There are a few different ways to solve this, and the best solution would probably be driven by the particulars. How time-sensitive is this? Once the registry key appears, does it go away when the machine goes back into online mode? (Would this represent a “clearing” of the alert and set it up to be triggered again?)
Depending on the answer, and the behavior you want the alert to have, you might go one of a few different ways.
Most likely though, you would write a single-instance datasource, which applies to windows servers (ideally only those upon which this software is running) with a collection method of “script”. You could then write an embedded powershell script which uses remote execution on the target machines to enumerate the registry keys and iterate through them looking for the one you want. It also appears that you might be able to save some processing by using a filter. As Joe said above, the simplest thing to do would be to return a 1 or a 0 representing whether or not the entry is there. You could also do a key value pair like “offline=1”, then you would create a normal datapoint to interpret the output as a number. You would then add an alert threshold and a descriptive custom alert message. (Have a look at some from the datasources built into your account for good examples of them and their tokens)
If I was doing this, I would also investigate Cylance’s REST API; You might get more information from their API about the status of the servers from that.
It’s always worth checking in with support to see if the Monitoring Engineering team has this on their radar, too.