The Advanced Security Information Model (ASIM) Registry Event normalization schema reference (Public preview)

The Registry Event schema is used to describe the Windows activity of creating, modifying, or deleting Windows Registry entities.

Registry events are specific to Windows systems, but are reported by different systems that monitor Windows, such as EDR (End Point Detection and Response) systems, Sysmon, or Windows itself.

For more information about normalization in Microsoft Sentinel, see Normalization and the Advanced Security Information Model (ASIM).

Important

The Registry Event normalization schema is currently in PREVIEW. This feature is provided without a service level agreement, and is not recommended for production workloads.

The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Parsers

To use the unifying parser that unifies all of the built-in parsers, and ensure that your analysis runs across all the configured sources, use imRegistry as the table name in your query.

For the list of the Process Event parsers Microsoft Sentinel provides out-of-the-box refer to the ASIM parsers list

Deploy the unifying and source-specific parsers from the Microsoft Sentinel GitHub repository.

For more information, see ASIM parsers and Use ASIM parsers.

Add your own normalized parsers

When implementing custom parsers for the Registry Event information model, name your KQL functions using the following syntax: imRegistry<vendor><Product>.

Add your KQL functions to the imRegistry unifying parsers to ensure that any content using the Registry Event model also uses your new parser.

Normalized content

Microsoft Sentinel provides the Persisting Via IFEO Registry Key hunting query. This query works on any registry activity data normalized using the Advanced Security Information Model.

For more information, see Hunt for threats with Microsoft Sentinel.

Schema details

The Registry Event information model is aligned with the OSSEM Registry entity schema.

Common ASIM fields

Important

Fields common to all schemas are described in detail in the ASIM Common Fields article.

Common fields with specific guidelines

The following list mentions fields that have specific guidelines for process activity events:

Field Class Type Description
EventType Mandatory Enumerated Describes the operation reported by the record.

For Registry records, supported values include:
- RegistryKeyCreated
- RegistryKeyDeleted
- RegistryKeyRenamed
- RegistryValueDeleted
- RegistryValueSet
EventSchemaVersion Mandatory String The version of the schema. The version of the schema documented here is 0.1.2
EventSchema Optional String The name of the schema documented here is RegistryEvent.
Dvc fields For registry activity events, device fields refer to the system on which the registry activity occurred.

Important

The EventSchema field is currently optional but will become Mandatory on September 1st 2022.

All common fields

Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the ASIM Common Fields article.

Class Fields
Mandatory - EventCount
- EventStartTime
- EventEndTime
- EventType
- EventResult
- EventProduct
- EventVendor
- EventSchema
- EventSchemaVersion
- Dvc
Recommended - EventResultDetails
- EventSeverity
- EventUid
- DvcIpAddr
- DvcHostname
- DvcDomain
- DvcDomainType
- DvcFQDN
- DvcId
- DvcIdType
- DvcAction
Optional - EventMessage
- EventSubType
- EventOriginalUid
- EventOriginalType
- EventOriginalSubType
- EventOriginalResultDetails
- EventOriginalSeverity
- EventProductVersion
- EventReportUrl
- EventOwner
- DvcZone
- DvcMacAddr
- DvcOs
- DvcOsVersion
- DvcOriginalAction
- DvcInterface
- AdditionalFields
- DvcDescription
- DvcScopeId
- DvcScope

Registry Event specific fields

The fields listed in the table below are specific to Registry events, but are similar to fields in other schemas and follow similar naming conventions.

For more information, see Structure of the Registry in Windows documentation.

Field Class Type Description
RegistryKey Mandatory String The registry key associated with the operation, normalized to standard root key naming conventions. For more information, see Root Keys.

Registry keys are similar to folders in file systems.

For example: HKEY_LOCAL_MACHINE\SOFTWARE\MTG
RegistryValue Recommended String The registry value associated with the operation. Registry values are similar to files in file systems.

For example: Path
RegistryValueType Recommended String The type of registry value, normalized to standard form. For more information, see Value Types.

For example: Reg_Expand_Sz
RegistryValueData Recommended String The data stored in the registry value.

Example: C:\Windows\system32;C:\Windows;
RegistryPreviousKey Recommended String For operations that modify the registry, the original registry key, normalized to standard root key naming. For more information, see Root Keys.

Note: If the operation changed other fields, such as the value, but the key remains the same, the RegistryPreviousKey will have the same value as RegistryKey.

Example: HKEY_LOCAL_MACHINE\SOFTWARE\MTG
RegistryPreviousValue Recommended String For operations that modify the registry, the original value type, normalized to the standard form. For more information, see Value Types.

If the type was not changed, this field has the same value as the RegistryValueType field.

Example: Path
RegistryPreviousValueType Recommended String For operations that modify the registry, the original value type.

If the type was not changed, this field will have the same value as the RegistryValueType field, normalized to the standard form. For more information, see Value types.

Example: Reg_Expand_Sz
RegistryPreviousValueData Recommended String The original registry data, for operations that modify the registry.

Example: C:\Windows\system32;C:\Windows;
User Alias Alias to the ActorUsername field.

Example: CONTOSO\ dadmin
Process Alias Alias to the ActingProcessName field.

Example: C:\Windows\System32\rundll32.exe
ActorUsername Mandatory String The user name of the user who initiated the event.

Example: CONTOSO\WIN-GG82ULGC9GO$
ActorUsernameType Conditional Enumerated Specifies the type of the user name stored in the ActorUsername field. For more information, see The User entity.

Example: Windows
ActorUserId Recommended String A unique ID of the Actor. The specific ID depends on the system generating the event. For more information, see The User entity.

Example: S-1-5-18
ActorScope Optional String The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.
ActorUserIdType Recommended String The type of the ID stored in the ActorUserId field. For more information, see The User entity.

Example: SID
ActorSessionId Conditional String The unique ID of the login session of the Actor.

Example: 999

Note: The type is defined as string to support varying systems, but on Windows this value must be numeric. If you are using a Windows machine and the source sends a different type, make sure to convert the value. For example, if source sends a hexadecimal value, convert it to a decimal value.
ActingProcessName Optional String The file name of the acting process image file. This name is typically considered to be the process name.

Example: C:\Windows\explorer.exe
ActingProcessId Mandatory String The process ID (PID) of the acting process.

Example: 48610176

Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric.

If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.
ActingProcessGuid Optional String A generated unique identifier (GUID) of the acting process.

Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00
ParentProcessName Optional String The file name of the parent process image file. This value is typically considered to be the process name.

Example: C:\Windows\explorer.exe
ParentProcessId Mandatory String The process ID (PID) of the parent process.

Example: 48610176
ParentProcessGuid Optional String A generated unique identifier (GUID) of the parent process.

Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00

Root keys

Different sources represent registry key prefixes using different representations. For the RegistryKey and RegistryPreviousKey fields, use the following normalized prefixes:

Normalized key prefix Other common representations
HKEY_LOCAL_MACHINE HKLM, \REGISTRY\MACHINE
HKEY_USERS HKU, \REGISTRY\USER

Value types

Different sources represent registry value types using different representations. For the RegistryValueType and RegistryPreviousValueType fields, use the following normalized types:

Normalized key prefix Other common representations
Reg_None None, %%1872
Reg_Sz String, %%1873
Reg_Expand_Sz ExpandString, %%1874
Reg_Binary Binary, %%1875
Reg_DWord Dword, %%1876
Reg_Multi_Sz MultiString, %%1879
Reg_QWord Qword, %%1883

Schema updates

These are the changes in version 0.1.1 of the schema:

  • Added the field EventSchema.

These are the changes in version 0.1.2 of the schema:

  • Added the fields ActorScope, DvcScopeId, and DvcScope..

Next steps

For more information, see: