topic Re: Find computers with specific registry key in Cortex XDR Discussions

Find computers with specific registry key

Piotr_Kowalczyk — Tue, 17 Oct 2023 10:44:05 GMT

Hi,

Is it possible to find computers which have specific registry key set to particular value using Cortex XDR? I'm not looking for registry modification just for existence. If so, could you tell me how to do this please?

Re: Find computers with specific registry key

jmazzeo — Tue, 17 Oct 2023 13:53:40 GMT

Hi @Piotr_Kowalczyk , thanks for using the Live Community!

The Cortex XDR Console comes with a script to check the value of a registry entry:

You set the path, and this will return the value, and type.

If you need to receive a "Exists/Non-exists" return answer from a particular key and the value, then a custom script will be the approach to solve it.

Re: Find computers with specific registry key

Piotr_Kowalczyk — Tue, 17 Oct 2023 14:00:34 GMT

Thank you for your reply.

My understanding is that this will require to connect with console to particular machine? If so, unfortunately this is not solution which I'm looking for as I need to find all computers (perhaps a few hundreds) which have particular registry value.

Re: Find computers with specific registry key

jmazzeo — Tue, 17 Oct 2023 14:10:50 GMT

@Piotr_Kowalczyk you don't need to connect to each computer!

The script can be run from Incident Response -> Action Center -> Agent Script Library, then look for the script and select Run.

Then set the registry key.

And define the target, can be many endpoints at the same time. You only need to select the right filter, can be wildcard like when you assign a profile with the policy.

(this example is my test VM, based in my prefix "JM")

Click NEXT, review the settings and click "Run".

You can see the result in the Action Center - All Actions with right-click -> Additional Data.

Re: Find computers with specific registry key

Piotr_Kowalczyk — Tue, 17 Oct 2023 14:45:47 GMT

This is exactly what I was looking for! Thank you!