Detecting Windows Security Event Logs Cleaned
Query
DeviceEvents
| where ActionType has "SecurityLogCleared"About this query
Detecting Windows Security Event Logs Cleaned
Description: This KQL query below will help you detect cases where Windows Security Event Logs, has been removed directly using Event Viewer. Among the potential mitigations and associated threats, we have:
šš”š«ššš š¦š¢šš¢š ššš¢šØš§š¬: ā Restrict access to Device Logs ā Audit access to Device Logs ā Backup Device Logs
šš”š«šššš¬ šš¬š¬šØšš¢šššš: ā Lost of non-reputation evidence ā Lack of visibility over malicious activities ā Regulatory Non-Compliance
Explanation
This KQL query is designed to identify instances where the Windows Security Event Logs have been cleared using the Event Viewer. It focuses on detecting a specific action, "SecurityLogCleared," within device events.
In simple terms, the query helps you find out if someone has deleted the security logs on a Windows system, which could be an indication of malicious activity or an attempt to cover up unauthorized actions.
To mitigate such threats, it's recommended to:
- Limit who can access device logs.
- Keep track of who accesses these logs.
- Regularly back up the logs to prevent data loss.
The associated risks of not addressing this issue include:
- Losing important evidence that could prove or disprove certain actions.
- Missing out on detecting harmful activities.
- Failing to comply with regulations that require log retention.
Details

Sergio Albea
Released: January 20, 2025
Tables
Keywords
Operators