
Inputs for Windows Registry

Contributor

Hello All

I am looking for suggestions on monitoring Windows Registry for a particular attribute. We are looking to receive the product version from the Windows Registry.

[screenshot]

These are my current inputs, but I do not see any information popping up inside Splunk.

[WinRegistry]
index = defense
source = WinReg
disabled = 0

Am I doing something wrong?

Any assistance will be appreciated 🙂

0 Karma

Re: Inputs for Windows Registry

SplunkTrust

Try this in inputs.conf, or enable it from the GUI if you have the Windows TA installed:

[WinRegMon://hkcu_run]
disabled = 0
index = defense
[WinRegMon://hklm_run]
disabled = 0
index = defense

Now search: index=defense sourcetype=WinRegistry

Hope it helps.

0 Karma

Re: Inputs for Windows Registry

Contributor

I want to retrieve only the CurrentControlSet\Services\WinDefend\FailureCommand values.

Isn't what you suggested generic, @adonio?

0 Karma

Re: Inputs for Windows Registry

SplunkTrust

It is generic; I didn't see the screenshot when I answered. Do you need to collect data from Windows Defender? There is a short article here that explains how to achieve it: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-splunk-windows-defender-adva...

0 Karma

Re: Inputs for Windows Registry

Contributor

@adonio

We need to collect only the version information from the Registry Window that is highlighted above.

0 Karma

Re: Inputs for Windows Registry

SplunkTrust

I am opening another answer to attach a screenshot.

0 Karma

Re: Inputs for Windows Registry

SplunkTrust

Use the method in the previous answer to collect the WinRegMon data, then search for the data you need. Screenshot attached.

[screenshot]

0 Karma

Re: Inputs for Windows Registry

Contributor

You used this?

[WinRegMon://hkcu_run]
disabled = 0
index = defense
[WinRegMon://hklm_run]
disabled = 0
index = defense

Also, the link you shared is not working.

0 Karma

Re: Inputs for Windows Registry

SplunkTrust

The link I shared in the previous answer is to a page about "Configure Splunk to pull Windows Defender ATP alerts". I thought you wanted to pull data out of Defender, as it is highlighted in your screenshot.
I just clicked on it and it does work.
I chose index = defense since your configuration sample has this index (another reason why I thought you wanted to collect Defender data).
Yes, I used this in inputs.conf on the Windows host in question to collect the desired data:
[WinRegMon://hkcu_run]
disabled = 0
index = defense
[WinRegMon://hklm_run]
disabled = 0
index = defense

0 Karma

Re: Inputs for Windows Registry

Contributor

@adonio

Is it possible to fetch only the WinDefend values?

As we will be deploying this across our whole infrastructure of 100,000 hosts, we are targeting low license usage for this piece of information.

0 Karma
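Editor's note, added to the thread and not part of any of the posts above: the hkcu_run / hklm_run stanzas suggested earlier are the Windows TA's autorun-key monitors and will index every change under those Run keys, which is why they look generic. The WinRegMon input accepts its own filters, so the asker's goal (only the WinDefend service key, minimal volume) can be expressed directly. The stanza below is an added example using the documented WinRegMon settings hive, proc, type and baseline; the stanza name windefend_service and the index are assumptions, as is the ControlSet001 alternation, which you should confirm against the key_path values that actually arrive. Note also that WinRegistry in the question is the sourcetype the input assigns, not a stanza name, so a bare [WinRegistry] stanza collects nothing.

```ini
# inputs.conf on the Windows host (or in a deployment app pushed to the
# Universal Forwarder). Added example, not from the thread: scopes the
# registry monitor to the WinDefend service key so only that key is indexed.

[WinRegMon://windefend_service]
# hive is a regex over the kernel-form registry path, so match
# \REGISTRY\MACHINE rather than HKLM. CurrentControlSet is a symbolic link;
# depending on the host the path may be reported as ControlSet001, hence the
# alternation (assumed; check the key_path field on a test host). Replace the
# trailing .* with a single value name if only one value is of interest.
hive = \\REGISTRY\\MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\WinDefend\\.*
# Any process may touch the key. Narrowing this (for example to the
# Defender service binary) cuts noise further but risks missing writes
# made by other processes, e.g. an attacker tampering with the service.
proc = .*
# Only writes, creates, deletes and renames carry a value change; open,
# query and close events are high volume and tell you nothing about the data.
type = set|create|delete|rename
# baseline = 1 snapshots the current values matching hive when the input
# starts, so the version is indexed even if the key never changes; it is
# not a periodic poll, so keep it on and let change events do the rest.
baseline = 1
index = defense
disabled = 0
```

With this in place the data is found with index=defense sourcetype=WinRegistry key_path=*WinDefend* (field names as the Windows TA extracts them). For the license question: a baseline of one service key is a handful of events per host at forwarder start, and after that only actual changes to that key are sent, which for 100,000 hosts is far cheaper than monitoring the Run keys. If the monitor stays silent, check that the forwarder runs with rights to read the key and compare the key_path in any event you do receive against the hive regex before widening it.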