Query Details

Device Detect Security Log Cleared

Query

//Detect when a user clears the security event log on one of your devices

//Data connector required for this query - M365 Defender - Device* tables

DeviceEvents
| where ActionType == "SecurityLogCleared"
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountDomain,
    InitiatingProcessAccountName

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceEvents
| where ActionType == "SecurityLogCleared"
| project
    Timestamp,
    DeviceName,
    InitiatingProcessAccountDomain,
    InitiatingProcessAccountName

Explanation

This query detects when a user clears the security event log on one of your devices. It requires a data connector: either the M365 Defender connector (Device* tables in Sentinel) or an Advanced Hunting license. The query filters the DeviceEvents table for events where the ActionType is "SecurityLogCleared" and then projects the time column (TimeGenerated in Sentinel, Timestamp in Advanced Hunting), DeviceName, InitiatingProcessAccountDomain, and InitiatingProcessAccountName.
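The following Python is an added example, not part of the original query page: it runs the same detection logic over a handful of constructed DeviceEvents records so the two schemas can be compared side by side. It assumes nothing beyond the column names the page lists; the sample records, device names and account names are invented for illustration. The example goes slightly beyond the page's query by normalising the Sentinel (TimeGenerated) and Advanced Hunting (Timestamp) time columns into one field and by counting hits per initiating account, which is how an analyst would typically triage the output.

```python
"""Run the SecurityLogCleared detection over sample DeviceEvents records.

Added example, not code from the original page. All records below are
constructed; only the column names come from the page's KQL queries.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records. The first three mimic the Sentinel table
# (TimeGenerated); the last two mimic Advanced Hunting (Timestamp).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2022-06-20T08:15:02Z", "DeviceName": "ws01.example.local",
     "ActionType": "SecurityLogCleared",
     "InitiatingProcessAccountDomain": "EXAMPLE",
     "InitiatingProcessAccountName": "jdoe"},
    {"TimeGenerated": "2022-06-20T08:16:10Z", "DeviceName": "ws01.example.local",
     "ActionType": "ProcessCreated",
     "InitiatingProcessAccountDomain": "EXAMPLE",
     "InitiatingProcessAccountName": "jdoe"},
    {"TimeGenerated": "2022-06-20T08:20:44Z", "DeviceName": "ws01.example.local",
     "ActionType": "SecurityLogCleared",
     "InitiatingProcessAccountDomain": "EXAMPLE",
     "InitiatingProcessAccountName": "jdoe"},
    {"Timestamp": "2022-06-20T09:30:45Z", "DeviceName": "srv02.example.local",
     "ActionType": "SecurityLogCleared",
     "InitiatingProcessAccountDomain": "NT AUTHORITY",
     "InitiatingProcessAccountName": "SYSTEM"},
    {"Timestamp": "2022-06-20T09:31:00Z", "DeviceName": "srv02.example.local",
     "ActionType": "AntivirusScanCompleted",
     "InitiatingProcessAccountDomain": "NT AUTHORITY",
     "InitiatingProcessAccountName": "SYSTEM"},
]

PROJECTED = ("DeviceName", "InitiatingProcessAccountDomain",
             "InitiatingProcessAccountName")


def event_time(event):
    """Normalise the two schemas into one timezone-aware datetime.

    Sentinel's DeviceEvents table exposes TimeGenerated; Advanced Hunting
    exposes Timestamp. A record with neither is malformed and is rejected.
    """
    raw = event.get("TimeGenerated") or event.get("Timestamp")
    if raw is None:
        raise KeyError("event has neither TimeGenerated nor Timestamp")
    # str.replace keeps this working on Python < 3.11, which does not
    # accept a trailing 'Z' in fromisoformat.
    return datetime.fromisoformat(raw.replace("Z", "+00:00")).astimezone(timezone.utc)


def detect_security_log_cleared(events, lookback_hours=None, now=None):
    """Equivalent of: DeviceEvents | where ActionType == "SecurityLogCleared" | project ...

    lookback_hours (hypothetical parameter, not in the page's query) limits
    results to a window ending at `now`, as an analytics rule would.
    """
    hits = []
    for e in events:
        if e.get("ActionType") != "SecurityLogCleared":
            continue
        when = event_time(e)
        if lookback_hours is not None:
            ref = now or datetime.now(timezone.utc)
            if (ref - when).total_seconds() > lookback_hours * 3600:
                continue
        row = {"Time": when}
        row.update({k: e.get(k) for k in PROJECTED})
        hits.append(row)
    return sorted(hits, key=lambda r: r["Time"])


def count_by_account(hits):
    """Count hits per (domain, account) so repeat clears on one identity stand out."""
    return Counter((h["InitiatingProcessAccountDomain"],
                    h["InitiatingProcessAccountName"]) for h in hits)


if __name__ == "__main__":
    for row in detect_security_log_cleared(SAMPLE_EVENTS):
        print(row["Time"].isoformat(), row["DeviceName"],
              f'{row["InitiatingProcessAccountDomain"]}\\{row["InitiatingProcessAccountName"]}')
    print(dict(count_by_account(detect_security_log_cleared(SAMPLE_EVENTS))))
```

The output mirrors the KQL `project` clause, with the time column unified so the same downstream code can consume either connector's results.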

Details

Matt Zorich

Released: June 20, 2022

Tables

DeviceEvents

Keywords

DeviceEvents, ActionType, SecurityLogCleared, TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, Timestamp

Operators

where, ==, project