bit number. |
| REG_DWORD_LITTLE_ENDIAN | 12 | A 32-bit number in little-endian format. Windows is designed to run on little-endian computer architectures. Therefore, this value is defined as REG_DWORD in the Windows header files. |
| REG_DWORD_BIG_ENDIAN | 13 | A 32-bit number in big-endian format. Some UNIX systems support big-endian architectures. |
| REG_LINK | 14 | A null-terminated Unicode string that contains the target path of a symbolic link that was created by calling the RegCreateKeyEx function with REG_OPTION_CREATE_LINK. |
| REG_QWORD_LITTLE_ENDIAN | 15 | A 64-bit number in little-endian format. Windows is designed to run on little-endian computer architectures. Therefore, this value is defined as REG_QWORD in the Windows header files. |
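The following is an added example, not code from the Taegis parser or from this documentation, showing how the top-level Registry table, the 32-bit/64-bit split in Registry.RegistryKey and Registry.RegistryValue, and the ValueType numbers above fit together. It maps a constructed Redcloak-style raw event onto the normalized field names, populates only the fields whose parser field exists in the original data (the note at the top of the page), picks whichever of data32/data64 the sensor filled in, and folds the REG_DWORD_LITTLE_ENDIAN / REG_QWORD_LITTLE_ENDIAN aliases onto REG_DWORD / REG_QWORD so a rule written for one number does not miss the other. The raw JSON layout, the sample events and the helper names are assumptions made for this illustration.

```python
"""Added example: normalize a constructed registry event into the Registry schema
fields documented above.  Not the Taegis parser; raw layout and helper names are
assumptions."""
import json
from datetime import datetime, timezone
from enum import IntEnum


class ValueType(IntEnum):
    """Registry.RegistryValue.ValueType numbers as listed in the table above."""
    REG_NONE = 0
    REG_SZ = 1
    REG_EXPAND_SZ = 2
    REG_BINARY = 3
    REG_DWORD = 4
    REG_MULTI_SZ = 7
    REG_QWORD = 11
    REG_DWORD_LITTLE_ENDIAN = 12
    REG_DWORD_BIG_ENDIAN = 13
    REG_LINK = 14
    REG_QWORD_LITTLE_ENDIAN = 15


def canonical_type(vt: ValueType) -> ValueType:
    """Fold the little-endian aliases onto REG_DWORD/REG_QWORD, as the Windows headers
    do, so a rule matching type64 == REG_DWORD also catches an event tagged 12."""
    return {ValueType.REG_DWORD_LITTLE_ENDIAN: ValueType.REG_DWORD,
            ValueType.REG_QWORD_LITTLE_ENDIAN: ValueType.REG_QWORD}.get(vt, vt)


# parser field -> normalized field, copied from the tables on this page
TOP_LEVEL = {
    "resourceId": "resource_id", "tenantId": "tenant_id", "sensorType": "sensor_type",
    "sensorEventId": "sensor_event_id", "sensorTenant": "sensor_tenant",
    "sensorId": "sensor_id", "sensorCpe": "sensor_cpe",
    "eventTimeUsec": "event_time_usec", "ingestTimeUsec": "ingest_time_usec",
    "eventTimeFidelity": "event_time_fidelity", "hostId": "host_id",
    "processId": "process_id", "processCreateTimeUsec": "process_create_time_usec",
    "commandline": "commandline", "processCorrelationId": "process_correlation_id",
    "sensorVersion": "sensor_version", "name": "name", "path": "path", "pivot": "pivot",
}
KEY_FIELDS = {"acl32": "acl32", "acl64": "acl64", "pivot": "pivot",
              "lastWriteTime32Usec": "last_write_time32_usec",
              "lastWriteTime64Usec": "last_write_time64_usec"}
VALUE_FIELDS = {"type32": "type32", "type64": "type64", "data32": "data32",
                "data64": "data64", "name": "name", "pivot": "pivot"}


def _project(raw: dict, mapping: dict) -> dict:
    # A normalized field is populated only when its parser field is in the original data.
    return {norm: raw[src] for src, norm in mapping.items() if src in raw}


def normalize(raw_json: str) -> dict:
    """Build the normalized record for one raw event; original_data keeps the raw text."""
    raw = json.loads(raw_json)
    rec = _project(raw, TOP_LEVEL)
    rec["original_data"] = raw_json
    if "key" in raw:
        rec["key"] = _project(raw["key"], KEY_FIELDS)
    if "value" in raw:
        val = _project(raw["value"], VALUE_FIELDS)
        for f in ("type32", "type64"):  # store the canonical enum name, not the bare number
            if f in val:
                val[f] = canonical_type(ValueType(val[f])).name
        rec["value"] = val
    if "ruleContext" in raw:  # repeated RuleContextEntry {key, value}
        rec["rule_context"] = [{"key": e["key"], "value": e["value"]} for e in raw["ruleContext"]]
    return rec


def effective_value(rec: dict):
    """Return (variant, type, data) for whichever side the sensor populated: the *64
    fields for a native write, the *32 fields for a 32-bit app redirected (WOW64) on x64."""
    val = rec.get("value", {})
    if "data64" in val:
        return "native", val.get("type64"), val["data64"]
    if "data32" in val:
        return "wow64", val.get("type32"), val["data32"]
    return None


def usec_to_iso(usec: int) -> str:
    """Render a *_usec field (assumed to be microseconds since the Unix epoch) as UTC ISO 8601."""
    return datetime.fromtimestamp(usec / 1_000_000, tz=timezone.utc).isoformat()


# Constructed sample events, not real telemetry.  A 32-bit installer on x64 writing under
# HKLM\SOFTWARE\Vendor is redirected to ...\WOW6432Node\..., so only the *32 fields are set.
WOW64_EVENT = json.dumps({
    "resourceId": "registry/evt-0001", "tenantId": "tenant-0001", "sensorType": "redcloak",
    "sensorEventId": "evt-0001", "sensorId": "agent-0001",
    "sensorCpe": "cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:*",
    "eventTimeUsec": 1700000000000000, "ingestTimeUsec": 1700000001500000,
    "hostId": "host-0001", "processId": "4321", "commandline": "C:\\Temp\\setup32.exe /s",
    "name": "Updater", "path": "HKLM\\SOFTWARE\\WOW6432Node\\Vendor\\Run\\Updater",
    "key": {"acl32": "BUILTIN\\Users:R", "lastWriteTime32Usec": 1700000000000000},
    "value": {"name": "Updater", "type32": 2, "data32": "%APPDATA%\\updater.exe"},
    "ruleContext": [{"key": "note", "value": "redirected 32-bit write"}],
})
# Native 64-bit write tagged with the REG_DWORD_LITTLE_ENDIAN alias (12) rather than 4.
NATIVE_EVENT = json.dumps({
    "resourceId": "registry/evt-0002", "tenantId": "tenant-0001", "sensorType": "redcloak",
    "eventTimeUsec": 1700000002000000, "hostId": "host-0001", "processId": "5555",
    "name": "Timeout", "path": "HKLM\\SOFTWARE\\Vendor\\Settings\\Timeout",
    "value": {"name": "Timeout", "type64": 12, "data64": "30"},
})

if __name__ == "__main__":
    for ev in (WOW64_EVENT, NATIVE_EVENT):
        rec = normalize(ev)
        print(usec_to_iso(rec["event_time_usec"]), rec["path"], effective_value(rec))
```

Two things to check when reading real events against this schema: a native 64-bit write leaves acl32, type32 and data32 absent rather than empty, so a search or rule must look at both variants (or at whichever effective_value-style selection the query language offers), and a numeric comparison on type32/type64 should treat 12 as REG_DWORD and 15 as REG_QWORD, which the canonical_type step above does before the name is stored.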