Hi all,
I'm trying to run a KQL query in ATP to check a registry key's state.
Here is what I have:
//Registry events
DeviceRegistryEvents
| where Timestamp > ago(15d)
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "ZWS_State"
// `has` does whole-term matching and has no wildcard support, so a trailing "*" is treated
// literally and never matches; use `contains` instead. Path separators restored
// (assumed key path: SOFTWARE\Zscaler\App).
| where RegistryKey contains @"SOFTWARE\Zscaler\App"
// RegistryValueData holds the value that was written (OFF or TUNNEL_FORWARDING here)
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
| top 100 by Timestamp desc
Inside the reg key ZWS_State it will be either OFF or TUNNEL_FORWARDING.
For some reason it's returning nothing. Any help would be appreciated.
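A diagnostic version of the same hunt, added here as an example and not part of the original post. It assumes the Zscaler key path is SOFTWARE\Zscaler\App and the value name is ZWS_State as described above. Step 1 loosens the filters to confirm that any matching registry writes exist in the window (the usual reason for an empty result is a filter that never matches); step 2 returns each device's most recent ZWS_State and flags the devices that are not tunnelling. Run the two steps as separate queries.

```kql
// Step 1: confirm registry writes under the Zscaler key exist at all in the window.
// The action-type and value-name filters are dropped on purpose, since either can
// be the reason for zero rows; make_set shows which value names actually appear.
DeviceRegistryEvents
| where Timestamp > ago(15d)
| where RegistryKey contains @"SOFTWARE\Zscaler"        // assumed key path
| summarize Events = count(), ValueNames = make_set(RegistryValueName, 20) by ActionType

// Step 2: latest ZWS_State per device, then only the devices that are not tunnelling.
// arg_max keeps the newest event per DeviceName; the state is normalised before
// comparison so casing or stray whitespace in the written value does not hide a match.
DeviceRegistryEvents
| where Timestamp > ago(15d)
| where ActionType == "RegistryValueSet"
| where RegistryValueName =~ "ZWS_State"                 // case-insensitive equality
| where RegistryKey contains @"SOFTWARE\Zscaler\App"    // assumed key path
| summarize arg_max(Timestamp, RegistryKey, RegistryValueData) by DeviceName
| extend State = toupper(trim(@"\s", RegistryValueData))
| where State != "TUNNEL_FORWARDING"
| project DeviceName, Timestamp, RegistryKey, State
| order by Timestamp desc
```

If step 1 returns rows but step 2 returns none, compare the RegistryValueName entries from step 1 against "ZWS_State"; if step 1 itself is empty, the key path or the 15-day window is the problem rather than the value filter.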
