registryKeyState resource type
Namespace: microsoft.graph
Contains information about registry key changes related to the alert, and the process that changed the registry keys.
Properties
| Property | Type | Description |
|---|---|---|
| hive | registryHive | A Windows registry hive :
unknown, currentConfig, currentUser, localMachineSam, localMachineSecurity, localMachineSoftware, localMachineSystem, usersDefault. |
| key | String | Current (i.e. changed) registry key (excludes HIVE). |
| oldKey | String | Previous (i.e. before changed) registry key (excludes HIVE). |
| oldValueData | String | Previous (i.e. before changed) registry key value data (contents). |
| oldValueName | String | Previous (i.e. before changed) registry key value name. |
| operation | registryOperation | Operation that changed the registry key name and/or value. Possible values are: unknown, create, modify, delete. |
| processId | Int32 | Process ID (PID) of the process that modified the registry key (process details will appear in the alert 'processes' collection). |
| valueData | String | Current (i.e. changed) registry key value data (contents). |
| valueName | String | Current (i.e. changed) registry key value name |
| valueType | registryValueType | Registry key value type
unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz. |
JSON representation
The following JSON representation shows the resource type.
{
"hive": "@odata.type: microsoft.graph.registryHive",
"key": "String",
"oldKey": "String",
"oldValueData": "String",
"oldValueName": "String",
"operation": "@odata.type: microsoft.graph.registryOperation",
"processId": 1024,
"valueData": "String",
"valueName": "String",
"valueType": "@odata.type: microsoft.graph.registryValueType"
}