
Monitor registry - how to configure system hive?

Splunk Employee

For example, how to monitor USB device changes?


Splunk Employee
  1. In Splunk UI, go to: Manager > Data inputs > Registry monitoring and add a new registry data.

  2. Open browse and navigate to the hive path:

    HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\USBSTOR

    Please note: don't leave the hive as CurrentControlSet, which may not work properly. Make sure to take the next step to edit the path.

  3. Edit this registry hive path to:

    HKEY_LOCAL_MACHINE\SYSTEM\*CONTROLSET*\ENUM\USBSTOR?.*

  4. For process path, enter: .*

  5. Check Monitor subnodes.

  6. Set baseline=true.

So the final stanza should look like:

    [USBSTOR]
    baseline = 1
    disabled = 0
    hive = HKEY_LOCAL_MACHINE\SYSTEM\*CONTROLSET*\ENUM\USBSTOR?.*
    index = default
    proc = C:\.*
    type = set|rename|create|delete

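A small lint for registry-monitoring stanzas in inputs.conf, written as an added example that is not part of the answer above or of Splunk itself. It checks the pitfalls the answer calls out (hive left at CurrentControlSet, baseline not set) against a constructed inputs.conf; the required-key set and the accepted event types are assumptions taken from the stanza shown on the page, not from Splunk documentation.

```python
"""Lint Splunk inputs.conf registry-monitoring stanzas for the pitfalls
described in the answer above. Added example; not Splunk's own code."""
import configparser
import re
from typing import Dict, List

# Constructed sample: the stanza from the answer, plus a second stanza that
# repeats the mistake the answer warns about (hive left at CurrentControlSet).
SAMPLE_INPUTS_CONF = r"""
[USBSTOR]
baseline = 1
disabled = 0
hive = HKEY_LOCAL_MACHINE\SYSTEM\*CONTROLSET*\ENUM\USBSTOR?.*
index = default
proc = C:\.*
type = set|rename|create|delete

[USBSTOR_bad]
baseline = 0
disabled = 0
hive = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
proc = .*
type = set|modify
"""

REQUIRED_KEYS = {"hive", "proc", "type"}             # assumed minimum set
VALID_TYPES = {"set", "create", "delete", "rename"}  # values used on the page


def lint_registry_stanzas(text: str) -> Dict[str, List[str]]:
    """Return {stanza_name: [findings]}; an empty list means the stanza passed."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key names exactly as written
    cfg.read_string(text)
    report: Dict[str, List[str]] = {}
    for name in cfg.sections():
        sect = cfg[name]
        findings = [f"missing required key: {k}" for k in sorted(REQUIRED_KEYS - set(sect))]
        hive = sect.get("hive", "")
        if re.search(r"currentcontrolset", hive, re.IGNORECASE):
            findings.append("hive uses CurrentControlSet; use *CONTROLSET* as in the answer")
        if sect.get("baseline", "0") != "1":
            findings.append("baseline is not 1; the answer sets baseline=true")
        if sect.get("disabled", "0") == "1":
            findings.append("stanza is disabled")
        bad_types = set(sect.get("type", "").split("|")) - VALID_TYPES
        if bad_types:
            findings.append(f"unknown event type(s): {', '.join(sorted(bad_types))}")
        report[name] = findings
    return report
```

Run `lint_registry_stanzas(SAMPLE_INPUTS_CONF)` to see the good stanza pass and the second one flagged on the hive, the baseline, and the unknown `modify` type.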