Query Details

Detecting Windows Security Event Logs Cleaned

Query

DeviceEvents
| where ActionType has "SecurityLogCleared"

About this query

Detecting Windows Security Event Logs Cleaned

Description: This KQL query below will help you detect cases where Windows Security Event Logs, has been removed directly using Event Viewer. Among the potential mitigations and associated threats, we have:

š“š”š«šžššš­ š¦š¢š­š¢š ššš­š¢šØš§š¬: – Restrict access to Device Logs – Audit access to Device Logs – Backup Device Logs

š“š”š«šžššš­š¬ ššš¬š¬šØšœš¢ššš­šžš: – Lost of non-reputation evidence – Lack of visibility over malicious activities – Regulatory Non-Compliance

Explanation

This KQL query is designed to identify instances where the Windows Security Event Logs have been cleared using the Event Viewer. It focuses on detecting a specific action, "SecurityLogCleared," within device events.

In simple terms, the query helps you find out if someone has deleted the security logs on a Windows system, which could be an indication of malicious activity or an attempt to cover up unauthorized actions.

To mitigate such threats, it's recommended to:

  • Limit who can access device logs.
  • Keep track of who accesses these logs.
  • Regularly back up the logs to prevent data loss.

The associated risks of not addressing this issue include:

  • Losing important evidence that could prove or disprove certain actions.
  • Missing out on detecting harmful activities.
  • Failing to comply with regulations that require log retention.

Details

Sergio Albea profile picture

Sergio Albea

Released: January 20, 2025

Tables

DeviceEvents

Keywords

DeviceEventsSecurityLogs

Operators

DeviceEvents|wherehas

Actions

GitHub