
Registry Event Properties

The following event properties can be used with registry events in uAQL queries (event type Reg.*). In addition to the properties listed here, the common event properties apply as well.

| Property name | uAQL Data Type | Description | Platform |
|---|---|---|---|
| Reg.Key.Path | String | The absolute path of the registry key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$`). Not supported for Reg.Key.Rename. | Win |
| Reg.Key.Name | String | The name of the registry key, i.e., the last path element of the full path (e.g., `^lmhosts$`). Not supported for Reg.Key.Rename. | Win |
| Reg.Parent.Key.Path | String | The absolute path to the parent key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services$`). Not supported for Reg.Key.Rename. | Win |
| Reg.Key.Path.New | String | The new absolute path of the registry key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$`). Only supported for Reg.Key.Rename. | Win |
| Reg.Key.Path.Old | String | The old absolute path of the registry key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$`). Only supported for Reg.Key.Rename. | Win |
| Reg.Value.Name | String | The name of a key property (e.g., `RequiredPrivileges`). | Win |
| Reg.Value.Data | Number or String | The content written to the registry value. | Win |
| Reg.Value.Type | Number | The numeric value representing the data type of the content written to the registry value. Possible values: 0 = REG_NONE, 1 = REG_SZ, 2 = REG_EXPAND_SZ, 3 = REG_BINARY, 4 = REG_DWORD, 4 = REG_DWORD_LITTLE_ENDIAN, 5 = REG_DWORD_BIG_ENDIAN, 6 = REG_LINK, 7 = REG_MULTI_SZ, 8 = REG_RESOURCE_LIST, 9 = REG_FULL_RESOURCE_DESCRIPTOR, 10 = REG_RESOURCE_REQUIREMENTS_LIST, 11 = REG_QWORD, 11 = REG_QWORD_LITTLE_ENDIAN (cf. Microsoft documentation). | Win |
| Reg.File.Name | String | A file path (e.g., `C:\TempHive.hiv`). Supported for Reg.Key.Load, Reg.Key.Restore, Reg.Key.Save, or Reg.Key.Replace. | Win |
| Reg.Key.Sddl | String | The security descriptor (SD) of a registry key. | Win |
| Reg.Key.Hive | String | The name of the hive (e.g., `HKLM`). | Win |
| Reg.Key.Target | String | The absolute path of the registry key. Takes Reg.Key.Path.Old or Reg.Key.Path and is thus never empty. | Win |
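The table above describes how several properties relate to each other: Reg.Key.Name is the last path element, Reg.Parent.Key.Path is the rest, Reg.Key.Target falls back from Reg.Key.Path.Old to Reg.Key.Path, and Reg.Value.Type is a numeric code with two aliased names for 4 and 11. The following Python is an added illustration (not uberAgent code) that derives those properties from constructed events held in plain dicts keyed by the uAQL property names, and evaluates the page's anchored Reg.Key.Path regex example against them; the `Reg.Value.TypeName` field and the `enrich` helper are hypothetical names chosen for this example.

```python
import re

# Reg.Value.Type codes from the table; 4 and 11 also carry the *_LITTLE_ENDIAN alias
REG_VALUE_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK", 7: "REG_MULTI_SZ",
    8: "REG_RESOURCE_LIST", 9: "REG_FULL_RESOURCE_DESCRIPTOR",
    10: "REG_RESOURCE_REQUIREMENTS_LIST", 11: "REG_QWORD",
}

def enrich(event: dict) -> dict:
    """Hypothetical helper: derive path and type properties from a raw event.
    A Reg.Key.Rename event carries Reg.Key.Path.Old/New but no Reg.Key.Path."""
    out = dict(event)
    # Reg.Key.Target takes Reg.Key.Path.Old (renames) or Reg.Key.Path, so it is never empty
    target = event.get("Reg.Key.Path.Old") or event.get("Reg.Key.Path")
    if not target:
        raise ValueError("registry event without any key path")
    out["Reg.Key.Target"] = target
    out["Reg.Key.Hive"] = target.split("\\", 1)[0]          # e.g. HKLM
    if "Reg.Key.Path.Old" not in event:
        # Reg.Key.Name is the last path element; the parent path is everything before it
        parent, _, name = target.rpartition("\\")
        out["Reg.Key.Name"] = name
        out["Reg.Parent.Key.Path"] = parent
    if "Reg.Value.Type" in event:
        out["Reg.Value.TypeName"] = REG_VALUE_TYPES.get(event["Reg.Value.Type"], "UNKNOWN")
    return out

# The Reg.Key.Path example from the table: anchored, so sub-keys do not match,
# while ".*ControlSet.*" covers CurrentControlSet as well as ControlSet001 etc.
LMHOSTS_KEY = re.compile(r"^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$")

def matches_lmhosts(event: dict) -> bool:
    return LMHOSTS_KEY.match(enrich(event)["Reg.Key.Target"]) is not None

# Constructed sample events (not real telemetry)
SET_VALUE = {
    "Reg.Key.Path": r"HKLM\SYSTEM\CurrentControlSet\Services\lmhosts",
    "Reg.Value.Name": "RequiredPrivileges",
    "Reg.Value.Type": 7,
    "Reg.Value.Data": "SeChangeNotifyPrivilege",
}
RENAME = {
    "Reg.Key.Path.Old": r"HKLM\SYSTEM\ControlSet001\Services\lmhosts",
    "Reg.Key.Path.New": r"HKLM\SYSTEM\ControlSet001\Services\lmhosts_old",
}
SUBKEY = {"Reg.Key.Path": r"HKLM\SYSTEM\CurrentControlSet\Services\lmhosts\Parameters"}
```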
