Hi
I'm investigating Windows logs in Splunk and struggling to apply the correct filter.
What filter do I need to apply to find the persistence in the Windows registry?
What filter do I need to apply to find the Sysmon id 13 events to find the registry key used to maintain persistence in Windows?
Filter for which port number is listening for an incoming connection, using Sysmon 12 and Sysmon 13 event IDs.
My current search: index=*
Any assistance will be immensely appreciated.
Similar to this question Re: How to Identify windows registry key use for p... - Splunk Community
Do you have examples of the events you are dealing with?
Hi
I want to search for sysmon events in splunk
My current search: index=* sourcetype="WinEventLog:Microsoft-Windows-sysmon/operation" Registry
I'm trying to identify any persistence in the system; is that the correct filter for a Splunk search?
Thanks
So, your question is not really a Splunk question; it is more about your data, and how to interpret your data to identify the "persistence" events. Without knowledge of your data, it is difficult for us to advise. Perhaps if you shared some of your events, anonymised of course, we might be able to make some suggestions.
Having said that, a quick Google search (which you could have done yourself!) returns this link to Microsoft, which seems to indicate that events 12, 13 and 14 are to do with the Registry. Perhaps you could start with those.
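As an added illustration (not part of the thread, and not code from any poster), here is a small Python check that does what a Splunk search would do once Sysmon EventCode 12/13 registry events are isolated: it flags events whose TargetObject sits under well-known autostart locations. The one-line event layout, the sample events and the field names are constructed, simplified assumptions for the example.

```python
import re

# Well-known Windows autostart (ASEP) registry locations a defender would watch.
# Matched case-insensitively as substrings of the Sysmon TargetObject field.
AUTOSTART_PATHS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",   # also covers RunOnce
    r"\System\CurrentControlSet\Services",
    r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
)

# Constructed, simplified one-line Sysmon events in the "Field: value" layout
# seen in WinEventLog data (EventCode 12 = key create/delete, 13 = value set).
SAMPLE_EVENTS = [
    "EventCode=13 EventType: SetValue Image: C:\\Windows\\System32\\reg.exe "
    "TargetObject: HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater "
    "Details: C:\\Users\\bob\\AppData\\Roaming\\upd.exe",
    "EventCode=13 EventType: SetValue Image: C:\\Windows\\explorer.exe "
    "TargetObject: HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\0 "
    "Details: Binary Data",
    "EventCode=12 EventType: CreateKey Image: C:\\Windows\\System32\\services.exe "
    "TargetObject: HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc",
    "EventCode=1 Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c whoami",
]

# "Name: value" pairs; a value runs until the next " Name: " token or end of line.
FIELD_RE = re.compile(r"(EventType|Image|TargetObject|Details): (.*?)(?= \w+: |$)")


def parse_event(line: str) -> dict:
    """Pull EventCode and the Sysmon registry fields out of one event line."""
    m = re.search(r"EventCode=(\d+)", line)
    fields = {"EventCode": int(m.group(1)) if m else None}
    fields.update(FIELD_RE.findall(line))
    return fields


def find_registry_persistence(events):
    """Return Sysmon 12/13 events whose TargetObject is under an autostart location."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev["EventCode"] not in (12, 13):      # the Splunk EventCode filter
            continue
        target = ev.get("TargetObject", "")
        for path in AUTOSTART_PATHS:
            if path.lower() in target.lower():    # the TargetObject filter
                hits.append({"EventCode": ev["EventCode"], "Image": ev.get("Image"),
                             "TargetObject": target, "Details": ev.get("Details"),
                             "matched": path})
                break
    return hits


if __name__ == "__main__":
    for hit in find_registry_persistence(SAMPLE_EVENTS):
        print(hit)
```

In Splunk the same two filters are an EventCode restriction to 12 and 13 plus a wildcard match on TargetObject for these paths, assuming the Sysmon add-on extracts those fields under those names.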