I have a detection rule, "Registry Key Value", that is looking for:
Registry Key Path: HKEY_CURRENT_USER\Software\Meditech\Wrkstn\MEDITECH_A
Registry entry: I
Registry Value: MEDITECH_A.chchealth.net
I also have the policy set to run as the current logged-on user.
One user does have this reg entry, but when logged in as users who don't, the detection rule still comes back with a success and the policy does not run. Any idea why? It seems like it's still searching the entire hive instead of just the current user.