topic Inputs for Windows Registry in Getting Data In

Inputs for Windows Registry

vr2312 — Fri, 21 Apr 2017 14:15:08 GMT

Hello All

I am looking for suggestions on monitoring Windows Registry for a particular attribute. We are looking to receive the product version from the Windows Registry.

These are my current inputs, but i do not see any information popping inside Splunk.

[WinRegistry]
index = defense
source = WinReg
disabled = 0

Am i doing something wrong ?

Any assistance will be appreciated 🙂

Re: Inputs for Windows Registry

adonio — Fri, 21 Apr 2017 14:22:52 GMT

try this in inputs.conf or enable from GUI if you have the Windows TA installed

[WinRegMon://hkcu_run]
disabled = 0
index = defense
[WinRegMon://hklm_run]
disabled = 0
index = defense

now search: index=defense sourcetype=WinRegistry

hope it helps

Re: Inputs for Windows Registry

vr2312 — Fri, 21 Apr 2017 15:32:58 GMT

I want to retrieve only the CurrentControlSet\Services\WinDefend\FailureCommand Values.

What you had suggested, isn't that generic ? @adonio ?

Re: Inputs for Windows Registry

adonio — Fri, 21 Apr 2017 15:41:09 GMT

it is generic, i didnt see the screenshot when answered. Do you need to collect data from Windows Defender? there is a short article here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection
that explains how to achieve it

Re: Inputs for Windows Registry

vr2312 — Tue, 25 Apr 2017 19:28:34 GMT

@adonio

We need to collect only the version information from the Registry Window that is highlighted above.

Re: Inputs for Windows Registry

adonio — Tue, 25 Apr 2017 19:41:42 GMT

i am opening another answer to attach a screenshot

Re: Inputs for Windows Registry

adonio — Tue, 25 Apr 2017 19:42:53 GMT

use the method in previous answer to collect the WinRegMon data,
search for the data needed. screenshot attached

Re: Inputs for Windows Registry

vr2312 — Tue, 29 Sep 2020 13:48:26 GMT

You used this ? [WinRegMon://hkcu_run]
disabled = 0
index = defense
[WinRegMon://hklm_run]
disabled = 0
index = defense

also, the link you shared is not working.

Re: Inputs for Windows Registry

adonio — Tue, 29 Sep 2020 13:50:01 GMT

the link i shared in previous answer is to a page about: "Configure Splunk to pull Windows Defender ATP alerts". I thought you wanted t pull out data from the defender as it is highlighted in your screenshot.
just clicked on it and it does work.
i chose index = defense since your configurations sample has this index (another reason why i thought you want to collect defender data)
yes, i used this in inputs.conf on the needed windows host to collect the desired data:
[WinRegMon://hkcu_run]
disabled = 0
index = defense
[WinRegMon://hklm_run]
disabled = 0
index = defense

Re: Inputs for Windows Registry

vr2312 — Fri, 28 Apr 2017 20:28:14 GMT

@adonio

Is it possible ti fetch only the values of the WinDefender ?

As we will be deploying this across to our whole infrastructure with 100,000 hosts, we are targeting less license usage for this piece of information.

Re: Inputs for Windows Registry

adonio — Fri, 28 Apr 2017 20:46:34 GMT

yes,
you can use props and transforms to route and filter data
please also read this doc ni detail:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata
specailly this part:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata#Filter_incoming_Registry_events
if you are satisfied with the answer to your original question, please mark question as answered and vote up answers / comments that you feel helped