Class: RegValue
The registry value object describes a Windows registry value.
URI: ocsf:RegValue
classDiagram
class RegValue
click RegValue href "../RegValue/"
Object <|-- RegValue
click Object href "../Object/"
RegValue : data
RegValue : is_default
RegValue : is_system
RegValue : modified_time
RegValue : name
RegValue : path
RegValue : reg_binary_data
RegValue : reg_integer_data
RegValue : reg_string_data
RegValue : reg_string_list_data
RegValue : type
RegValue : type_id
RegValue --> "0..1 _recommended_" RegValueTypeIdEnum : type_id
click RegValueTypeIdEnum href "../RegValueTypeIdEnum/"
Inheritance
- OcsfObject
- Object
- RegValue
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| data | 0..1 String | The data of the registry value | direct |
| is_default | 0..1 Boolean | The indication of whether the value is from a default value name | direct |
| is_system | 0..1 Boolean | The indication of whether the object is part of the operating system | direct |
| modified_time | 0..1 TimestampT | The time when the registry value was last modified | direct |
| name | 1 String | The name of the registry value | direct |
| path | 1 String | The full path to the registry key, where the value is located | direct |
| reg_binary_data | 0..1 String | The data of the registry value when type_id is REG_BINARY or REG_NONE | direct |
| reg_integer_data | 0..1 Integer | The data of the registry value when type_id is REG_DWORD, REG_DWORD_BIG_ENDIAN, or REG_QWORD | direct |
| reg_string_data | 0..1 String | The data of the registry value when type_id is REG_SZ, REG_EXPAND_SZ, or REG_LINK | direct |
| reg_string_list_data | * String | The data of the registry value when type_id is REG_MULTI_SZ | direct |
| type | 0..1 String | A string representation of the value type as specified in [Registry Value Types](https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types) | direct |
| type_id | 0..1 recommended RegValueTypeIdEnum | The value type ID | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| WindowsEvidences | reg_value | range | RegValue |
| WindowsQueryEvidence | reg_value | range | RegValue |
| RegistryValueActivity | prev_reg_value | range | RegValue |
| RegistryValueActivity | reg_value | range | RegValue |
| RegistryValueQuery | reg_value | range | RegValue |
In Subsets
- windows_extension_subset
Aliases
- Registry Value
See Also
- https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryValue/
Notes
- D3FEND™ Ontology d3f:WindowsRegistryValue. — https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryValue/
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| observable_id | 29 |
| ocsf_extension | windows |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:RegValue |
| native | ocsf:RegValue |
LinkML Source
Direct
```yaml
name: RegValue
annotations:
  observable_id:
    tag: observable_id
    value: 29
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: The registry value object describes a Windows registry value.
notes:
- 'D3FEND™ Ontology d3f:WindowsRegistryValue. —
  https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryValue/'
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryValue/
aliases:
- Registry Value
is_a: Object
slots:
- data
- is_default
- is_system
- modified_time
- name
- path
- reg_binary_data
- reg_integer_data
- reg_string_data
- reg_string_list_data
- type
- type_id
slot_usage:
  data:
    name: data
    description: 'The data of the registry value. Where the value type is known, implementers
      should instead use a type-specific attribute, i.e.
      <code>reg_binary_data</code>, <code>reg_integer_data</code>,
      <code>reg_string_data</code>, or <code>reg_string_list_data</code>.'
  modified_time:
    name: modified_time
    description: The time when the registry value was last modified.
  name:
    name: name
    description: The name of the registry value.
    required: true
  path:
    name: path
    description: The full path to the registry key, where the value is located.
    required: true
  type:
    name: type
    description: 'A string representation of the value type as specified in <a target=''_blank''
      href=''https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types''>Registry
      Value Types</a>.'
  type_id:
    name: type_id
    description: The value type ID.
    range: RegValueTypeIdEnum
    recommended: true
```
Induced
```yaml
name: RegValue
annotations:
  observable_id:
    tag: observable_id
    value: 29
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: The registry value object describes a Windows registry value.
notes:
- 'D3FEND™ Ontology d3f:WindowsRegistryValue. —
  https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryValue/'
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryValue/
aliases:
- Registry Value
is_a: Object
slot_usage:
  data:
    name: data
    description: 'The data of the registry value. Where the value type is known, implementers
      should instead use a type-specific attribute, i.e.
      <code>reg_binary_data</code>, <code>reg_integer_data</code>,
      <code>reg_string_data</code>, or <code>reg_string_list_data</code>.'
  modified_time:
    name: modified_time
    description: The time when the registry value was last modified.
  name:
    name: name
    description: The name of the registry value.
    required: true
  path:
    name: path
    description: The full path to the registry key, where the value is located.
    required: true
  type:
    name: type
    description: 'A string representation of the value type as specified in <a target=''_blank''
      href=''https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types''>Registry
      Value Types</a>.'
  type_id:
    name: type_id
    description: The value type ID.
    range: RegValueTypeIdEnum
    recommended: true
attributes:
  data:
    name: data
    description: 'The data of the registry value. Where the value type is known, implementers
      should instead use a type-specific attribute, i.e.
      <code>reg_binary_data</code>, <code>reg_integer_data</code>,
      <code>reg_string_data</code>, or <code>reg_string_list_data</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Data
    rank: 1000
    alias: data
    owner: RegValue
    domain_of:
    - Request
    - Response
    - TlsExtension
    - Resource
    - ApplicationObject
    - Edge
    - Enrichment
    - Evidences
    - ManagedEntity
    - Node
    - Policy
    - QueryInfo
    - WebResource
    - RegValue
    range: string
  is_default:
    name: is_default
    description: 'The indication of whether the value is from a default value name.
      For example,
      the value name could be missing.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Default Value
    rank: 1000
    alias: is_default
    owner: RegValue
    domain_of:
    - RegValue
    range: boolean
  is_system:
    name: is_system
    description: The indication of whether the object is part of the operating system.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - System
    rank: 1000
    alias: is_system
    owner: RegValue
    domain_of:
    - File
    - Kernel
    - RegKey
    - RegValue
    range: boolean
  modified_time:
    name: modified_time
    description: The time when the registry value was last modified.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Modified Time
    rank: 1000
    alias: modified_time
    owner: RegValue
    domain_of:
    - Osint
    - RelatedEvent
    - Scim
    - Sso
    - Token
    - Resource
    - Advisory
    - Cve
    - Database
    - Databucket
    - File
    - FindingObject
    - FindingInfo
    - LdapPerson
    - Metadata
    - Table
    - Device
    - RegKey
    - RegValue
    range: TimestampT
  name:
    name: name
    description: The name of the registry value.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: RegValue
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    required: true
  path:
    name: path
    description: The full path to the registry key, where the value is located.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Path
    rank: 1000
    alias: path
    owner: RegValue
    domain_of:
    - Url
    - AffectedPackage
    - File
    - HttpCookie
    - Image
    - Kernel
    - Malware
    - ProcessEntity
    - Product
    - RegKey
    - RegValue
    range: string
    required: true
  reg_binary_data:
    name: reg_binary_data
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: 'The data of the registry value when <code>type_id</code> is
      <code>REG_BINARY</code> or <code>REG_NONE</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Registry Binary Data
    rank: 1000
    alias: reg_binary_data
    owner: RegValue
    domain_of:
    - RegValue
    range: string
  reg_integer_data:
    name: reg_integer_data
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: 'The data of the registry value when <code>type_id</code> is
      <code>REG_DWORD</code>, <code>REG_DWORD_BIG_ENDIAN</code>, or
      <code>REG_QWORD</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Registry Integer Data
    rank: 1000
    alias: reg_integer_data
    owner: RegValue
    domain_of:
    - RegValue
    range: integer
  reg_string_data:
    name: reg_string_data
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: 'The data of the registry value when <code>type_id</code> is
      <code>REG_SZ</code>, <code>REG_EXPAND_SZ</code>, or <code>REG_LINK</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Registry String Data
    rank: 1000
    alias: reg_string_data
    owner: RegValue
    domain_of:
    - RegValue
    range: string
  reg_string_list_data:
    name: reg_string_list_data
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: 'The data of the registry value when <code>type_id</code> is
      <code>REG_MULTI_SZ</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Registry String List Data
    rank: 1000
    alias: reg_string_list_data
    owner: RegValue
    domain_of:
    - RegValue
    range: string
    multivalued: true
  type:
    name: type
    description: 'A string representation of the value type as specified in <a target=''_blank''
      href=''https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types''>Registry
      Value Types</a>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: RegValue
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: The value type ID.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: RegValue
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: RegValueTypeIdEnum
    recommended: true
```