Clearing audit logs from Domain Controller

Question

Hi there,&nbsp;Clearing the event logs from the Domain Controller or workstation could be a sign of malicious behavior.Does Microsoft ATA currently alert on this?&nbsp;

eliofek · Answer

Deleted&nbsp;, No, there is no detection for this.
Tali Ash&nbsp;, did we ever consider this?

deleted · Answer

EliOfek&nbsp;If you consider adding it to ATA. You might add Event 1100 to it as well.This event shows up when someone shuts down the event logs.

tali ash · Answer

Thanks&nbsp;Deleted&nbsp;, we will look into it, currently are not planning at add such detection.
&nbsp;
Thanks,
Tali

mark lewis · Answer

I think this should be triggered from the SIEM. Especially if you're collecting logs from all servers in to the one source. AATP/ATP would only trigger this from a DC, but your SIEM would trigger it from anywhere that is sending the logs.

Forum Discussion

Clearing audit logs from Domain Controller

4 Replies

Resources