Registry Integrity Monitoring

Registry Integrity Monitoring (RIM) is a system or process that monitors the Windows registry for changes to keys or values. RIM’s primary purpose is to identify possibly undesirable changes so that system administrators can take an appropriate course of action. RIM can be configured to monitor multiple keys at the same time and generate events if any sub-keys or values have been added, removed, renamed or modified. A change to the type of a value (for example REG_SZ to REG_DWORD) is also detected and reported. Once a RIM event has been sent for a detected change, the changed state becomes the new baseline, so the same change is not reported again. 

RIM configurations can be created, viewed and modified from the Registry Integrity Monitoring section. From this page:

  • Select Add to create a new registry integrity monitor
  • Select Modify to update an existing registry integrity monitor
  • Select Delete to remove an existing configuration

Editing a Registry Integrity Monitor Configuration

The following parameters may be set for each monitor:

  • Schedule. Select how often the registry integrity monitor scans for changes: Midnight, Hourly or Custom. The Custom option takes a cron expression, so knowledge of cron is required. For example,
    15 10 * * * defines a schedule that runs at 10:15am daily
    0 2 * * * defines a schedule that runs at 2am daily
    * * * * * (every field wildcarded) defines a schedule that runs every minute
    @daily defines a schedule that runs daily at midnight
    @hourly defines a schedule that runs every hour on the hour.
  • Severity Level. A severity level may be assigned to RIM events so they can be quickly identified by importance. A level is chosen for each destination format type (Snare, Syslog, CEF or LEEF) using the drop-down lists:
    • Snare - Critical, Priority, Warning, Information, Clear
    • Syslog - Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
    • CEF - 0 to 10, where 0 is least severe and 10 is most severe
    • LEEF - 1 to 10, where 1 is least severe and 10 is most severe.
  • Registry Root Key. The root key (hive) under which the registry key or value to monitor is found:
    • HKEY_CLASSES_ROOT
    • HKEY_CURRENT_USER
    • HKEY_LOCAL_MACHINE
    • HKEY_USERS
    • HKEY_CURRENT_CONFIG

  • Registry Key or Value. A registry path, relative to the root key, to the key or value to monitor. To monitor a key together with all of its sub-keys (recursion), end the path with the * wildcard.
    For example, to match a particular registry value:
       SOFTWARE\Intersect Alliance\AuditService\Objective\Objective1
    For example, to recursively search for matches within sub-keys:
       SOFTWARE\Intersect Alliance\AuditService\*

    Note

    It is not advisable to monitor the entire AuditService registry tree. The Status sub-tree is updated each time the agent sends logs, so monitoring it creates a feedback loop: the agent detects the change and sends a log, which updates Status again, which generates yet another audit event, and so on. Any high-activity registry key can have the same effect, so exclude such keys or monitor a narrower path.

    If there are many keys and/or values to recurse through, the scan may take some time to complete.
  • Inclusion Format. Specifies the value name or pattern to monitor. Wildcards are accepted, e.g. Objective*; to include all values, use a single *.
  • Exclusion Format. Specifies the value name or pattern to exclude from monitoring. Wildcards are accepted, e.g. Objective*.
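
As an added illustration (not code from the Snare agent or Intersect Alliance), the following PowerShell script reproduces the behaviour described above directly against the Windows registry: it takes a recursive snapshot of a key, applies Inclusion/Exclusion wildcards to value names, reports values that were added, removed or modified (including a change of value type), and then adopts the new snapshot as the baseline so that a change is reported only once. The monitored path and the excluded Status sub-tree pattern are assumptions taken from the example paths on this page; run it in an elevated PowerShell session.

```powershell
# Added example, not part of the Snare agent: a minimal RIM-style registry monitor.
# The monitored path and the excluded Status sub-tree are assumptions for illustration.

function Get-RegistrySnapshot {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. 'HKLM:\SOFTWARE\Intersect Alliance\AuditService'
        [switch] $Recurse,                        # equivalent of the trailing \* in the Registry Key field
        [string] $Include = '*',                  # Inclusion Format: wildcard on the value name
        [string[]] $Exclude = @()                 # Exclusion Format: wildcards on value name or full key path
    )
    $snapshot = @{}
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
    if ($Recurse) {
        $keys += Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue
    }
    foreach ($key in $keys) {
        $keyPath = $key.Name   # full name, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...
        # Skip whole sub-trees that match an exclusion (this is what breaks the Status feedback loop)
        if ($Exclude | Where-Object { $keyPath -like $_ }) { continue }
        foreach ($name in $key.GetValueNames()) {
            $display = if ($name -eq '') { '(Default)' } else { $name }
            if ($display -notlike $Include) { continue }
            if ($Exclude | Where-Object { $display -like $_ }) { continue }
            # Record both the type and the data so a type change alone is still detected
            $snapshot["$keyPath\$display"] = [pscustomobject]@{
                Type = $key.GetValueKind($name).ToString()
                Data = ($key.GetValue($name, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames) -join ',')
            }
        }
    }
    return $snapshot
}

function Compare-RegistrySnapshot {
    param([hashtable] $Baseline, [hashtable] $Current)
    $events = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $events += [pscustomobject]@{ Change = 'Added'; Value = $k; Type = $Current[$k].Type; Data = $Current[$k].Data }
        } elseif ($Baseline[$k].Type -ne $Current[$k].Type) {
            $events += [pscustomobject]@{ Change = 'TypeChanged'; Value = $k;
                                          Type = "$($Baseline[$k].Type) -> $($Current[$k].Type)"; Data = $Current[$k].Data }
        } elseif ($Baseline[$k].Data -ne $Current[$k].Data) {
            $events += [pscustomobject]@{ Change = 'Modified'; Value = $k; Type = $Current[$k].Type; Data = $Current[$k].Data }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $events += [pscustomobject]@{ Change = 'Removed'; Value = $k; Type = $Baseline[$k].Type; Data = $Baseline[$k].Data }
        }
    }
    return $events
}

# Usage: monitor the agent's own tree recursively but exclude its Status sub-tree, which the agent
# rewrites every time it sends a log and which would otherwise feed back into the monitor.
$monitorPath = 'HKLM:\SOFTWARE\Intersect Alliance\AuditService'   # assumed path, as in the page's example
$exclude     = @('HKEY_LOCAL_MACHINE\SOFTWARE\Intersect Alliance\AuditService\Status*')

$baseline = Get-RegistrySnapshot -Path $monitorPath -Recurse -Include '*' -Exclude $exclude
while ($true) {                                   # Ctrl+C to stop
    Start-Sleep -Seconds 60                       # stands in for the cron schedule
    $current = Get-RegistrySnapshot -Path $monitorPath -Recurse -Include '*' -Exclude $exclude
    Compare-RegistrySnapshot -Baseline $baseline -Current $current |
        ForEach-Object { Write-Output ("RIM {0}: {1} [{2}] = {3}" -f $_.Change, $_.Value, $_.Type, $_.Data) }
    $baseline = $current                          # re-baseline so each change is reported once
}
```

Two design points worth noting. A renamed value has no identity in the registry, so it surfaces as a Removed event plus an Added event, which is also how a baseline-diff monitor like RIM must see it. The exclusion of the Status sub-tree is what prevents the loop described in the note above: without it, each change report would itself change the tree being monitored.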


To save the above settings and ensure the agent receives the new configuration, perform the following:
  1. Click Change Configuration to save the changes to the registry and return to the Registry Integrity Monitor Configuration main page, which summarises the registry keys/values to be monitored.
  2. Click the Apply Configuration & Restart Service menu item.

To review registry integrity monitoring events, click the Latest Events menu item and select the Registry Integrity button. This restricts the display of latest events to RIM events only. Note that no events are generated unless a valid destination is configured to which they can be sent.

Note

As of version 5.2, there is no Group Policy functionality for RIM.