Splunk Enterprise Security

tag=registry

vijaysri
Contributor

Hi,

I am forwarding Sysmon logs to Splunk. For normalization, I can see that event IDs 12, 13 and 14 are captured (Registry object added or deleted, Registry value added, Registry value modified).

All are success events. Will there be any failure events under the above-mentioned event IDs?

1 Solution

vijaysri
Contributor

There won't be any failure events for the Endpoint data model and tag=registry; I tested it with a non-admin account.

Only success events (registry keys/values modified, renamed, created or deleted) are captured in Event Viewer.

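To illustrate the normalization side of the answer above, here is a small parser (an added example, not the add-on's or the poster's code) that takes raw Sysmon XML for event IDs 12, 13 and 14 and maps them onto Endpoint.Registry-style fields. Because Sysmon only records registry operations that actually completed, the status field is hard-coded to success; a denied registry access shows up as an Audit Failure in the Windows Security log (object access auditing), not as a Sysmon event. The EventType-to-action mapping and the sample events are constructed for this example.

```python
"""Normalise Sysmon registry events (IDs 12/13/14) into CIM-style Endpoint.Registry fields."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
REGISTRY_EVENT_IDS = {"12", "13", "14"}
# Sysmon EventType -> action value (assumed mapping, not the Splunk add-on's own)
ACTION_BY_EVENTTYPE = {"CreateKey": "created", "DeleteKey": "deleted", "DeleteValue": "deleted",
                       "SetValue": "modified", "RenameKey": "renamed"}
# EventTypes whose TargetObject is key\valuename rather than a bare key path
VALUE_LEVEL_TYPES = {"SetValue", "DeleteValue"}


def normalize_registry_event(xml_text):
    """Return normalised fields for a Sysmon 12/13/14 event, or None for any other event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id not in REGISTRY_EVENT_IDS:
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    event_type = data.get("EventType", "")
    target = data.get("TargetObject", "")
    if event_type in VALUE_LEVEL_TYPES:
        registry_path, _, value_name = target.rpartition("\\")
    else:
        registry_path, value_name = target, ""
    return {
        "event_id": event_id,
        "action": ACTION_BY_EVENTTYPE.get(event_type, "unknown"),
        "status": "success",  # Sysmon only logs operations that completed
        "registry_path": registry_path,
        "registry_value_name": value_name,
        "registry_value_data": data.get("Details", ""),
        "process": data.get("Image", ""),
        "process_id": data.get("ProcessId", ""),
    }


# Constructed sample events (trimmed to the fields the parser uses)
SAMPLE_SETVALUE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>13</EventID></System><EventData>
<Data Name="EventType">SetValue</Data><Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="ProcessId">4321</Data><Data Name="TargetObject">HKLM\SOFTWARE\Example\Run\Updater</Data>
<Data Name="Details">C:\Tools\updater.exe</Data></EventData></Event>"""
SAMPLE_CREATEKEY = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>12</EventID></System><EventData><Data Name="EventType">CreateKey</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data><Data Name="ProcessId">4321</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Example\Run</Data></EventData></Event>"""
SAMPLE_PROCESS = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1</EventID></System><EventData></EventData></Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SETVALUE, SAMPLE_CREATEKEY, SAMPLE_PROCESS):
        print(normalize_registry_event(sample))
```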
