2017-09-10 10:31 AM
Hi All,
Can RSA SA monitor Windows registry changes?
2017-09-10 11:46 PM
Hi Isaac,
Yes, if the Audit Registry policy is enabled on your Windows device.
The RSA parser has the Audit Registry event ID for parsing those logs, which helps with monitoring.
cat /etc/netwitness/ng/envision/etc/devices/winevent_snare/v20_winevent_snaremsg.xml |grep -i 4657
id1="System_4657_System"
id2="System_4657_System"
id1="Security_4657_Microsoft-Windows-Security-Auditing"
id2="Security_4657_Microsoft-Windows-Security-Auditing"