Windows Event Log Clearing Events
Description
This use case looks for Windows event codes that indicate the Windows Audit Logs were tampered with.
How to Implement
To run this search, you need to be logging Windows event logs from your Windows systems.
Known False Positives
None at the moment.
How To Respond
When this search fires, verify with the owner of the account that cleared the Windows logs that it was a legitimate action on their part. Also analyze the parent process of wevtutil and verify its activities.
SPL for Windows Event Log Clearing Events
Demo Data
First we load our basic demo data.
Next we filter for the Event Codes that indicate the Windows event log is being cleared. You can see there are a few possibilities.
Finally, because we respect analysts, we put it in a nice easy-to-consume table.
Live Data
First we load our Windows Event Log data and filter for the Event Codes that indicate the Windows event log is being cleared. You can see there are a few possibilities.
Then, because we respect analysts, we put it in a nice easy-to-consume table.
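The same filter-then-table logic as an added example outside Splunk (this is not the Splunk Security Essentials search or its SPL): it runs over constructed WinEventLog-style records, keeps the event codes Windows emits when a log is cleared, and renders the analyst table. The record layout and the field names (`EventCode`, `LogName`, `user`, `host`) are assumptions that mirror Splunk's WinEventLog fields.

```python
"""Flag Windows event log clearing events in sample WinEventLog-style records.

Added example, not the Splunk Security Essentials search itself. The event
codes are the standard Windows IDs for a cleared log; the record layout and
field names are assumptions that mirror Splunk's WinEventLog fields.
"""

# Event IDs a cleared Windows log produces (the "few possibilities"):
#   1102 - Security log cleared (Microsoft-Windows-Eventlog, Security channel)
#    104 - System/Application log cleared (Microsoft-Windows-Eventlog, System channel)
LOG_CLEAR_EVENT_CODES = {
    1102: "Security log cleared",
    104: "System/Application log cleared",
}

# Constructed sample records (not real telemetry): a logon, two clears on one
# workstation, a clear on a domain controller, and an unrelated process event.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T08:14:02Z", "host": "WKS-0042", "EventCode": 4624, "LogName": "Security", "user": "CORP\\jdoe"},
    {"_time": "2024-03-01T08:15:33Z", "host": "WKS-0042", "EventCode": 1102, "LogName": "Security", "user": "CORP\\jdoe"},
    {"_time": "2024-03-01T08:15:34Z", "host": "WKS-0042", "EventCode": 104, "LogName": "System", "user": "CORP\\jdoe"},
    {"_time": "2024-03-01T09:01:10Z", "host": "SRV-DC01", "EventCode": 104, "LogName": "System", "user": "SYSTEM"},
    {"_time": "2024-03-01T09:05:00Z", "host": "SRV-DC01", "EventCode": 4688, "LogName": "Security", "user": "SYSTEM"},
]


def find_log_clearing(events):
    """Filter step: return one row per event whose code means a log was cleared."""
    rows = []
    for e in events:
        code = int(e.get("EventCode", 0))
        if code in LOG_CLEAR_EVENT_CODES:
            rows.append({"_time": e["_time"], "host": e["host"], "user": e.get("user", "unknown"),
                         "EventCode": code, "LogName": e.get("LogName", ""),
                         "description": LOG_CLEAR_EVENT_CODES[code]})
    return rows


def summarize_by_host(rows):
    """Count clearing events per host; several logs cleared back-to-back on one host stands out."""
    counts = {}
    for r in rows:
        counts[r["host"]] = counts.get(r["host"], 0) + 1
    return counts


def render_table(rows):
    """Table step: render the rows as the easy-to-consume table an analyst expects."""
    cols = ["_time", "host", "user", "EventCode", "LogName", "description"]
    widths = {c: max(len(c), *(len(str(r[c])) for r in rows)) for c in cols}
    lines = [" | ".join(c.ljust(widths[c]) for c in cols)]
    lines += [" | ".join(str(r[c]).ljust(widths[c]) for c in cols) for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(find_log_clearing(SAMPLE_EVENTS)))
```

The `user` and `host` columns are what the response step needs: they identify whose action to confirm and where to pull the wevtutil parent-process context from.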