How would you alert on arbitrary registry changes?

How would you make an alert for this registry change?

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess

changed to 0

Hi Hayden,

Would this be for a subset of critical assets, or across all endpoints?

The reason I ask is, it appears this type of action gets logged as event ID 4657: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657

This is not an event code we track for IDR built in alerts, and therefore is not collected by default.
See the list of event codes collected here: https://docs.rapid7.com/insightidr/insight-agent/#insight-agent

In order to get any additional event codes in to Log Search there are a few options.

If these are Domain Controllers running an existing AD event source, you can tick the "send unfiltered logs" option when configuring the event source, and all security logs will be pulled from the DC.

If these are regular hosts, then you could configure the Generic Windows Event Logs event source.

Neither of these options is truly scalable, so if your aim is to monitor this on a fleet of assets, you could configure the Insight Agent to pull all System, Security and Application logs using this method: https://docs.rapid7.com/insightidr/configure-the-insight-agent-to-send-logs/#configure-the-insight-agent-to-send-logs

The caveat with this method is that all System, Security and Application logs will be sent, and this option is not available on Domain Controllers.

Finally, if none of these options are applicable, then Nxlog is an option with more configurability.

See the https://docs.rapid7.com/insightidr/nxlog#collect-windows-server-logs page for instructions.

David
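Once 4657 records are reaching log search by one of the routes David lists, the alert itself is a match on three fields of the event: the key (`ObjectName`, which 4657 writes in the native `\REGISTRY\MACHINE\...` form rather than the `HKEY_LOCAL_MACHINE\...` form shown in Regedit), the value name (`ObjectValueName`) and the new data (`NewValue`). The following Python is an added example, not code from the thread, from Rapid7 or from Microsoft: it parses 4657 event XML, translates the Regedit-style path from the question into the native form, and flags the `RDVDenyWriteAccess` change to 0. The two event records are constructed to resemble 4657 XML (host name, user, process and timestamps are made up); the helper names are this example's own.

```python
"""Match the RDVDenyWriteAccess change against Windows Security event 4657 records.

The event XML in SAMPLE_EVENTS is constructed for this example in the shape of
a 4657 record; it was not captured from a real host. Function names are this
example's own, not an InsightIDR or Windows API.
"""
import xml.etree.ElementTree as ET

# Namespace of every record exported from the Windows event log.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Path exactly as given in the question (Regedit form, value name at the end).
QUESTION_PATH = r"Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess"

# The same key and value in the form 4657 reports them.
WATCHED_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE"
WATCHED_VALUE = "RDVDenyWriteAccess"
ALERT_NEW_VALUE = "0"  # the question: alert when the value is changed to 0


def hive_path_to_native(regedit_key):
    """Translate HKEY_LOCAL_MACHINE\\... (Regedit form) into \\REGISTRY\\MACHINE\\...,
    which is how 4657 populates ObjectName."""
    if regedit_key.startswith("Computer\\"):
        regedit_key = regedit_key[len("Computer\\"):]
    hives = {
        "HKEY_LOCAL_MACHINE": "\\REGISTRY\\MACHINE",
        "HKLM": "\\REGISTRY\\MACHINE",
        "HKEY_USERS": "\\REGISTRY\\USER",
        "HKU": "\\REGISTRY\\USER",
    }
    hive, sep, rest = regedit_key.partition("\\")
    return hives.get(hive.upper(), hive) + sep + rest


def split_key_value(regedit_path):
    """Split 'Computer\\HKLM\\...\\Key\\ValueName' into (native key, value name)."""
    key, _, value_name = regedit_path.rpartition("\\")
    return hive_path_to_native(key), value_name


def parse_4657(xml_text):
    """Return the EventData fields of a 4657 record as a dict, or None for any
    other event ID (so the caller can feed it a mixed stream of records)."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4657":
        return None
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    fields["TimeCreated"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime", "")
    return fields


def should_alert(fields, watched_key=WATCHED_KEY, watched_value=WATCHED_VALUE,
                 alert_value=ALERT_NEW_VALUE):
    """True when the record sets the watched value to the alerting data.
    Key and value names are compared case-insensitively, as the registry itself is."""
    if fields is None:
        return False
    return (fields.get("ObjectName", "").lower() == watched_key.lower()
            and fields.get("ObjectValueName", "").lower() == watched_value.lower()
            and fields.get("NewValue", "").strip() == alert_value)


def find_alerts(xml_records):
    """Run the match over a list of raw event XML strings and return one
    summary dict per hit, with the fields an analyst wants first."""
    hits = []
    for record in xml_records:
        fields = parse_4657(record)
        if should_alert(fields):
            hits.append({
                "time": fields["TimeCreated"],
                "host": fields["Computer"],
                "user": fields.get("SubjectDomainName", "") + "\\" + fields.get("SubjectUserName", ""),
                "process": fields.get("ProcessName", ""),
                "old": fields.get("OldValue", ""),
                "new": fields.get("NewValue", ""),
            })
    return hits


# Constructed 4657 records: the first is the change from the question, the
# second is an unrelated value under a made-up key and must not alert.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4657</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.000000Z"/>
    <Computer>WKSTN01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectName">\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE</Data>
    <Data Name="ObjectValueName">RDVDenyWriteAccess</Data>
    <Data Name="OperationType">%%1904</Data>
    <Data Name="OldValue">1</Data><Data Name="NewValue">0</Data>
    <Data Name="ProcessName">C:\Windows\regedit.exe</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4657</EventID>
    <TimeCreated SystemTime="2024-01-01T10:05:00.000000Z"/>
    <Computer>WKSTN01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\ExampleVendor\Setting</Data>
    <Data Name="ObjectValueName">Enabled</Data>
    <Data Name="OperationType">%%1904</Data>
    <Data Name="OldValue">1</Data><Data Name="NewValue">0</Data>
    <Data Name="ProcessName">C:\Windows\regedit.exe</Data>
  </EventData></Event>""",
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT RDVDenyWriteAccess set to 0:", hit)
```

Two points worth keeping in mind when wiring this up. First, 4657 is only written when the "Audit Registry" subcategory (Object Access) is enabled and the key carries a SACL that audits Set Value, so the collection route David describes has to be paired with that audit configuration or there is nothing to match. Second, `should_alert` compares the full `ObjectName`; if the same value is later watched under other keys, loosen that to a suffix or pattern match rather than duplicating the rule per key.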