Getting Data In

How to edit my WinRegMon configuration to filter out certain Windows registry events?

Engager

Hello!

I need some help filtering Windows registry events in Splunk. Here is my inputs.conf file

[WinRegMon://default]
disabled = 0
hive = .*
proc = .(?!symantec|google)([a-z0-9*]+)$
type = rename|set|delete|create
index = windows

As you can see in proc, I am trying to remove all entries which have the word sDymantec and google, but I have had no success.

Could anyone provide a way they are doing this or a suggestion?

Thank you!

Builder

needed to do the same today. this seems to work for me.

proc = ^((?!(reg.exe|powershell_ise.exe)).)*$