RossWelton-3331 asked:

ATP advanced threat hunting query KQL

Hi all

I'm trying to run a KQL query using ATP to check a registry key's state.
Here is what I have:
//Registry events
DeviceRegistryEvents
| where Timestamp > ago(15d)
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "ZWS_State"
| where RegistryKey has @"SOFTWARE\Zscaler\App*"
| project Timestamp, DeviceName, RegistryKey
| top 100 by Timestamp

Inside the registry key, ZWS_State will be either OFF or TUNNEL_FORWARDING.

For some reason it's returning nothing; any help would be appreciated.

microsoft-sentinel

vipulsparsh-MSFT answered:

@RossWelton-3331 Thanks for reaching out. I don't have a Zscaler setup, so I'm not sure how exactly it shows up in the RegistryKey table.
I just did a quick test with your RegistryKey parameter and the Kusto query you used.

For example, if the following is the entry in my ATP:

[screenshot of a DeviceRegistryEvents entry from the answerer's lab; image not included on the page]

I was able to get the particular RegistryKey with the following:

DeviceRegistryEvents
| where RegistryKey contains "AArsvc_"

And obviously the other parts like Timestamp and ActionType should be added to narrow down the search results; my lab environment does not have much data.
What I want you to try is this part: | where RegistryKey contains "AArsvc_"

So you can try something like

DeviceRegistryEvents
| where Timestamp > ago(15d)
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "ZWS_State"
// verbatim string (@"...") so the backslashes are taken literally
| where RegistryKey contains @"SOFTWARE\Zscaler\App"
| project Timestamp, DeviceName, RegistryKey
| top 100 by Timestamp


Let me know if it helps. If it does not, share a screenshot of the entry you are expecting to find from the KQL query and we can build something for you.




Hi, this worked but I was unable to retrieve the keys I wanted.

RossWelton-3331 answered:

Using the query below I was able to obtain some results, but from the wrong registry area.
//Registry events
DeviceRegistryEvents
| where RegistryKey contains "Zscaler"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName
| top 100 by Timestamp

I'm after
Computer\HKEY_CURRENT_USER\SOFTWARE\Zscaler\App

and value
ZWS_State


@RossWelton-3331 If Computer\HKEY_CURRENT_USER\SOFTWARE\Zscaler\App is a valid registry path, you can directly search for it with

DeviceRegistryEvents
| where RegistryKey contains @"Computer\HKEY_CURRENT_USER\SOFTWARE\Zscaler\App"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName
| top 100 by Timestamp


Hi, I've tried this.

ATP doesn't like this line:
| where RegistryKey contains "Computer\HKEY_CURRENT_USER\SOFTWARE\Zscaler\App"

It doesn't like the "Computer" part.


@RossWelton-3331 Just try with "HKEY_CURRENT_USER\SOFTWARE\Zscaler\App":

DeviceRegistryEvents
| where RegistryKey contains @"HKEY_CURRENT_USER\SOFTWARE\Zscaler\App"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName
| top 100 by Timestamp

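The thread stalls on two details of the key path: the "Computer\" prefix shown in Regedit's address bar is not part of the key the sensor records, and the per-user hive is not necessarily logged under the HKEY_CURRENT_USER alias. The query below is an added example, not code from any participant in the thread; it sidesteps the hive root by matching the tail of the key with a verbatim string, then reports the most recent ZWS_State per device so an analyst can see which endpoints last set the Zscaler tunnel to OFF. It assumes the standard Advanced Hunting DeviceRegistryEvents schema (Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData) and the two values named in the question.

```kql
// Added example (not from the thread). Assumes the standard DeviceRegistryEvents schema.
DeviceRegistryEvents
| where Timestamp > ago(15d)
| where ActionType == "RegistryValueSet"
| where RegistryValueName =~ "ZWS_State"
// Verbatim string (@"...") keeps the backslashes literal instead of treating them as escapes.
// endswith ignores whatever hive prefix the sensor records (HKEY_CURRENT_USER, HKEY_USERS\<SID>, ...).
| where RegistryKey endswith @"\SOFTWARE\Zscaler\App"
// Keep only the latest write per device so each endpoint appears once with its current state.
| summarize arg_max(Timestamp, RegistryKey, RegistryValueData) by DeviceName
| project DeviceName, LastChange = Timestamp, RegistryKey, ZWS_State = RegistryValueData
// Values named in the question; anything else surfaces as an unexpected state worth a look.
| extend ExpectedValue = ZWS_State in~ ("OFF", "TUNNEL_FORWARDING")
| order by ZWS_State asc, LastChange desc
```

If this still returns no rows, drop the ZWS_State and endswith filters and run `| where RegistryKey contains "Zscaler" | distinct RegistryKey` first, as the thread itself does, to see exactly how the sensor spells the path on your tenant before tightening the match again.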