Windows DisableAntiSpyware Registry
The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints.
Windows DisableAntiSpyware Registry Help
You must be ingesting data that records the process-system activity from your hosts to populate the Endpoint Processes data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
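The check described above, written as an added Python example (it is not the Splunk search itself): it flags writes of DisableAntiSpyware with DWORD value 1 in events shaped like Sysmon Event ID 13 records and reports when several hosts show the change. The sample events, the Windows Defender policy key path, the `ExampleValue` name and the `min_hosts` threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumed location of the value: the Windows Defender policy key.
DEFENDER_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

# Constructed events shaped like Sysmon Event ID 13 (registry value set).
# Hosts and images are invented sample data.
SAMPLE_EVENTS = [
    {"Computer": "ws-01", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": DEFENDER_KEY + r"\DisableAntiSpyware", "Details": "DWORD (0x00000001)"},
    {"Computer": "ws-02", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": DEFENDER_KEY + r"\DisableAntiSpyware", "Details": "DWORD (0x00000001)"},
    # Writing 0 does not disable anything, so it must not match.
    {"Computer": "ws-03", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": DEFENDER_KEY + r"\DisableAntiSpyware", "Details": "DWORD (0x00000000)"},
    # Unrelated (hypothetical) value under the same key.
    {"Computer": "ws-04", "EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": DEFENDER_KEY + r"\ExampleValue", "Details": "DWORD (0x00000001)"},
]

DWORD_RE = re.compile(r"^DWORD \((0x[0-9a-fA-F]+)\)$")

def sets_disable_antispyware(event):
    """True for a value-set event that writes DisableAntiSpyware = 1."""
    if event.get("EventID") != 13:
        return False
    # Registry names are case-insensitive; compare the last path component.
    value_name = event.get("TargetObject", "").rsplit("\\", 1)[-1].lower()
    match = DWORD_RE.match(event.get("Details", ""))
    return (value_name == "disableantispyware"
            and bool(match) and int(match.group(1), 16) == 1)

def affected_hosts(events):
    """Map each host to the set of process images that set the value on it."""
    hits = defaultdict(set)
    for event in events:
        if sets_disable_antispyware(event):
            hits[event["Computer"]].add(event["Image"])
    return dict(hits)

def fleet_alert(events, min_hosts=2):
    """Return the sorted hosts when at least min_hosts (a tuning assumption) match."""
    hosts = sorted(affected_hosts(events))
    return hosts if len(hosts) >= min_hosts else []

if __name__ == "__main__":
    print(fleet_alert(SAMPLE_EVENTS))
```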