Question Analysis

DeviceRegistryEvents | where ActionType == 'RegistryValueSet' | where RegistryValueName == 'ProxyServer' | where RegistryKey contains @'Software\Microsoft\Windows\CurrentVersion\Internet Settings' | project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData

DeviceRegistryEvents | where ActionType == 'RegistryValueSet' | where RegistryKey contains 'Internet Settings' and RegistryValueName == 'ProxyServer' | project DeviceId, DeviceName, TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData

DeviceRegistryEvents | where RegistryKey contains "Internet Settings" and RegistryValueName == "ProxyServer" | project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData

DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where RegistryValueName =~ "ProxyServer" | where tolower(RegistryKey) has "\\software\\microsoft\\windows\\currentversion\\internet settings" | where tolower(RegistryKey) has_any ("hkey_users\\", "hku\\", "hkey_current_user\\", "hkcu\\") // keep only newly set/changed values | where isnull(PreviousRegistryValueData) or tostring(RegistryValueData) != tostring(PreviousRegistryValueData) | extend UserSid = extract(@'^(?:hkey_users\\|hku\\)(S-[0-9\-]+)\\', 1, tolower(RegistryKey)) | extend ProxyServer = tostring(RegistryValueData) // show the latest set per device/key in the selected time range | summarize arg_max(TimeGenerated, *) by DeviceId, RegistryKey | project TimeGenerated, DeviceName, DeviceId, UserSid, ProxyServer, RegistryKey, PreviousRegistryValueData, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceRegistryEvents | where isnotempty(RegistryValueName) | where tolower(RegistryValueName) == "proxyserver" | where RegistryKey has "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" or RegistryKey has "Internet Settings" | where ActionType in ("RegistryValueSet", "SetValue", "Modifed", "RegSetValue", "Registry value set", "Value Set", "Set") or ActionType has "Set" or ActionType has "Write" or ActionType has "Create" | project TimeGenerated, DeviceName, DeviceId, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, RegistryValueType, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime | extend ProxyServer = tostring(RegistryValueData) | extend PreviousProxy = tostring(PreviousRegistryValueData) | summarize arg_max(TimeGenerated, *) by DeviceId, AccountName, RegistryKey, ProxyServer | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, RegistryKey, ProxyServer, PreviousProxy, RegistryValueType, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime | order by TimeGenerated desc | take 100

DeviceRegistryEvents | where RegistryValueName == "ProxyServer" | where RegistryKey contains "Internet Settings" | where ActionType in ("SetValue","RegistryValueSet","WriteValue","CreateValue") | sort by TimeGenerated desc | summarize arg_max(TimeGenerated, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCreationTime) by DeviceId, DeviceName, RegistryKey, RegistryValueName | project TimeGenerated, DeviceId, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCreationTime

DeviceRegistryEvents | where ActionType has "RegistryValueSet" | where RegistryKey has "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" | where RegistryValueName == "ProxyServer" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData | order by Timestamp desc

DeviceRegistryEvents | where ActionType == "RegistryValueSet" or ActionType == "RegistryValueModified" | where RegistryValueName == "ProxyServer" | where RegistryKey has_any ("HKEY_USERS", "HKEY_CURRENT_USER", "HKCU", "HKU") | where RegistryKey has "Internet Settings" | project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ActionType, RegistryKey, RegistryValueName, RegistryValueData | order by TimeGenerated desc

DeviceRegistryEvents | where ActionType in ("RegistryValueSet", "RegistryValueCreated") | where RegistryKey has "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" | where RegistryValueName == "ProxyServer" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryValueData | order by TimeGenerated desc

DeviceRegistryEvents | where RegistryValueName =~ "ProxyServer" | where RegistryKey has "Internet Settings" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessAccountName, ActionType | order by TimeGenerated desc

DeviceRegistryEvents | where RegistryKey contains "Internet Settings" | where RegistryValueName =~ "ProxyServer" | where ActionType in ("SetValue", "RegValueSet", "RegistryValueSet") | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData | order by TimeGenerated desc

DeviceRegistryEvents | where RegistryKey has @"\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | where RegistryValueName == "ProxyServer" | where ActionType == "RegistryValueSet" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, ProxyServer = RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine | sort by TimeGenerated desc

DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where RegistryKey has "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" | where RegistryValueName == "ProxyServer" // Only show new or changed values | where isnull(PreviousRegistryValueData) or PreviousRegistryValueData != RegistryValueData | project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueData | sort by TimeGenerated desc