Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Configuring Windows Registry

cald0002
New Member
‎11-12-2019 03:06 AM

I am having trouble extracting certain information from registry events. For example I want to extract the "SetValue" from the registry type, however, when I try to use the "extract fields" option to create to create a field for it, Splunk does not allow me to select that specific string to create the field. Is there a way to fix this? Or an alternative method to create fields for registry_type and also key_path and process_image?

event_status="(0)The operation completed successfully."
pid=7008
process_image="svchost.exe"
registry_type="SetValue"
key_path="HKU\s-1-5-20\software\microsoft\windows\currentversion\deliveryoptimization\config\downloadmode_backcompat"
data_type="REG_DWORD"
data="0x00000001(1)"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎11-12-2019 05:58 AM

are you using the Splunk TA for Windows?
did you follow this doc:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsregistrydata
I see all the fields extracted, screenshot below

alt text

View solution in original post

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎11-12-2019 05:58 AM

are you using the Splunk TA for Windows?
did you follow this doc:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsregistrydata
I see all the fields extracted, screenshot below

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

cald0002
New Member
‎11-13-2019 04:17 AM

Hi Adonio I am using the TA for Windows and I also followed the doc, however my events still do not look like the ones you have in the screen shot. This is the monitor I am using, not sure if it aligns with the one you are using.

[WinRegMon://hklm_run]
disabled = 0
hive = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.*
proc = .*
index = windows
type = rename|set|create|delete|rename

Also, do you think I need to make any changes or configs to any other file? In order to get all the other events to come in properly?

0 Karma
Reply
Solved! Jump to solution

cald0002
New Member
‎11-13-2019 04:18 AM

I also had an asterisk at the end of hive in proc, not sure why it didnt come up.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...