I am seeing a huge number (almost 1000/day) of attempts to read/write registry keys. This is from random nodes everywhere. When running through the event wizard, I can configure a rule to allow access to those registry keys - the event wizard suggests allowing dozens of sources to access 200+ registry keys. These events are all grouped under "similar events".
What is the best practice for determining the proper rules to put in place for registry accesses? It would be impossible to understand each registry access to make a decision based on proper protocol operation, so there must be a better way. Of course, we don't want to simply allow all registry accesses, since this would put a dent in the armor of CSA.
From what I've seen, this mostly involves shares on Windows hosts, whether it be printers or files. The host keeps a record of access in MRU keys for caching, access tracking, etc. If you allowed (or denied) access to the root keys from trusted nodes and didn't log, you might cut down on the number of messages.
Has it caused anything to stop working? If not, I'd simply stop logging it. If it's denying things and nothing is affected, why see it?
You might also look at the host access security logging and see if that can be tuned to cut down on the messages.
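One way to turn "200+ registry keys from dozens of sources" into a handful of rule candidates is to collapse the observed keys to their longest common path prefix per hive area, then separate prefixes that only trusted hosts touch (candidates for an allow-without-logging rule) from everything else (keep for manual review). The script below is an added example, not code from the original thread or from CSA itself. The tab-separated `host<TAB>key` export format, the host names and the registry keys are constructed for the example; adapt `parse_events` to whatever your management center actually exports.

```python
"""Collapse a flood of registry-access events into a few rule candidates.

Added example, not from the original thread or from CSA. The input format
(one "host<TAB>registry_key" line per event), the hosts and the keys are
constructed assumptions; adapt parse_events() to your real export.
"""
from collections import defaultdict

# Constructed sample export (hypothetical hosts and keys, not real CSA output).
SAMPLE_EVENTS = """\
ws-101\tHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.docx
ws-102\tHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.xlsx
ws-103\tHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
ws-101\tHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePidlMRU
ws-104\tHKEY_CURRENT_USER\\Printers\\Connections\\,,printsrv,HP-Floor2
ws-105\tHKEY_CURRENT_USER\\Printers\\Connections\\,,printsrv,Canon-Lobby
ws-106\tHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Shares
ws-107\tHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit
"""

# Hosts you are willing to stop logging for (assumption for the example).
TRUSTED_HOSTS = {"ws-101", "ws-102", "ws-103", "ws-104", "ws-105", "ws-106"}


def parse_events(text):
    """Parse 'host<TAB>key' lines into (host, key) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, key = line.split("\t", 1)
        events.append((host.strip(), key.strip()))
    return events


def common_prefix(keys):
    """Longest common registry path prefix, cut only at whole path components."""
    split = [k.split("\\") for k in keys]
    prefix = []
    for parts in zip(*split):
        if len(set(parts)) != 1:
            break
        prefix.append(parts[0])
    return "\\".join(prefix)


def propose_rules(events, trusted_hosts, group_depth=2, min_events=2):
    """Return (allow_candidates, review_list).

    Events are grouped by their first `group_depth` path components (hive plus
    top-level key), each group is collapsed to its longest common prefix, and a
    prefix becomes an allow candidate only if it has at least `min_events`
    events and every source host is trusted. Everything else, including
    single-event keys and anything touched by an untrusted host, goes to review.
    Each entry is (prefix, event_count, sorted_hosts).
    """
    groups = defaultdict(list)
    for host, key in events:
        groups["\\".join(key.split("\\")[:group_depth])].append((host, key))

    allow, review = [], []
    for members in groups.values():
        prefix = common_prefix([key for _, key in members])
        hosts = {host for host, _ in members}
        entry = (prefix, len(members), sorted(hosts))
        if len(members) >= min_events and hosts <= trusted_hosts:
            allow.append(entry)
        else:
            review.append(entry)
    # Most frequent prefixes first; these are the ones cutting the most noise.
    allow.sort(key=lambda e: -e[1])
    review.sort(key=lambda e: -e[1])
    return allow, review


if __name__ == "__main__":
    allow, review = propose_rules(parse_events(SAMPLE_EVENTS), TRUSTED_HOSTS)
    print("Allow-without-logging candidates:")
    for prefix, count, hosts in allow:
        print(f"  {count:4d}  {prefix}  <- {', '.join(hosts)}")
    print("Needs manual review:")
    for prefix, count, hosts in review:
        print(f"  {count:4d}  {prefix}  <- {', '.join(hosts)}")
```

On the constructed input this collapses the four Explorer MRU keys to one prefix ending in `...\CurrentVersion\Explorer` and the two printer keys to `HKEY_CURRENT_USER\Printers\Connections`, while the `LanmanServer\Shares` key (only one event) and the `Winlogon\Userinit` key (touched by an untrusted host) stay on the review list. Before turning an allow candidate into a rule, check the prefix against keys you want to keep watching (Run/RunOnce, Winlogon, Services); the longest-common-prefix step can widen a rule past the MRU area if a single unrelated key lands in the same group, so raise `group_depth` for hives like HKEY_LOCAL_MACHINE\SOFTWARE.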