How do I monitor only the changes (add, delete, change value) to the Windows Registry? I am only interested in seeing changes that I make to the registry. I do not want to see the ripple effects of the changes I made or the dynamic changes that Windows makes on its own.
For example, if I change a setting in a group policy, I only want to see that change in value that I made. I do not want to see the changes to the Windows registry that were caused by the change that I made.
Each stanza in regmon-filters.conf represents a particular filter whose definition includes:
* proc: a regular expression containing the path to the process or processes you want to monitor
* hive: a regular expression containing the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
    - \\REGISTRY\\USER\\ maps to HKEY_USERS or HKU
    - \\REGISTRY\\USER\\_Classes maps to HKEY_CLASSES_ROOT or HKCR
    - \\REGISTRY\\MACHINE maps to HKEY_LOCAL_MACHINE or HKLM
    - \\REGISTRY\\MACHINE\\SOFTWARE\\Classes maps to HKEY_CLASSES_ROOT or HKCR
    - \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current maps to HKEY_CURRENT_CONFIG or HKCC
    - Note: There is no direct mapping for HKEY_CURRENT_USER or HKCU, as the Splunk Registry monitor runs in kernel mode. However, using \\REGISTRY\\USER\\.* (note the period and asterisk at the end) will generate events that contain the logged-in user's security identifier (SID).
    - Alternatively, you can specify the user whose registry keys you wish to monitor by using \\REGISTRY\\USER\\<SID>, where SID is the SID of the desired user.
* type: the subset of event types to monitor. Can be delete, set, create, rename, open, close, query. The values here must be a subset of the values for event_types that you set in sysmon.conf.
* baseline: whether or not to capture a baseline snapshot for that particular hive path. Set to 0 for no, and 1 for yes.
* baseline interval: how long Splunk has to have been down before re-taking the snapshot, in seconds. The default value is 86,400 seconds, or 24 hours.
* disabled: whether or not a filter is enabled. Set to 0 to enable the filter, and 1 to disable it.
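As an added illustration (not part of the answer above, and not Splunk's own code), the following Python builds a regmon-filters.conf stanza that uses the proc, hive and type fields to keep only edits made through regedit.exe or the Group Policy editor (mmc.exe) under the Policies hive, then applies the same regex tests locally to a few constructed events so you can see which ones survive. The key name baseline_interval and the full-match regex semantics are assumptions; the sample events and registry paths are constructed.

```python
import configparser
import re

# Constructed regmon-filters.conf stanza. Assumptions: the key is spelled
# baseline_interval, and proc/hive/type are regexes as the answer describes.
# proc narrows capture to the tools a person edits with, so changes that
# Windows services make on their own (e.g. from svchost.exe) are left out.
CONF_TEXT = r"""
[Manual policy edits]
proc = .*\\(regedit|mmc)\.exe
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\.*
type = set|create|delete
baseline = 0
baseline_interval = 86400
disabled = 0
"""

def load_filters(text):
    """Parse each stanza into a dict of compiled regexes plus its disabled flag."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    filters = {}
    for name in cp.sections():
        s = cp[name]
        filters[name] = {
            "proc": re.compile(s["proc"]),
            "hive": re.compile(s["hive"]),
            "type": re.compile(s["type"]),
            "disabled": s.get("disabled", "0") == "1",
        }
    return filters

def event_matches(flt, event):
    """Local approximation of the filter test: all three regexes must match in full."""
    if flt["disabled"]:
        return False
    return all(flt[k].fullmatch(event[k]) for k in ("proc", "hive", "type"))

def select_events(filters, events):
    """Return the events that at least one enabled filter would let through."""
    return [e for e in events if any(event_matches(f, e) for f in filters.values())]

# Constructed sample events: one manual gpedit change, one made by a Windows
# service, and one regedit read (query) that the type regex excludes.
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Example\Setting"
EVENTS = [
    {"proc": r"C:\Windows\System32\mmc.exe", "hive": POLICY_KEY, "type": "set"},
    {"proc": r"C:\Windows\System32\svchost.exe", "hive": POLICY_KEY, "type": "set"},
    {"proc": r"C:\Windows\regedit.exe", "hive": POLICY_KEY, "type": "query"},
]
```

Running select_events(load_filters(CONF_TEXT), EVENTS) keeps only the mmc.exe event, which is the behaviour the question asks for.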