I am forwarding Sysmon logs to Splunk. For normalization, I could see that event IDs 12, 13 and 14 are captured (Registry object added or deleted, Registry value added, Registry value modified).
All are success events. Will there be any failure events under the above-mentioned event IDs?
There won't be any failure events for the Endpoint data model and tag=registry; tested it with a non-admin account.
Only success events (registry keys/values modified, renamed, created or deleted) are captured under Event Viewer.
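Since the thread is about normalizing Sysmon 12/13/14 into the Endpoint.Registry data model, here is an added example of mine (not from the thread or from the Splunk add-on) that maps constructed Sysmon registry events onto CIM-style field names. The field names and the `action` values follow the Endpoint.Registry model as I understand it (an assumption, check against your CIM version), and every row gets `status=success` because, as the answer says, Sysmon produces no failure variant of these IDs.

```python
from typing import Dict, List

# Constructed sample events in the shape the Splunk Sysmon add-on extracts
# (EventCode, EventType, TargetObject, Details, Image, ProcessId). Not real logs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "12", "EventType": "CreateKey",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Image": r"C:\Windows\System32\reg.exe", "ProcessId": "4120"},
    {"EventCode": "13", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\updater.exe",
     "Image": r"C:\Windows\System32\reg.exe", "ProcessId": "4120"},
    {"EventCode": "14", "EventType": "RenameKey",
     "TargetObject": r"HKCU\Software\Example", "NewName": r"HKCU\Software\Example2",
     "Image": r"C:\Windows\regedit.exe", "ProcessId": "5016"},
    {"EventCode": "12", "EventType": "DeleteKey",
     "TargetObject": r"HKCU\Software\Example2",
     "Image": r"C:\Windows\regedit.exe", "ProcessId": "5016"},
]

# Sysmon EventType -> Endpoint.Registry action (assumed CIM action vocabulary).
ACTION_BY_EVENTTYPE = {
    "CreateKey": "created",
    "DeleteKey": "deleted",
    "DeleteValue": "deleted",
    "SetValue": "modified",
    "RenameKey": "modified",
}

def normalize(event: Dict[str, str]) -> Dict[str, str]:
    """Map one Sysmon registry event (ID 12/13/14) onto Endpoint.Registry fields."""
    event_type = event["EventType"]
    if event_type not in ACTION_BY_EVENTTYPE:
        raise ValueError(f"unexpected Sysmon registry EventType: {event_type}")
    target = event["TargetObject"]
    hive, _, key_path = target.partition("\\")
    # Event 13 (SetValue) names a value: its last path component is the value
    # name. Events 12 and 14 name a key, so there is no value component.
    if event["EventCode"] == "13":
        key_path, _, value_name = key_path.rpartition("\\")
    else:
        value_name = ""
    return {
        "action": ACTION_BY_EVENTTYPE[event_type],
        "status": "success",  # Sysmon emits no failure variant of 12/13/14
        "registry_hive": hive,
        "registry_path": target,
        "registry_key_name": key_path,
        "registry_value_name": value_name,
        "registry_value_data": event.get("Details", ""),
        "process_path": event["Image"],
        "process_id": event["ProcessId"],
    }

def normalize_all(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [normalize(e) for e in events]
```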