Microsoft Graph · Schema
registryKeyState
Properties
| Name | Type | Description |
|---|---|---|
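| hive | object | A Windows registry hive: `HKEY_CURRENT_CONFIG` `HKEY_CURRENT_USER` `HKEY_LOCAL_MACHINE/SAM` `HKEY_LOCAL_MACHINE/Security` `HKEY_LOCAL_MACHINE/Software` `HKEY_LOCAL_MACHINE/System` `HKEY_USERS/.Default`. The possible values are: unknown, currentConfig, currentUser, localMachineSam, localMachineSecurity, localMachineSoftware, localMachineSystem, usersDefault. |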
| key | string | Current (i.e. changed) registry key (excludes HIVE). |
| oldKey | string | Previous (i.e. before changed) registry key (excludes HIVE). |
| oldValueData | string | Previous (i.e. before changed) registry key value data (contents). |
| oldValueName | string | Previous (i.e. before changed) registry key value name. |
| operation | object | Operation that changed the registry key name and/or value. The possible values are: unknown, create, modify, delete. |
| processId | number | Process ID (PID) of the process that modified the registry key (process details will appear in the alert 'processes' collection). |
| valueData | string | Current (i.e. changed) registry key value data (contents). |
| valueName | string | Current (i.e. changed) registry key value name |
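| valueType | object | Registry key value type: `REG_BINARY` `REG_DWORD` `REG_DWORD_LITTLE_ENDIAN` `REG_DWORD_BIG_ENDIAN` `REG_EXPAND_SZ` `REG_LINK` `REG_MULTI_SZ` `REG_NONE` `REG_QWORD` `REG_QWORD_LITTLE_ENDIAN` `REG_SZ`. The possible values are: unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz. |
| @odata.type | string | |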
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/microsoft.graph.registryKeyState",
"title": "registryKeyState",
"required": [
"@odata.type"
],
"type": "object",
"properties": {
"hive": {
"anyOf": [
{
"$ref": "#/components/schemas/microsoft.graph.registryHive"
},
{
"type": "object",
"nullable": true
}
],
"description": "A Windows registry hive : HKEY_CURRENT_CONFIG HKEY_CURRENT_USER HKEY_LOCAL_MACHINE/SAM HKEY_LOCAL_MACHINE/Security HKEY_LOCAL_MACHINE/Software HKEY_LOCAL_MACHINE/System HKEY_USERS/.Default. The possible values are: unknown, currentConfig, currentUser, localMachineSam, localMachineSecurity, localMachineSoftware, localMachineSystem, usersDefault."
},
"key": {
"type": "string",
"description": "Current (i.e. changed) registry key (excludes HIVE).",
"nullable": true
},
"oldKey": {
"type": "string",
"description": "Previous (i.e. before changed) registry key (excludes HIVE).",
"nullable": true
},
"oldValueData": {
"type": "string",
"description": "Previous (i.e. before changed) registry key value data (contents).",
"nullable": true
},
"oldValueName": {
"type": "string",
"description": "Previous (i.e. before changed) registry key value name.",
"nullable": true
},
"operation": {
"anyOf": [
{
"$ref": "#/components/schemas/microsoft.graph.registryOperation"
},
{
"type": "object",
"nullable": true
}
],
"description": "Operation that changed the registry key name and/or value. The possible values are: unknown, create, modify, delete."
},
"processId": {
"maximum": 2147483647,
"minimum": -2147483648,
"type": "number",
"description": "Process ID (PID) of the process that modified the registry key (process details will appear in the alert 'processes' collection).",
"format": "int32",
"nullable": true
},
"valueData": {
"type": "string",
"description": "Current (i.e. changed) registry key value data (contents).",
"nullable": true
},
"valueName": {
"type": "string",
"description": "Current (i.e. changed) registry key value name",
"nullable": true
},
"valueType": {
"anyOf": [
{
"$ref": "#/components/schemas/microsoft.graph.registryValueType"
},
{
"type": "object",
"nullable": true
}
],
"description": "Registry key value type: REG_BINARY REG_DWORD REG_DWORD_LITTLE_ENDIAN REG_DWORD_BIG_ENDIAN REG_EXPAND_SZ REG_LINK REG_MULTI_SZ REG_NONE REG_QWORD REG_QWORD_LITTLE_ENDIAN REG_SZ. The possible values are: unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz."
},
"@odata.type": {
"type": "string"
}
}
}