https://community.splunk.com/t5/Splunk-Search/What-is-the-correct-filter-to-find-persistence-in-Windows/m-p/643201#M222809 <P>Hi&nbsp;</P> <P>I'm investigating Windows log in Splunk, struggling to apply the correct filter.</P> <P>What filter do I need to apply to find the persistence in the Windows registry?</P> <P>What filter do I need to apply to find the Sysmon id 13 events to find the registry key used to maintain persistence in Windows?</P> <P>Filter for what port number is listening for an incoming connection, using Sysmon&nbsp; 12 and sysmon13 event IDs.</P> <P>my current search: index=*</P> <P><SPAN>Any assistance will be immensely appreciated</SPAN></P> Mon, 15 May 2023 12:53:19 GMT tonyfer 2023-05-15T12:53:19Z https://community.splunk.com/t5/Splunk-Search/What-is-the-correct-filter-to-find-persistence-in-Windows/m-p/643201#M222809 <P>Hi&nbsp;</P> <P>I'm investigating Windows log in Splunk, struggling to apply the correct filter.</P> <P>What filter do I need to apply to find the persistence in the Windows registry?</P> <P>What filter do I need to apply to find the Sysmon id 13 events to find the registry key used to maintain persistence in Windows?</P> <P>Filter for what port number is listening for an incoming connection, using Sysmon&nbsp; 12 and sysmon13 event IDs.</P> <P>my current search: index=*</P> <P><SPAN>Any assistance will be immensely appreciated</SPAN></P> Mon, 15 May 2023 12:53:19 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-correct-filter-to-find-persistence-in-Windows/m-p/643201#M222809 tonyfer 2023-05-15T12:53:19Z https://community.splunk.com/t5/Splunk-Search/What-is-the-correct-filter-to-find-persistence-in-Windows/m-p/643208#M222811 <P>Similar to this question&nbsp;<A href="https://community.splunk.com/t5/Splunk-Search/How-to-identify-windows-registry-key-use-for-persistence/m-p/643087#M222765" target="_blank">Re: How to Identify windows registry key use for p... - Splunk Community</A></P><P>Do you have examples of the events you are dealing with?</P> Fri, 12 May 2023 12:34:59 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-correct-filter-to-find-persistence-in-Windows/m-p/643208#M222811 ITWhisperer 2023-05-12T12:34:59Z https://community.splunk.com/t5/Splunk-Search/What-is-the-correct-filter-to-find-persistence-in-Windows/m-p/643246#M222824 <P>Hi</P><P>I want to search for sysmon events in splunk</P><P>&nbsp;my current search: index=* sourcetype="WinEventLog:Microsoft-Windows-sysmon/operation" Registry</P><P>I'm trying to identify any persistence in the system, is that the correct filter for Splunk search?</P><P>&nbsp;</P><P>Thanks</P> Fri, 12 May 2023 18:15:31 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-correct-filter-to-find-persistence-in-Windows/m-p/643246#M222824 tonyfer 2023-05-12T18:15:31Z https://community.splunk.com/t5/Splunk-Search/What-is-the-correct-filter-to-find-persistence-in-Windows/m-p/643263#M222826 <P>So, your question is not really a Splunk question, it is more about your data, and how to interpret your data to identify the "persistence" events. Without knowledge of your data, it is difficult for us to advise. Perhaps if you shared some of your events, anonymised of course, we might be able to make some suggestions.</P><P>Having said that, a quick <A href="https://www.google.com/search?q=persistence+events+in+windows+sysmon+logs&amp;oq=persistence+events+in+windows+sysmon+logs" target="_self">google search</A> (which you could have done yourself!) returns this <A href="https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon" target="_self">link to Microsoft</A>, which seems to indicate that events 12, 13 and 14 are to do with the Registry. Perhaps you could start with those.</P> Sat, 13 May 2023 08:57:42 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-correct-filter-to-find-persistence-in-Windows/m-p/643263#M222826 ITWhisperer 2023-05-13T08:57:42Z