Query Details

Security Log Cleared

Query

DeviceEvents
| where ActionType == 'SecurityLogCleared'
| project Timestamp, DeviceName, ActionType

About this query

Security Log Cleared

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1070.001Indicator Removal: Clear Windows Event Logshttps://attack.mitre.org/techniques/T1070/001/

Description

An attacker might delete the Security Log to hide the malicious activities. This rule only triggers on the deletion of the Security Events, however adversaries may also delete application, setup and system logs. The Windows Event log can become full, clearing the eventlog causes this rule to be triggered.

Risk

An actor removes the security log to hide malicious activities.

References

Defender XDR

Sentinel

DeviceEvents
| where ActionType == 'SecurityLogCleared'
| project Timestamp, DeviceName, ActionType

Explanation

This query is designed to detect when the security log on a Windows device is cleared. Clearing the security log can be a tactic used by attackers to hide their tracks and erase evidence of malicious activities. The query specifically looks for events where the action type is 'SecurityLogCleared' and retrieves the timestamp, device name, and action type of such events. This is important for identifying potential security incidents where an attacker might be trying to cover their tracks by deleting logs. The query is applicable in both Defender XDR and Sentinel environments.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceEvents

Keywords

DeviceEventsTimestampDeviceNameActionType

Operators

where==project

MITRE Techniques

Actions

GitHub