Registry Schema
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this specific to CTPX ID |
| sensor_type | string | sensorType$ | Ex: redcloak,iSensor |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | Ex: redloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| process_id | string | processId$ | Identifier provided by the OS for the running process that modified the file |
| process_create_time_usec | uint64 | processCreateTimeUsec$ | Create time of process that modified the file in µs |
| commandline | string | commandline$ | Full command line of process that made the file modification |
| process_correlation_id | string | processCorrelationId$ | Process correlation ID to protect against rolling IDs redcloak -- host_id:id.pid:id.time_window |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| name | string | name$ | name of the registry key/value (subset of key) |
| path | string | path$ | full path of registry key/value |
| key | Registry.RegistryKey | key$ | |
| value | Registry.RegistryValue | value$ | |
| pivot | string | pivot$ | primary hunting pivot point of the data for grouping |
| rule_context | repeated Registry.RuleContextEntry | ruleContext$ | some rules add additonal strings to hits to help analysts interpret results |
Registry.RegistryKey ⫘
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| acl32 | string | acl32$ | permissions if 32 bit app writes redirected key on x64 |
| acl64 | string | acl64$ | permissions if native app wrote on x64 |
| last_write_time32_usec | uint64 | lastWriteTime32Usec$ | if 32 bit app writes redirected key on x64 |
| last_write_time64_usec | uint64 | lastWriteTime64Usec$ | if native app on x64 stores data |
| pivot | string | pivot$ |
Registry.RegistryValue ⫘
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| type32 | Registry.RegistryValue.ValueType | type32$ | type of data stored if 32 bit app writes redirected key on x64 |
| type64 | Registry.RegistryValue.ValueType | type64$ | type of data stored if native app on x64 stores data |
| data32 | string | data32$ | data stored at value if 32 bit app writes redirected key on x64 |
| data64 | string | data64$ | data stored at value if native app on x64 stores data |
| name | string | name$ | valueName from taegis agent, used for both 32 and 64 bit variants |
| pivot | string | pivot$ |
Registry.RuleContextEntry ⫘
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| key | string | ||
| value | string |
Registry.RegistryValue.ValueType ⫘
| Name | Number | Description |
|---|---|---|
| REG_NONE | 0 | No defined value type. |
| REG_SZ | 1 | A null-terminated string. This will be either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions. |
| REG_EXPAND_SZ | 2 | A null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%"). It will be a Unicode or ANSI string depending on whether you use the Unicode or ANSI functions. To expand the environment variable references, use the ExpandEnvironmentStrings function. |
| REG_BINARY | 3 | Binary data in any form. |
| REG_DWORD | 4 | A 32-bit number |
| REG_MULTI_SZ | 7 | A sequence of null-terminated strings, terminated by an empty string (\0). |
| REG_QWORD | 11 | A 64-bit number. |
| REG_DWORD_LITTLE_ENDIAN | 12 | A 32-bit number in little-endian format. Windows is designed to run on little-endian computer architectures. Therefore, this value is defined as REG_DWORD in the Windows header files. |
| REG_DWORD_BIG_ENDIAN | 13 | A 32-bit number in big-endian format. Some UNIX systems support big-endian architectures. |
| REG_LINK | 14 | A null-terminated Unicode string that contains the target path of a symbolic link that was created by calling the RegCreateKeyEx function with REG_OPTION_CREATE_LINK. |
| REG_QWORD_LITTLE_ENDIAN | 15 | A 64-bit number in little-endian format. Windows is designed to run on little-endian computer architectures. Therefore, this value is defined as REG_QWORD in the Windows header files. |