Registry Value Integrity Checksum Changed, Registry Value Integrity Checksum Changed, Registry Value Entry Added to the System


Abdulaziz Aljaberi

Nov 1, 2023, 9:52:47 AM11/1/23
to Wazuh | Mailing List
Hi Everyone,

We are getting an event in Wazuh from multiple agents; the event occurs thousands of times every day.

The event concerns the registry on Windows agents, covering deletion, modification and addition. (Event IDs are 750, 751, 752, 594, 597, 598.)

We need help to know whether this is a critical event or not. If not, we need to know how to stop it.

The attached Excel sheet has a description of all the events that occur within Wazuh:
Desc of Registery Events .xlsx

Javier Medeot

Nov 1, 2023, 12:02:23 PM11/1/23
to Wazuh | Mailing List
Hello Abdulaziz.

You should investigate and identify the source of these changes. Check which software or processes are making these registry modifications. You need to ensure they are legitimate and not the result of malicious activity. You might need to use Windows audit policies to get more information about these events.

If they are expected but you don't want to visualize them, you can apply filters in the Wazuh dashboard to filter them out while you review your Wazuh alerts list. For example, by using the filter NOT syscheck.path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime to hide alerts with rule.id 750 for that specific Windows registry path.

If you need a more permanent approach, you can create custom decoders/rules to capture the specific events you want to silence. Take a look at the Custom rules and decoders section of the documentation for this and let us know if you need further assistance. Also consider that Wazuh rules can include the ignore option, which allows ignoring repetitions of the same alert for a specific period of time to prevent the same alert from flooding your list.

Please let me know if this is what you needed to know. Thank you.
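One way to implement the custom-rule approach described above, as an added example that is not part of the thread or of Wazuh's own ruleset. It assumes rule ids 100100 and 100101 are unused in your local_rules.xml, that the registry path is matched through the file field as Wazuh's stock syscheck rules do, and uses the W32Time path quoted in the reply.

```xml
<!-- local_rules.xml: child rules of the stock registry FIM rules (constructed example) -->
<group name="local,syscheck,">

  <!-- Silence rule 750 (value checksum changed) only for the W32Time path from the thread.
       Level 0 plus no_log: the event is neither alerted on nor written to alerts.log.
       Assumption: the decoded registry path is available as the "file" field. -->
  <rule id="100100" level="0">
    <if_sid>750</if_sid>
    <field name="file" type="pcre2">\\W32Time\\SecureTimeLimits\\RunTime$</field>
    <options>no_log</options>
    <description>FIM: expected W32Time registry value churn, suppressed.</description>
  </rule>

  <!-- Keep key/value adds and removes visible (751, 752, 594, 597, 598) but rate-limit
       repeats: ignore="3600" drops identical alerts for one hour after the first fires,
       so a noisy installer cannot flood the list while real changes still surface once. -->
  <rule id="100101" level="7" ignore="3600">
    <if_sid>751,752,594,597,598</if_sid>
    <field name="file" type="pcre2">^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\</field>
    <description>FIM: registry key/value added or removed under Services (rate-limited).</description>
  </rule>

</group>
```

Test the ruleset with /var/ossec/bin/wazuh-logtest against a copy of one of the offending alerts before restarting the manager, and prefer a narrow path pattern over suppressing the parent rule for the whole registry.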