Inputs for Windows Registry

vr2312
Contributor

Hello All

I am looking for suggestions on monitoring Windows Registry for a particular attribute. We are looking to receive the product version from the Windows Registry.


These are my current inputs, but I do not see any information popping up inside Splunk.

[WinRegistry]
index = defense
source = WinReg
disabled = 0

Am I doing something wrong?

Any assistance will be appreciated 🙂

0 Karma

adonio
Ultra Champion

Use the method in the previous answer to collect the WinRegMon data, then
search for the data needed. Screenshot attached.


0 Karma

vr2312
Contributor

You used this?

[WinRegMon://hkcu_run]
disabled = 0
index = defense
[WinRegMon://hklm_run]
disabled = 0
index = defense

Also, the link you shared is not working.

0 Karma

adonio
Ultra Champion

The link I shared in the previous answer is to a page about "Configure Splunk to pull Windows Defender ATP alerts". I thought you wanted to pull out data from Defender, as it is highlighted in your screenshot.
I just clicked on it and it does work.
I chose index = defense since your configuration sample has this index (another reason why I thought you want to collect Defender data).
Yes, I used this in inputs.conf on the needed Windows host to collect the desired data:
[WinRegMon://hkcu_run]
disabled = 0
index = defense
[WinRegMon://hklm_run]
disabled = 0
index = defense

0 Karma

vr2312
Contributor

@adonio

Is it possible to fetch only the values of WinDefender?

As we will be deploying this across to our whole infrastructure with 100,000 hosts, we are targeting less license usage for this piece of information.

0 Karma

adonio
Ultra Champion

Yes,
you can use props and transforms to route and filter data.
Please also read this doc in detail:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata
especially this part:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata#Filter_incoming_R...
If you are satisfied with the answer to your original question, please mark the question as answered and vote up the answers / comments that you feel helped.

0 Karma
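Two things the thread points at but never spells out. First, `[WinRegistry]` in the original question is the sourcetype that Registry events are indexed under, not an input type; the input is the `WinRegMon://` modular input, which is why the first stanza produced nothing. Second, WinRegMon reports registry change events (set/create/delete/rename), so a value that never changes, such as a product version, only shows up if the input also takes a baseline snapshot of the monitored keys. The following is an added example, not configuration from the thread or from Splunk's own TA: an inputs.conf stanza that restricts the monitor to the single WinDefend service key on the forwarder side, so nothing else is sent or licensed across 100,000 hosts, plus an optional props/transforms pair for the indexer that drops every other WinRegistry event. Assumptions: the key path is the HKLM\SYSTEM\CurrentControlSet\Services\WinDefend key named in the question; `hive`, `proc`, `type`, `baseline` and `baseline_interval` are used as described in inputs.conf.spec for WinRegMon; the stanza and transform names are hypothetical.

```ini
# inputs.conf on the universal forwarder (added example, not from the thread).
# Stanza name is arbitrary; the key path is the one named in the question.
[WinRegMon://windefend_service_key]
disabled = 0
index = defense
# PCRE match on the key path as the monitor reports it (\REGISTRY\MACHINE is HKLM).
# Only this key and its values are captured; everything else is discarded on the
# host before it is forwarded, so it never consumes license.
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\\.*
# Any writing process (narrow this if only specific writers matter).
proc = .*
# Change events still get reported for this key, which is useful on its own:
# tampering with a Defender service key is worth an alert.
type = set|create|delete|rename
# A static value such as a version string only appears in a baseline snapshot,
# so take one at startup and (assumption: seconds) once a day thereafter.
baseline = 1
baseline_interval = 86400

# Optional belt-and-braces on the indexer or heavy forwarder, for hosts that still
# run an unfiltered [WinRegMon://...] stanza: send every WinRegistry event to the
# nullQueue unless it references the WinDefend key. Transform names are hypothetical.
# props.conf
[WinRegistry]
TRANSFORMS-filter_windefend = drop_all_registry, keep_windefend

# transforms.conf (order matters: the last transform whose REGEX matches wins)
[drop_all_registry]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_windefend]
REGEX = key_path=.*\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend
DEST_KEY = queue
FORMAT = indexQueue
```

After a forwarder restart, `index=defense sourcetype=WinRegistry key_path="*WinDefend*"` should return the baseline rows for that key; the `data` field carries the value. Filtering in inputs.conf is the one that saves license, since nullQueue routing only discards data the forwarder has already shipped, so treat the props/transforms part as a safety net for mis-configured hosts rather than the primary control.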

adonio
Ultra Champion

Try this in inputs.conf, or enable it from the GUI if you have the Windows TA installed.

[WinRegMon://hkcu_run]
disabled = 0
index = defense
[WinRegMon://hklm_run]
disabled = 0
index = defense

Now search: index=defense sourcetype=WinRegistry

Hope it helps.

0 Karma

vr2312
Contributor

I want to retrieve only the CurrentControlSet\Services\WinDefend\FailureCommand Values.

What you had suggested, isn't that generic? @adonio

0 Karma

adonio
Ultra Champion

It is generic, I didn't see the screenshot when I answered. Do you need to collect data from Windows Defender? There is a short article here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-splunk-windows-defender-adva...
that explains how to achieve it.

0 Karma

vr2312
Contributor

@adonio

We need to collect only the version information from the Registry Window that is highlighted above.

0 Karma

adonio
Ultra Champion

I am opening another answer to attach a screenshot.

0 Karma