topic Re: Query for creation of registry keys in Dashboards & Visualizations

How to create search for creation of registry keys?

Chase — Wed, 23 Aug 2023 19:55:32 GMT

Hi, I just started Splunk yesterday and was looking for proper syntax for trying to search for the creation of registry keys on all machines and if possible, how to get alerts for deleted reg keys. I havent touched every dashboard in Splunk but I imagine a simple table that includes all machines in the network with reg key counts would be the way to go. Im not sure about the alerts part for deleted keys

Re: Query for creation of registry keys

ITWhisperer — Wed, 23 Aug 2023 14:20:31 GMT

The first thing you need to do is understand the data you have in Splunk. What events have you already ingested?

Re: Query for creation of registry keys

gcusello — Wed, 23 Aug 2023 15:46:44 GMT

Hi @Chase ,

as usual to havea result in Splunk requires 70% of knowledge of the matter to search and less than 30% of Splunk knowledge.

You need a knowledge about windows registry keys registration or deletion, so you should search which are the EventCodes to use in search,

in your case , probably the Eventcodes to use are:

4657 A registry value was modified 5039 A registry key was virtualized

I cannot help you more because I'm not a windows expert.

Ciao.

Giuseppe

Re: Query for creation of registry keys

Chase — Wed, 23 Aug 2023 16:28:07 GMT

I did see that event code on listed as response to someone asking a previous question and after attempting to pipe it to our index it said "unknown search cmd '4657'". What is the proper syntax for searching eventcodes?

Re: Query for creation of registry keys

ITWhisperer — Wed, 23 Aug 2023 16:52:24 GMT

Your initial search can find all the events in your index (within the time constraints of the search) which have the string in

index=<your index> "4657"

Re: Query for creation of registry keys

Chase — Wed, 23 Aug 2023 17:21:25 GMT

Ok so after trying that string with my index and switching the time search to 'All time', (and got a ton of irrelevant hits, I opened one of the hits and found "EventID" had its own field. Just as a reference for anyone else looking at this issue later:

A search without that field option gives 5,800+ events. 99 is about what I expect from an index that started 8 days ago. Ty for the help

Re: Query for creation of registry keys

gcusello — Thu, 24 Aug 2023 06:11:32 GMT

Hi @Chase ,

this is usually named EventCode on windows logs:

index=wineventlog EventCode=4657

beware to the field name that's case sensistive.

In addition, if possible try to avoid "All time" in your searches because it's a too expensive and long search.

Ciao.

Giuseppe

Re: Query for creation of registry keys

ITWhisperer — Thu, 24 Aug 2023 08:26:50 GMT

OK, so now you have learned that your data has fields which you can use to refine your search, as you have done. This is the sort of thing you need to understand about your data. Don't forget that, we can only provide answers based on the information you give us, although we can make educated guesses based on experience, but they may not always be correct.