The Advanced Security Information Model (ASIM) Registry Event normalization schema reference (Public preview)
The Registry Event schema is used to describe the Windows activity of creating, modifying, or deleting Windows Registry entities.
Registry events are specific to Windows systems, but are reported by different systems that monitor Windows, such as EDR (Endpoint Detection and Response) systems, Sysmon, or Windows itself.
For more information about normalization in Microsoft Sentinel, see Normalization and the Advanced Security Information Model (ASIM).
Important
The Registry Event normalization schema is currently in PREVIEW. This feature is provided without a service level agreement, and is not recommended for production workloads.
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Parsers
To use the unifying parser, which combines all of the built-in parsers and ensures that your analysis runs across all the configured sources, use imRegistry as the table name in your query.
For the list of the Process Event parsers Microsoft Sentinel provides out-of-the-box, refer to the ASIM parsers list.
Deploy the unifying and source-specific parsers from the Microsoft Sentinel GitHub repository.
For more information, see ASIM parsers and Use ASIM parsers.
Add your own normalized parsers
When implementing custom parsers for the Registry Event information model, name your KQL functions using the following syntax: imRegistry<vendor><Product>.
Add your KQL functions to the imRegistry unifying parser to ensure that any content using the Registry Event model also uses your new parser.
Normalized content
Microsoft Sentinel provides the Persisting Via IFEO Registry Key hunting query. This query works on any registry activity data normalized using the Advanced Security Information Model.
For more information, see Hunt for threats with Microsoft Sentinel.
Schema details
The Registry Event information model is aligned with the OSSEM Registry entity schema.
Common ASIM fields
Important
Fields common to all schemas are described in detail in the ASIM Common Fields article.
Common fields with specific guidelines
The following list mentions fields that have specific guidelines for process activity events:
Field | Class | Type | Description |
---|---|---|---|
EventType | Mandatory | Enumerated | Describes the operation reported by the record. For Registry records, supported values include: RegistryKeyCreated, RegistryKeyDeleted, RegistryKeyRenamed, RegistryValueDeleted, RegistryValueSet |
EventSchemaVersion | Mandatory | String | The version of the schema. The version of the schema documented here is 0.1.2 |
EventSchema | Optional | String | The name of the schema documented here is RegistryEvent. |
Dvc fields | | | For registry activity events, device fields refer to the system on which the registry activity occurred. |
Important
The EventSchema field is currently optional but will become Mandatory on September 1st, 2022.
All common fields
Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the ASIM Common Fields article.
Class | Fields |
---|---|
Mandatory | EventCount, EventStartTime, EventEndTime, EventType, EventResult, EventProduct, EventVendor, EventSchema, EventSchemaVersion, Dvc |
Recommended | EventResultDetails, EventSeverity, EventUid, DvcIpAddr, DvcHostname, DvcDomain, DvcDomainType, DvcFQDN, DvcId, DvcIdType, DvcAction |
Optional | EventMessage, EventSubType, EventOriginalUid, EventOriginalType, EventOriginalSubType, EventOriginalResultDetails, EventOriginalSeverity, EventProductVersion, EventReportUrl, EventOwner, DvcZone, DvcMacAddr, DvcOs, DvcOsVersion, DvcOriginalAction, DvcInterface, AdditionalFields, DvcDescription, DvcScopeId, DvcScope |
Registry Event specific fields
The fields listed in the table below are specific to Registry events, but are similar to fields in other schemas and follow similar naming conventions.
For more information, see Structure of the Registry in Windows documentation.
Field | Class | Type | Description |
---|---|---|---|
RegistryKey | Mandatory | String | The registry key associated with the operation, normalized to standard root key naming conventions. For more information, see Root Keys. Registry keys are similar to folders in file systems. For example: HKEY_LOCAL_MACHINE\SOFTWARE\MTG |
RegistryValue | Recommended | String | The registry value associated with the operation. Registry values are similar to files in file systems. For example: Path |
RegistryValueType | Recommended | String | The type of registry value, normalized to standard form. For more information, see Value Types. For example: Reg_Expand_Sz |
RegistryValueData | Recommended | String | The data stored in the registry value. Example: C:\Windows\system32;C:\Windows; |
RegistryPreviousKey | Recommended | String | For operations that modify the registry, the original registry key, normalized to standard root key naming. For more information, see Root Keys. Note: If the operation changed other fields, such as the value, but the key remains the same, the RegistryPreviousKey will have the same value as RegistryKey. Example: HKEY_LOCAL_MACHINE\SOFTWARE\MTG |
RegistryPreviousValue | Recommended | String | For operations that modify the registry, the original registry value. If the value was not changed, this field has the same value as the RegistryValue field. Example: Path |
RegistryPreviousValueType | Recommended | String | For operations that modify the registry, the original value type. If the type was not changed, this field will have the same value as the RegistryValueType field, normalized to the standard form. For more information, see Value types. Example: Reg_Expand_Sz |
RegistryPreviousValueData | Recommended | String | The original registry data, for operations that modify the registry. Example: C:\Windows\system32;C:\Windows; |
User | Alias | | Alias to the ActorUsername field. Example: CONTOSO\dadmin |
Process | Alias | | Alias to the ActingProcessName field. Example: C:\Windows\System32\rundll32.exe |
ActorUsername | Mandatory | String | The user name of the user who initiated the event. Example: CONTOSO\WIN-GG82ULGC9GO$ |
ActorUsernameType | Conditional | Enumerated | Specifies the type of the user name stored in the ActorUsername field. For more information, see The User entity. Example: Windows |
ActorUserId | Recommended | String | A unique ID of the Actor. The specific ID depends on the system generating the event. For more information, see The User entity. Example: S-1-5-18 |
ActorScope | Optional | String | The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. For more information and a list of allowed values, see UserScope in the Schema Overview article. |
ActorUserIdType | Recommended | String | The type of the ID stored in the ActorUserId field. For more information, see The User entity. Example: SID |
ActorSessionId | Conditional | String | The unique ID of the login session of the Actor. Example: 999. Note: The type is defined as string to support varying systems, but on Windows this value must be numeric. If you are using a Windows machine and the source sends a different type, make sure to convert the value. For example, if the source sends a hexadecimal value, convert it to a decimal value. |
ActingProcessName | Optional | String | The file name of the acting process image file. This name is typically considered to be the process name. Example: C:\Windows\explorer.exe |
ActingProcessId | Mandatory | String | The process ID (PID) of the acting process. Example: 48610176. Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric. If you are using a Windows or Linux machine and the source uses a different type, make sure to convert the values. For example, if the source uses a hexadecimal value, convert it to a decimal value. |
ActingProcessGuid | Optional | String | A generated unique identifier (GUID) of the acting process. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00 |
ParentProcessName | Optional | String | The file name of the parent process image file. This value is typically considered to be the process name. Example: C:\Windows\explorer.exe |
ParentProcessId | Mandatory | String | The process ID (PID) of the parent process. Example: 48610176 |
ParentProcessGuid | Optional | String | A generated unique identifier (GUID) of the parent process. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00 |
Root keys
Different sources represent registry key prefixes using different representations. For the RegistryKey and RegistryPreviousKey fields, use the following normalized prefixes:
Normalized key prefix | Other common representations |
---|---|
HKEY_LOCAL_MACHINE | HKLM, \REGISTRY\MACHINE |
HKEY_USERS | HKU, \REGISTRY\USER |
Value types
Different sources represent registry value types using different representations. For the RegistryValueType and RegistryPreviousValueType fields, use the following normalized types:
Normalized value type | Other common representations |
---|---|
Reg_None | None, %%1872 |
Reg_Sz | String, %%1873 |
Reg_Expand_Sz | ExpandString, %%1874 |
Reg_Binary | Binary, %%1875 |
Reg_DWord | Dword, %%1876 |
Reg_Multi_Sz | MultiString, %%1879 |
Reg_QWord | Qword, %%1883 |
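The following KQL is an added example of a source-specific parser, not a Microsoft-provided parser: a hypothetical function imRegistryContosoEdr (per the imRegistry<vendor><Product> convention from the Parsers section) that maps a source's raw columns onto the schema and applies the Root keys and Value types normalization tables above. The table ContosoEdr_CL and all of its column names are assumptions invented for this illustration.

```kusto
// Added example (not a Microsoft-provided parser): hypothetical imRegistryContosoEdr.
// Assumes an invented custom table ContosoEdr_CL with columns Computer, TimeGenerated,
// Action, KeyPath, ValueName, ValueType, ValueData, UserName, UserSid, LogonId,
// ProcessPath, ProcessId, ParentProcessPath, ParentProcessId.
// Source action names -> the EventType values the schema allows.
let EventTypeLookup = datatable (Action:string, EventType:string) [
    'KeyCreate',   'RegistryKeyCreated',
    'KeyDelete',   'RegistryKeyDeleted',
    'KeyRename',   'RegistryKeyRenamed',
    'ValueDelete', 'RegistryValueDeleted',
    'ValueSet',    'RegistryValueSet'
];
// Source value-type names and Windows %%-codes -> normalized types (Value types table).
let ValueTypeLookup = datatable (ValueType:string, RegistryValueType:string) [
    'None',         'Reg_None',      '%%1872', 'Reg_None',
    'String',       'Reg_Sz',        '%%1873', 'Reg_Sz',
    'ExpandString', 'Reg_Expand_Sz', '%%1874', 'Reg_Expand_Sz',
    'Binary',       'Reg_Binary',    '%%1875', 'Reg_Binary',
    'Dword',        'Reg_DWord',     '%%1876', 'Reg_DWord',
    'MultiString',  'Reg_Multi_Sz',  '%%1879', 'Reg_Multi_Sz',
    'Qword',        'Reg_QWord',     '%%1883', 'Reg_QWord'
];
// Root-key prefixes (Root keys table); capture group 2 keeps the separator or end of string.
let MachinePrefix = @'^(HKLM|\\REGISTRY\\MACHINE)(\\|$)';
let UsersPrefix   = @'^(HKU|\\REGISTRY\\USER)(\\|$)';
ContosoEdr_CL
| lookup EventTypeLookup on Action
| lookup ValueTypeLookup on ValueType
| where isnotempty(EventType)   // drop operations the schema does not describe
| extend
    EventVendor = 'Contoso', EventProduct = 'EDR',
    EventSchema = 'RegistryEvent', EventSchemaVersion = '0.1.2',
    EventCount = int(1), EventResult = 'Success',
    EventStartTime = TimeGenerated, EventEndTime = TimeGenerated,
    Dvc = Computer, DvcHostname = Computer,
    RegistryKey = replace_regex(replace_regex(KeyPath, MachinePrefix, @'HKEY_LOCAL_MACHINE\2'),
                                UsersPrefix, @'HKEY_USERS\2'),
    RegistryValue = ValueName, RegistryValueData = ValueData,
    ActorUsername = UserName, ActorUsernameType = 'Windows',
    ActorUserId = UserSid, ActorUserIdType = 'SID',
    ActorSessionId = tostring(LogonId),   // must be decimal on Windows; convert if the source sends hex
    ActingProcessName = ProcessPath, ActingProcessId = tostring(ProcessId),
    ParentProcessName = ParentProcessPath, ParentProcessId = tostring(ParentProcessId)
| extend User = ActorUsername, Process = ActingProcessName   // schema aliases
| project-away Action, KeyPath, ValueName, ValueType, ValueData, UserName, UserSid, LogonId,
               ProcessPath, ProcessId, ParentProcessPath, ParentProcessId
```

Save the query as a function named imRegistryContosoEdr and add it to the imRegistry unifying parser so existing content, such as the IFEO hunting query, runs over this source too.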
Schema updates
These are the changes in version 0.1.1 of the schema:
- Added the field EventSchema.
These are the changes in version 0.1.2 of the schema:
- Added the fields ActorScope, DvcScopeId, and DvcScope.
Next steps
For more information, see:
- Normalization in Microsoft Sentinel
- Microsoft Sentinel authentication normalization schema reference (Public preview)
- Microsoft Sentinel DNS normalization schema reference
- Microsoft Sentinel file event normalization schema reference (Public preview)
- Microsoft Sentinel network normalization schema reference