Getting Data In

What stanza would I need to only monitor the Notification Packages string within the Lsa hive?

AaronMoorcroft
Communicator

Hey guys,

So I have another request that I can monitor hives without issue so directly below if I were to add anything into this hive it gets picked up. However, when it comes to monitoring a specific value of a String or Dword then i'm having trouble, see the 2nd example below.

[WinRegMon://Registry1]
proc = .*
hive = \\REGISTRY\\USER\\.*\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\.*
type = create|delete|set|rename
baseline = 1
index = main


[WinRegMon://Registry11]
proc = .*
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\Notification Packages.*
type = create|delete|set|rename
baseline = 1
index = main

Also tried with -

\\NotificationPackages.*
\\Notification Packages\\.*

If I remove the "Notification Packages" then the stanza does kinda of work in that the baseline is taken of all items within the Lsa hive, but when adding the Notifications Packages item I get nothing at all. I have read that I can monitor via the key_path and also process_image however I dont want to narrow the changes down to specific processes and again adding a .* doesnt seem to bring back any values.

Can anyone advise of the stanza I would need to only monitor the Notification Packages string within the Lsa hive ?

0 Karma

AaronMoorcroft
Communicator

A little more info on this, so I can use the key_path value which sort of works as it logs the changes I need however it also opens to floodgates for some reason to a bunch of other keys in various hives, not limited to HKLM

So I could write a query and create dashboards for what I actually need however, the license usage is being taken up by events I don't wish to be logging. I did some digging around the CurrentControlSet path and it seems to work like a VIP / loadbalancer in that it points to ControlSet001 or ControlSet002 and potentially even ControlSet003 as these are like backups to the CurrentControlSet.

So if anyone has any other ideas on this i'm happy to listen, my current setup is -

[WinRegMon://Registry11]
proc = .
key_path = "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\Notification Packages"
type = create|delete|set|rename
index = main

0 Karma

MikaJustasACN
Path Finder

Don't know exactly in this case, but try with underscore _: Notification_Packages. This is the standard behaviour of Windows in majority of spaces I have faced. Not guaranteed, just try.

0 Karma

AaronMoorcroft
Communicator

Hey,

I've tried with an _ and it brings back some surprising results, so the key I wish to monitor is not monitored however what seems to be a replication of the key is monitored along with a whole host of other items. Its defiantly got me scratching my head

HKLM\System\ControlSet001\Control\Lsa\Notofication Packages is now being picked up ???

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...