You used this ? [WinRegMon://hkcu_run]
disabled = 0
index = defense
[WinRegMon://hklm_run]
disabled = 0
index = defense

also, the link you shared is not working.

the link i shared in previous answer is to a page about: "Configure Splunk to pull Windows Defender ATP alerts". I thought you wanted t pull out data from the defender as it is highlighted in your screenshot.
just clicked on it and it does work.
i chose index = defense since your configurations sample has this index (another reason why i thought you want to collect defender data)
yes, i used this in inputs.conf on the needed windows host to collect the desired data:
[WinRegMon://hkcu_run]
disabled = 0
index = defense
[WinRegMon://hklm_run]
disabled = 0
index = defense

@adonio

Is it possible ti fetch only the values of the WinDefender ?

As we will be deploying this across to our whole infrastructure with 100,000 hosts, we are targeting less license usage for this piece of information.

yes,
you can use props and transforms to route and filter data
please also read this doc ni detail:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata
specailly this part:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata#Filter_incoming_R...
if you are satisfied with the answer to your original question, please mark question as answered and vote up answers / comments that you feel helped

I want to retrieve only the CurrentControlSet\Services\WinDefend\FailureCommand Values.

What you had suggested, isn't that generic ? @adonio ?

it is generic, i didnt see the screenshot when answered. Do you need to collect data from Windows Defender? there is a short article here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-splunk-windows-defender-adva...
that explains how to achieve it

@adonio

We need to collect only the version information from the Registry Window that is highlighted above.

i am opening another answer to attach a screenshot