Hi,
The rule below was enabled after the IBM content pack extension was installed.
Potential COM Hijacking containing Hive Registry Was Reorganized
I was not able to find the exact steps in the analysis or investigation to find the root cause.
Sample log:
<13>Dec 20 19:12:49 SAMOBQA123 AgentDevice=WindowsLog AgentLogFile=System PluginVersion=7.2.9.72 Source=Microsoft-Windows-Kernel-General Computer=SAMOBQA123.<companyname>.com OriginatingComputer=10.x.x.x User=SYSTEM Domain=NT AUTHORITY EventID=15 EventIDCode=15 EventType=4 EventCategory=0 RecordNumber=221214 TimeGenerated=1671543717 TimeWritten=1671543717 Level=Informational Keywords=0x8000000000000000 Task=None Opcode=Info Message=Hive \SystemRoot\System32\Config\SOFTWARE was reorganized with a starting size of 101601280 bytes and an ending size of 101294080 bytes.
If any of you know how to handle this offense, please share your guidance.
Thanks in advance.
------------------------------
Arunkumar R
------------------------------
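As an added example (not from the post or from the IBM content pack), the Python below parses the WinCollect-style key=value line quoted above and pulls out the fields an investigator would record for this offense: the source, event ID, host, hive path and the size change stated in the Kernel-General Event ID 15 message. SAMPLE_LOG is a constructed copy of the sample line, with the IP and domain left anonymized as in the post.

```python
import re
from typing import Dict, Optional

# Constructed copy of the sample line from the post (not a live capture).
SAMPLE_LOG = (
    "<13>Dec 20 19:12:49 SAMOBQA123 AgentDevice=WindowsLog AgentLogFile=System "
    "PluginVersion=7.2.9.72 Source=Microsoft-Windows-Kernel-General "
    "Computer=SAMOBQA123.<companyname>.com OriginatingComputer=10.x.x.x User=SYSTEM "
    "Domain=NT AUTHORITY EventID=15 EventIDCode=15 EventType=4 EventCategory=0 "
    "RecordNumber=221214 TimeGenerated=1671543717 TimeWritten=1671543717 "
    "Level=Informational Keywords=0x8000000000000000 Task=None Opcode=Info "
    "Message=Hive \\SystemRoot\\System32\\Config\\SOFTWARE was reorganized with a "
    "starting size of 101601280 bytes and an ending size of 101294080 bytes."
)

# Syslog header: <PRI>Mon DD HH:MM:SS host ...
HEADER_RE = re.compile(r"^<(\d+)>(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s")
# key=value pairs; a value runs until the next ' Key=' token or end of line,
# so values with spaces (Domain=NT AUTHORITY, Message=...) stay intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Message text of the Kernel-General Event ID 15 hive reorganization event.
REORG_RE = re.compile(
    r"Hive (?P<hive>\S+) was reorganized with a starting size of (?P<start>\d+) "
    r"bytes and an ending size of (?P<end>\d+) bytes"
)


def parse_wincollect_line(line: str) -> Dict[str, str]:
    """Split the line into its key=value fields plus the syslog header parts."""
    fields: Dict[str, str] = {}
    header = HEADER_RE.match(line)
    if header:
        fields["_pri"], fields["_timestamp"], fields["_host"] = header.groups()
    for key, value in KV_RE.findall(line):
        fields[key] = value.strip()
    return fields


def hive_reorg_details(fields: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return host, hive and size change for a Kernel-General Event ID 15
    'Hive ... was reorganized' event; None for any other event."""
    if fields.get("Source") != "Microsoft-Windows-Kernel-General":
        return None
    if fields.get("EventID") != "15":
        return None
    m = REORG_RE.search(fields.get("Message", ""))
    if not m:
        return None
    start, end = int(m["start"]), int(m["end"])
    return {"host": fields.get("Computer"), "hive": m["hive"],
            "start_bytes": start, "end_bytes": end,
            "delta_bytes": end - start}  # negative when the hive shrank
```

Running `hive_reorg_details(parse_wincollect_line(SAMPLE_LOG))` on the sample yields the SOFTWARE hive shrinking by 307200 bytes on SAMOBQA123; any other event ID or source returns None, so the same check can be run over a batch of exported lines to separate these events from the rest.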