RegistryDatatypeType: Win Registry Key Object Schema

Registry_Datatype specifies Windows registry datatypes via a union of the RegistryDataTypesEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.


Field Name Type Description
@id (optional) QName

The id field specifies a unique ID for this Object Property.

@idref (optional) QName

The idref field specifies a unique ID reference for this Object Property.

When idref is specified, the id attribute must not be specified, and any instance of this property should not hold content unless an extension of the property allows it.

@datatype (optional) DatatypeEnum

This attribute is optional and specifies the expected type for the value of the specified property.

@appears_random (optional) boolean

This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.

@is_obfuscated (optional) boolean

This field is optional and conveys whether the associated Object property has been obfuscated.

@obfuscation_algorithm_ref (optional) anyURI

This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.

@is_defanged (optional) boolean

This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).

@defanging_algorithm_ref (optional) anyURI

This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.

@refanging_transform_type (optional) string

This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refangingTransform property.

@refanging_transform (optional) string

This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.

@observed_encoding (optional) string

This field is optional and specifies the encoding of the string when it is/was observed. This may be different from the encoding used to represent the string within this element.

It is strongly recommended that character set names should be taken from the IANA character set registry (https://www.iana.org/assignments/character-sets/character-sets.xhtml).

This field is intended to be applicable only to fields which contain string values.

@condition (optional) ConditionTypeEnum

This field is optional and defines the relevant condition to apply to the value.

@is_case_sensitive (optional) boolean

The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.

@apply_condition (optional) ConditionApplicationEnum

This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.

@delimiter (optional) string

The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".

@bit_mask (optional) hexBinary

Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.

@pattern_type (optional) PatternTypeEnum

This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

@regex_syntax (optional) string

This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.

Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.

@has_changed (optional) boolean

This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.

@trend (optional) boolean

This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
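
The following Python code is an added example, not part of the CybOX schema or its tooling. It shows how the condition, apply_condition, delimiter and is_case_sensitive attributes described above combine when a field body lists several registry datatypes. The function name `matches`, the choice of the observed value as the left operand, and the sample datatype strings are assumptions made for illustration.

```python
# Added example, not CybOX project code: how condition, apply_condition,
# delimiter and is_case_sensitive combine for a list-valued field body.
DEFAULT_DELIMITER = "##comma##"  # default stated in the schema text

# Assumption: the observed value is the left operand of each condition.
CONDITIONS = {
    "Equals":         lambda obs, pat: obs == pat,
    "DoesNotEqual":   lambda obs, pat: obs != pat,
    "Contains":       lambda obs, pat: pat in obs,
    "DoesNotContain": lambda obs, pat: pat not in obs,
    "StartsWith":     lambda obs, pat: obs.startswith(pat),
    "EndsWith":       lambda obs, pat: obs.endswith(pat),
}


def matches(observed, body, condition, apply_condition,
            delimiter=DEFAULT_DELIMITER, is_case_sensitive=True):
    """Return True if `observed` satisfies the pattern held in the field body."""
    if condition not in CONDITIONS:
        raise ValueError(f"unsupported condition: {condition!r}")
    if apply_condition not in ("ANY", "ALL"):
        raise ValueError(f"apply_condition must be ANY or ALL: {apply_condition!r}")
    # The field body is one string; the delimiter splits it into values.
    values = body.split(delimiter)
    if not is_case_sensitive:
        observed = observed.casefold()
        values = [v.casefold() for v in values]
    results = [CONDITIONS[condition](observed, v) for v in values]
    # ANY: one successful evaluation is enough; ALL: every value must pass.
    return any(results) if apply_condition == "ANY" else all(results)


if __name__ == "__main__":
    # Constructed sample: a field body listing two string-like datatypes.
    listed = "REG_SZ##comma##REG_EXPAND_SZ"
    for observed in ("REG_SZ", "REG_BINARY"):
        for mode in ("ANY", "ALL"):
            result = matches(observed, listed, "DoesNotEqual", mode)
            print(f"{observed} DoesNotEqual [{listed}] {mode}: {result}")
```

With a negated condition such as DoesNotEqual, ANY matches as soon as the list holds a value different from the observed one, so an exclusion list behaves as intended only with ALL.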