Forum Discussion
MREVCI
Oct 21, 2021 - Copper Contributor
Running a registry based query
Hello, we have some computers which we need to find out the specific registry value in order to be able to update their OS. The path: HKEY_LOCAL_MACHINE\software\policies\Microsoft\Windows\Win...
David Caddick
Oct 21, 2021 - Iron Contributor
Head into https://security.microsoft.com/advanced-hunting
Use this to start with:
DeviceRegistryEvents
| limit 100
Then pivot from there using show filters?
David Caddick
Oct 24, 2021 - Iron Contributor
For instance, I have recently been wanting to track Macros that have been executed, so I'm looking for this in TrustRecords using this KQL:
DeviceRegistryEvents
| where RegistryKey has @"SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords"
| project Timestamp, DeviceName, RegistryValueName
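Applying the same DeviceRegistryEvents approach to the original question (the latest observed value of a policy registry value, per device), as an added example that is not from either poster. The subkey and value name are placeholders, because the original post truncates the path after "Windows\"; the 30-day window is an assumption.

```kql
// Added example, not from the thread. Finds the most recent write or delete
// of one policy value on every device that reported such an event.
// <SUBKEY_PLACEHOLDER> and <VALUE_NAME_PLACEHOLDER> stand in for the part of
// the path the original post truncates.
let TargetKey = @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\<SUBKEY_PLACEHOLDER>";
let TargetValue = "<VALUE_NAME_PLACEHOLDER>";
DeviceRegistryEvents
| where Timestamp > ago(30d)                       // assumed lookback window
| where RegistryKey =~ TargetKey                   // case-insensitive exact key match
| where RegistryValueName =~ TargetValue
| where ActionType in ("RegistryValueSet", "RegistryValueDeleted")
// keep only the newest event per device so each row reflects the last known state
| summarize arg_max(Timestamp, ActionType, RegistryValueType, RegistryValueData,
                    InitiatingProcessFileName) by DeviceId, DeviceName
| project DeviceName, DeviceId, LastSeen = Timestamp, ActionType,
          RegistryValueType, RegistryValueData, InitiatingProcessFileName
| order by DeviceName asc
```

DeviceRegistryEvents records changes, not a point-in-time snapshot, so a device whose value was set before the retention window and never touched since will not appear in the results.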