
RegistryParse

This script is part of the Windows Forensics Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This automation parses a Windows registry file (supplied as a War Room entry) and extracts forensic data from it. The registryData argument selects which objects to extract; customRegistryPaths adds arbitrary key paths to the parse.

Script Data

Name | Description
--- | ---
Script Type | python3
Tags | 
Cortex XSOAR Version | 6.0.0

Used In


This script is used in the following playbooks and scripts.

  • Registry Parse Data Analysis

Inputs

Argument Name | Description
--- | ---
entryID | The entry ID of the registry file to parse.
registryData | Which registry objects to parse. Default is "All".
customRegistryPaths | A comma-separated list of registry key paths to parse. Keep each path as exact as possible, for example `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList`.

Outputs

Path | Description | Type
--- | --- | ---
RegistryForensicDataRaw.Type | The registry data type; "Custom" for a custom registry path. | Unknown
RegistryForensicDataRaw.RegistryPath | The registry key path. | Unknown
RegistryForensicDataRaw.RegistryKey | The registry key. | Unknown
RegistryForensicDataRaw.RegistryValue | The registry value. | Unknown
RegistryForensicData.Users.Sid | User SID. | Unknown
RegistryForensicData.Users.Guid | User GUID. | Unknown
RegistryForensicData.LastLoggedOnUser | Last user to log in. | Unknown
RegistryForensicData.TimeZone | Registry time zone. | Unknown
RegistryForensicData.Services.DisplayName | Registry service display name. | Unknown
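The following is an added example, not code from the RegistryParse script or the Windows Forensics Pack. It shows how the customRegistryPaths argument is split and canonicalized, and what RegistryForensicDataRaw entries of Type "Custom" look like for a matched key. The hive contents are constructed, the hive-alias table and the mapping of RegistryKey to the value name and RegistryValue to the value data are assumptions, and the function names are hypothetical.

```python
"""
Added example for the RegistryParse documentation: canonicalize the
customRegistryPaths argument and emit RegistryForensicDataRaw-shaped
entries. Not the Cortex XSOAR script's own code; helper names are
hypothetical and the sample hive data below is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Assumption: common hive abbreviations are accepted and expanded to the
# long form used in the documentation's example path.
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKEY_CURRENT_USER": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS",
    "HKEY_USERS": "HKEY_USERS",
}

# Constructed sample of an already-parsed hive: key path -> {value name: data}.
SAMPLE_HIVE: Dict[str, Dict[str, str]] = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList": {
        "DWM.exe": "1",
        "sqlservr.exe": "1",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": "explorer.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,",
    },
}


def normalize_registry_path(raw: str) -> str:
    """Trim whitespace, expand the hive alias, and drop a trailing backslash."""
    path = raw.strip().replace("/", "\\").rstrip("\\")
    hive, sep, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive)
    return hive + (sep + rest if sep else "")


def parse_custom_registry_paths(arg: str) -> List[str]:
    """Split the comma-separated customRegistryPaths argument into canonical paths."""
    return [normalize_registry_path(p) for p in arg.split(",") if p.strip()]


def lookup_key(hive: Dict[str, Dict[str, str]], path: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Case-insensitive exact-key lookup; the Windows registry ignores case."""
    for key, values in hive.items():
        if key.lower() == path.lower():
            return key, values
    return None


def build_custom_entries(arg: str, hive: Dict[str, Dict[str, str]] = SAMPLE_HIVE) -> List[Dict[str, str]]:
    """Emit one RegistryForensicDataRaw-shaped entry per value under each requested key.

    A requested path that is not an exact key is skipped rather than widened to a
    parent key, which is why the documentation asks for exact paths.
    """
    entries: List[Dict[str, str]] = []
    for path in parse_custom_registry_paths(arg):
        found = lookup_key(hive, path)
        if found is None:
            continue
        key_path, values = found
        for name, data in values.items():
            entries.append({
                "Type": "Custom",           # custom paths are always typed "Custom"
                "RegistryPath": key_path,   # the key path as stored in the hive
                "RegistryKey": name,        # assumption: the value name
                "RegistryValue": data,      # assumption: the value data
            })
    return entries


if __name__ == "__main__":
    arg = ("hklm\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\\AutoExclusionList\\,"
           " HKEY_LOCAL_MACHINE\\SOFTWARE\\Missing")
    for entry in build_custom_entries(arg):
        print(entry)
```

Running the block with the constructed argument yields two entries for the AutoExclusionList key and nothing for the missing key, which mirrors what a practitioner should expect from the real script when a custom path is mistyped: silence, not a partial match.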