Home
  •  

Check Existence of RegKey Monitor Type

SecurityMonitoringMP.RegValueExistsMonitorType (UnitMonitorType)

Element properties:

RunAsDefault
AccessibilityInternal
Support Monitor RecalculateFalse

Member Modules:

ID Module Type TypeId RunAs 
RegValueDS DataSource Microsoft.Windows.RegistryProvider Default
ValueExists ConditionDetection System.ExpressionFilter Default
ValueMissing ConditionDetection System.ExpressionFilter Default

Source Code:

<UnitMonitorType ID="SecurityMonitoringMP.RegValueExistsMonitorType" Accessibility="Internal">

  <MonitorTypeStates>

    <MonitorTypeState ID="RegValueExists" NoDetection="false"/>

    <MonitorTypeState ID="RegValueMissing" NoDetection="false"/>

  </MonitorTypeStates>

  <Configuration/>

  <MonitorImplementation>

    <MemberModules>

      <DataSource ID="RegValueDS" TypeID="Windows!Microsoft.Windows.RegistryProvider">

        <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

        <RegistryAttributeDefinitions>

          <RegistryAttributeDefinition>

            <AttributeName>UseLogonCredential</AttributeName>

            <Path>SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\UseLogonCredential</Path>

            <PathType>1</PathType>

            <AttributeType>0</AttributeType>

          </RegistryAttributeDefinition>

        </RegistryAttributeDefinitions>

        <Frequency>900</Frequency>

      </DataSource>

      <ConditionDetection ID="ValueExists" TypeID="System!System.ExpressionFilter">

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">Values/UseLogonCredential</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">true</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </ConditionDetection>

      <ConditionDetection ID="ValueMissing" TypeID="System!System.ExpressionFilter">

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">Values/UseLogonCredential</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">false</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </ConditionDetection>

    </MemberModules>

    <RegularDetections>

      <RegularDetection MonitorTypeStateID="RegValueExists">

        <Node ID="ValueExists">

          <Node ID="RegValueDS"/>

        </Node>

      </RegularDetection>

      <RegularDetection MonitorTypeStateID="RegValueMissing">

        <Node ID="ValueMissing">

          <Node ID="RegValueDS"/>

        </Node>

      </RegularDetection>

    </RegularDetections>

  </MonitorImplementation>

</UnitMonitorType>