Question Analysis

DeviceRegistryEvents | where RegistryKey endswith @"\Microsoft\Windows\CurrentVersion\Run" | where RegistryValueName == "SecurityHealth" | where ActionType == "RegistryValueSet" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessTokenElevation, RegistryKey, RegistryValueName, RegistryValueData | order by TimeGenerated desc

DeviceRegistryEvents | where RegistryKey has_any ("Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run") | where RegistryValueName == "SecurityHealth" | project TimeGenerated, DeviceName, RegistryValueData | order by TimeGenerated desc | take 1

DeviceRegistryEvents | where RegistryKey contains "Run" and RegistryValueName == "SecurityHealth" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, ActionType

DeviceRegistryEvents | where RegistryKey has "Software\\Microsoft\\Windows\\CurrentVersion\\Run" | where RegistryValueName == "SecurityHealth" | where ActionType startswith "Registry" | extend NewProgram = extract(@"[^\\]+$", 0, RegistryValueData) // Extracts the executable name from the end of the path | project Timestamp, RegistryKey, RegistryValueName, RegistryValueData, NewProgram, InitiatingProcessFileName | order by Timestamp desc

DeviceRegistryEvents | where RegistryKey endswith "Microsoft\\Windows\\CurrentVersion\\Run" | where ActionType in ("RegistryValueSet", "RegistryValueModified", "RegistryValueNameSet", "RegistryValueNameModified") | where RegistryValueName has "SecurityHealth" | order by TimeGenerated desc | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessTokenElevation

DeviceRegistryEvents | where ActionType in ("RegistryValueSet", "RegistryValueModified") | where RegistryKey has "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" and RegistryValueName == "SecurityHealth" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceRegistryEvents | where RegistryKey has "Run" | where RegistryValueName == "SecurityHealth" | where ActionType contains "Set" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | sort by TimeGenerated desc | extend NewProgram = tostring(split(RegistryValueData, "\\")[-1]) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RegistryKey, NewProgram