AnalystGuy
Nov 02, 2020 · Copper Contributor
Detection for clearing the security log
In various publicly shared Defender ATP queries (like one in this Microsoft posting), the detection looks for the act of clearing the security event log this way:
DeviceAlertEvents
// Attempts to clear security event logs.
| where Title in("Event log was cleared",
<this is just an excerpt so ignore the lack of closure here>
But based on my testing, the act of clearing the security log does not generate something classified under "DeviceAlertEvents". Instead, I had to use DeviceEvents and filter for the ActionType "securitylogcleared".
While I'm glad that I could figure this out and create my own detection, I'm wondering: was there a schema change I missed? Or something I didn't configure correctly? I'm just concerned that a lot of community-shared detections are not written properly, and some I've already implemented I need to go back and update.
Edited to add: So using DeviceEvents worked for one machine (Windows 10, Build 19041.572), but did not for another, even after bringing it to the same build level. We clear the security event log, but it's not showing up in the timeline *at all*. I can see the mmc being loaded and I even see the screenshot of the event log, but no event in the timeline for clearing it. What's driving this??
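The following is an added advanced hunting example written to illustrate the DeviceEvents-based approach the post describes; it is not code from the original post or from the Microsoft posting it refers to. It assumes the ActionType value is spelled "SecurityLogCleared" (the post quotes it in lowercase, so the comparison below is made case-insensitive with =~), and the 7-day window and the projected columns are choices made here for illustration. The first query is the detection; the second is a schema check that lists the event-log-related ActionType values actually present in a tenant, which is the quickest way to confirm whether the field name or value has changed rather than guessing.

```kql
// Added example, not from the original post.
// Query 1: detection for clearing the Security log via DeviceEvents.
// Assumption: the advanced hunting ActionType value is "SecurityLogCleared";
// =~ keeps the match case-insensitive in case of spelling differences.
// Timestamp, DeviceId and ReportId are projected because a custom detection
// rule requires those three columns to be present in the result set.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType =~ "SecurityLogCleared"
| project Timestamp, DeviceId, DeviceName, ReportId, ActionType,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName
| order by Timestamp desc

// Query 2 (run separately): schema check. Lists which log-related ActionType
// values the tenant is actually reporting, so a renamed value shows up here
// instead of silently producing zero results in Query 1.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType has "Log" or ActionType has "Event"
| summarize Count = count(), LastSeen = max(Timestamp) by ActionType
| order by Count desc
```

One check worth making on a machine where Query 1 returns nothing: clearing the Security log writes Windows Security event ID 1102 ("The audit log was cleared") to the Security log itself. If that event is absent locally after the clear, the sensor had nothing to forward and the gap is on the endpoint side rather than in the query; if it is present locally but never appears in DeviceEvents, the problem is between the sensor and the portal.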