Skip to main content

1E SDK

WindowsRegistryChange

Trigger

WindowsRegistryChange

Action

Triggers when a log entry is created in a specific Event Log, optionally matching an XPath filtering expression. This can include the "Classic" Windows Event Logs (Application, Security, Setup and System) and also the "Applications and Services Logs" (although does not include the "Analytic and Debug" logs).

Parameters

Channel (string): The name/path of the event log to monitor. If the corresponding channel has not been enabled for event logging, the Tachyon Agent enables it automatically.

Example: "Security" or "Microsoft-Windows-Bits-Client/Operational"

Query (string): Optional XPath expression to match against incoming entries into the event log

Example: "*[System/EventID=4688]"

See the MSDN references pages on Event Queries and Event XML and Event Selection for details of the supported XPath syntax and examples.

AuditSubCategoryGuid (GUID string): Optional XPath expression to match against incoming entries into the event log.

Example: "0CCE922B-69AE-11D9-BED3-505054503030" corresponds to the "Process Creation" sub-category.

See the MSDN reference for a list of available GUIDs

The Tachyon Agent will modify the local security policy to enable "failure" and "success" auditing for this sub-category for the period that this trigger remains active. Doing so means that corresponding event log entries will be generated when system activity occurs for this sub-category. The Tachyon Agent will attempt to re-enable this level of auditing if the Local Security Authority Subsystem Service (LSASS) indicates that the audit policy has changed - e.g. through a re-application of local/group policy, or if an administrator has manually adjusted the auditing policy using a tool like "auditpol".

DebounceTimeSeconds (Integer): Optional de-bounce time in seconds.

How long to hold back firing this trigger (to wait for additional events to occur); see the section above on Trigger de-bouncing.

Example

<?xml version="1.0" encoding="UTF-8"?>
<TriggerTemplate Name="WindowsRegistryChange" Category="Event" Description="When a registry key changes (Windows only)" Type="WindowsRegistryChange" 
ReadablePayload="On change of registry values in "%hive%\%subkey%" (include subkeys=%includeSubkeys%)">
  <AgentParameters>
    <Parameter Name="Hive" Value="%hive%" />
    <Parameter Name="Subkey" Value="%subkey%" />
    <Parameter Name="IncludeSubkeys" Value="%includeSubkeys%" />
  </AgentParameters>
  <UserParameterJson><![CDATA[[{"Name":"Hive","Pattern":"%hive%","DataType":"string","ControlType":"valuePicker","ControlMetadata":null,"Placeholder":"hive","DefaultValue":"HKLM",
"Validation":{"Regex":null,"MaxLength":"4","AllowedValues":["HKLM","HKCR"],"NumValueRestrictions":null},"Value":null,"HintText":null,"Source":null}, 
{"Name":"Subkey","Pattern":"%subkey%","DataType":"string","ControlType":"freeText","ControlMetadata":null,"Placeholder":"subkey","DefaultValue":null,
"Validation":{"Regex":null,"MaxLength":"1024","AllowedValues":null,"NumValueRestrictions":null},"Value":null,"HintText":null,"Source":null}, 
{"Name":"IncludeSubkeys","Pattern":"%includeSubkeys%","DataType":"string","ControlType":"valuePicker","ControlMetadata":null,"Placeholder":"includeSubkeys","DefaultValue":"true",
"Validation":{"Regex":null,"MaxLength":"4","AllowedValues":["true","false"],"NumValueRestrictions":null},"Value":null,"HintText":null,"Source":null}]]]></UserParameterJson>
</TriggerTemplate>

Platforms

  • Windows

Notes

Uses the Windows Registry change notification APIs to fire when a registry key changes