Namespace: microsoft.graph
Contains information about registry key changes related to the alert, and the process that changed the registry keys.
Properties
| Property | Type | Description | 
|---|---|---|
| hive | registryHive | A Windows registry hive. Possible values are: unknown, currentConfig, currentUser, localMachineSam, localMachineSecurity, localMachineSoftware, localMachineSystem, usersDefault. |
| key | String | Current (i.e. changed) registry key (excludes HIVE). | 
| oldKey | String | Previous (i.e. before changed) registry key (excludes HIVE). | 
| oldValueData | String | Previous (i.e. before changed) registry key value data (contents). | 
| oldValueName | String | Previous (i.e. before changed) registry key value name. | 
| operation | registryOperation | Operation that changed the registry key name and/or value. Possible values are: unknown, create, modify, delete. |
| processId | Int32 | Process ID (PID) of the process that modified the registry key (process details will appear in the alert 'processes' collection). | 
| valueData | String | Current (i.e. changed) registry key value data (contents). | 
| valueName | String | Current (i.e. changed) registry key value name. |
| valueType | registryValueType | Registry key value type. Possible values are: unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz. |
Relationships
None.
JSON representation
The following JSON representation shows the resource type.
```json
{
  "hive": "@odata.type: microsoft.graph.registryHive",
  "key": "String",
  "oldKey": "String",
  "oldValueData": "String",
  "oldValueName": "String",
  "operation": "@odata.type: microsoft.graph.registryOperation",
  "processId": 1024,
  "valueData": "String",
  "valueName": "String",
  "valueType": "@odata.type: microsoft.graph.registryValueType"
}
```
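For triage, each entry can be reduced to a before/after record and joined to the alert's 'processes' collection through `processId`. The following is an added example, not part of the Microsoft Graph documentation. It assumes the alert exposes this resource in a `registryKeyStates` collection, that each `processes` entry carries `processId`, `name` and `path`, and that unset properties arrive as null; the sample alert and the function name are constructed for illustration.

```python
import json

# Constructed sample: an alert trimmed to the two collections used here.
SAMPLE_ALERT = json.loads(r"""
{
  "processes": [
    {"processId": 4812, "name": "example.exe", "path": "C:\\Temp\\example.exe"}
  ],
  "registryKeyStates": [
    {"hive": "currentUser", "key": "Software\\Example", "oldKey": "Software\\Example",
     "operation": "modify", "processId": 4812, "valueType": "dword",
     "valueName": "Setting", "oldValueName": "Setting",
     "valueData": "1", "oldValueData": "0"},
    {"hive": "localMachineSoftware", "key": "Example\\New", "oldKey": null,
     "operation": "create", "processId": 999, "valueType": "unknown",
     "valueName": null, "oldValueName": null,
     "valueData": null, "oldValueData": null}
  ]
}
""")

# (current, previous) property pairs from the registryKeyState table.
PAIRS = [("key", "oldKey"), ("valueName", "oldValueName"), ("valueData", "oldValueData")]

def summarize_registry_changes(alert):
    """Return one record per registryKeyState: what changed and which process did it."""
    # Index the alert's 'processes' collection by PID; first entry wins on a duplicate PID.
    by_pid = {}
    for proc in alert.get("processes") or []:
        by_pid.setdefault(proc.get("processId"), proc)
    records = []
    for state in alert.get("registryKeyStates") or []:
        # Keys exclude the hive, so prefix the enum name to keep the path unambiguous.
        key = state.get("key") or state.get("oldKey") or ""
        proc = by_pid.get(state.get("processId"))
        records.append({
            "operation": state.get("operation") or "unknown",
            "path": (state.get("hive") or "unknown") + "\\" + key,
            "valueType": state.get("valueType") or "unknown",
            # field -> (before, after), only for pairs whose values differ
            "changed": {new: (state.get(old), state.get(new))
                        for new, old in PAIRS if state.get(old) != state.get(new)},
            "pid": state.get("processId"),
            # None when the PID has no matching entry in 'processes'
            "process": (proc.get("path") or proc.get("name")) if proc else None,
        })
    return records
if __name__ == "__main__":
    for record in summarize_registry_changes(SAMPLE_ALERT):
        print(record)
```

A record whose `process` is None still carries the PID, so it can be matched against endpoint telemetry outside the alert.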