Query Details

Detecting Windows Security Event Logs Cleaned

Query

**Detecting Windows Security Event Logs Cleaned**

**Description:** The KQL query below helps you detect cases where the Windows Security Event Log has been cleared directly using Event Viewer.
The potential mitigations and the associated threats are:

š“š”š«šžššš­ š¦š¢š­š¢š ššš­š¢šØš§š¬:
– Restrict access to Device Logs
– Audit access to Device Logs
– Backup Device Logs

š“š”š«šžššš­š¬ ššš¬š¬šØšœš¢ššš­šžš:
– Lost of non-reputation evidence
– Lack of visibility over malicious activities
– Regulatory Non-Compliance

```kql
// Rows where the device recorded the Windows Security event log being cleared
DeviceEvents
| where ActionType has "SecurityLogCleared"
```

Explanation

This KQL query is designed to identify instances where the Windows Security Event Logs have been cleared using the Event Viewer. It focuses on detecting a specific action, "SecurityLogCleared," within device events.

In simple terms, the query helps you find out if someone has deleted the security logs on a Windows system, which could be an indication of malicious activity or an attempt to cover up unauthorized actions.
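As an added example (not part of the original query page), the following Python code re-implements the detection over constructed DeviceEvents-style rows; it approximates KQL's whole-term `has` semantics, which is why a case variant of the action type matches while a longer action name that merely contains the string does not. The column names follow the DeviceEvents schema; the rows themselves are constructed sample data.

```python
import re

# Constructed sample rows shaped like the DeviceEvents table (not real telemetry).
SAMPLE_DEVICE_EVENTS = [
    {"Timestamp": "2025-01-20T10:01:00Z", "DeviceName": "ws01", "ActionType": "SecurityLogCleared",
     "InitiatingProcessAccountName": "jdoe", "InitiatingProcessFileName": "mmc.exe"},
    {"Timestamp": "2025-01-20T10:02:00Z", "DeviceName": "ws01", "ActionType": "PowerShellCommand",
     "InitiatingProcessAccountName": "jdoe", "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2025-01-20T11:15:00Z", "DeviceName": "srv02", "ActionType": "securitylogcleared",
     "InitiatingProcessAccountName": "svc_backup", "InitiatingProcessFileName": "mmc.exe"},
    {"Timestamp": "2025-01-20T11:16:00Z", "DeviceName": "srv02", "ActionType": "OtherLogCleared",
     "InitiatingProcessAccountName": "svc_backup", "InitiatingProcessFileName": "mmc.exe"},
]

_TERM_RE = re.compile(r"[A-Za-z0-9]+")  # a KQL "term" is a run of alphanumeric characters


def kql_has(value: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match against whole terms only.

    Unlike `contains`, a value such as "SecurityLogClearedByScript" does NOT match
    the term "SecurityLogCleared", because the term is only part of a larger word.
    """
    wanted = term.lower()
    return any(t.lower() == wanted for t in _TERM_RE.findall(value))


def detect_security_log_cleared(rows):
    """Python equivalent of: DeviceEvents | where ActionType has "SecurityLogCleared"."""
    return [r for r in rows if kql_has(r.get("ActionType", ""), "SecurityLogCleared")]


def summarize_by_device(rows):
    """Group hits per device with the accounts that initiated the clearing, for triage."""
    summary = {}
    for r in detect_security_log_cleared(rows):
        entry = summary.setdefault(r["DeviceName"], {"count": 0, "accounts": set()})
        entry["count"] += 1
        entry["accounts"].add(r["InitiatingProcessAccountName"])
    return summary


if __name__ == "__main__":
    for device, info in summarize_by_device(SAMPLE_DEVICE_EVENTS).items():
        print(f"{device}: {info['count']} log-clearing event(s) by {sorted(info['accounts'])}")
```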

To mitigate such threats, it's recommended to:

  • Limit who can access device logs.
  • Keep track of who accesses these logs.
  • Regularly back up the logs to prevent data loss.

The associated risks of not addressing this issue include:

  • Losing important evidence that could prove or disprove certain actions.
  • Missing out on detecting harmful activities.
  • Failing to comply with regulations that require log retention.

Details

Sergio Albea

Released: January 20, 2025

Tables

DeviceEvents

Keywords

DeviceEvents, SecurityLogs

Operators

DeviceEvents, |, where, has