Getting Data In

How do I monitor only the changes to Windows Registry?

ericmoss
Explorer

How do I monitor only the changes (add, delete, change value) to Windows Registry? I am only interested in seeing changes that I make to the registry. I do not want to see the ripple effects of the changes I made or the dynamic changes that windows makes on its own.

For example, if I make change a setting in a group policy, I only want to see that change in value that I made. I do not want to see the changes of the windows registry that were caused by the change that I made.

Thanks.

0 Karma

Genti
Splunk Employee
Splunk Employee

hope THIS helps

more specifically:

Each stanza in regmon-filters.conf represents a particular filter whose definition includes:

* proc: a regular expression containing the path to the process or processes you want to monitor
* hive: a regular expression containing the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
      o \\REGISTRY\\USER\\ maps to HKEY_USERS or HKU
      o \\REGISTRY\\USER\\_Classes maps to HKEY_CLASSES_ROOT or HKCR
      o \\REGISTRY\\MACHINE maps to HKEY_LOCAL_MACHINE or HKLM
      o \\REGISTRY\\MACHINE\\SOFTWARE\\Classes maps to HKEY_CLASSES_ROOT or HKCR
      o \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current maps to HKEY_CURRENT_CONFIG or HKCC
      o Note: There is no direct mapping for HKEY_CURRENT_USER or HKCU, as the Splunk Registry monitor runs in kernel mode. However, using \\REGISTRY\\USER\\.* (note the period and asterisk at the end) will generate events that contain the logged-in user's security identifier (SID).
      o Alternatively, you can specify the user whose registry keys you wish to monitor by using \\REGISTRY\\USER\\<SID>, where SID is the SID of the desired user. 
* type: the subset of event types to monitor. Can be delete, set, create, rename, open, close, query. The values here must be a subset of the values for event_types that you set in sysmon.conf.
* baseline: whether or not to capture a baseline snapshot for that particular hive path. Set to 0 for no, and 1 for yes.
* baseline interval: how long Splunk has to have been down before re-taking the snapshot, in seconds. The default value is 86,400 seconds, or 24 hours.
* disabled: whether or not a filter is enabled. Set to 0 to enable the filter, and 1 to disable it. 

.gz

nandkumar90
New Member
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...