Can HKLM\SYSTEM be monitored with Registry Monitor...

kholleran · ‎11-15-2012

Can someone confirm they are monitoring some keys under here?

I am trying to monitor the USB & USBSTOR keys for any changes (new USB keys plugged in) but it does not send it back to the aggregator. I am monitoring some software keys and they report just fine but the USB's do not....

Thanks.

Kevin

kholleran · ‎11-25-2012

OK, though my Splunk case a formal bug has been submitted.

kholleran · ‎11-15-2012

Found it in the web interface under a different heading. Set it up in the web as well, still not passing data.

kholleran · ‎11-15-2012

OK, so when I click through the registry monitory in the web interface, I get to HKLM\System\CurrentControlSet\Enum & there is nothing there? There should be a whole bunch of stuff but the only key there is PCI? Where is USBSTOR & USB?

Any thoughts? Thanks!

Can HKLM\SYSTEM be monitored with Registry Monitoring

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation