Clearing audit logs from Domain Controller

Deleted
Not applicable

Hi there,

 

Clearing the event logs from the Domain Controller or workstation could be a sign of malicious behavior.

Does Microsoft ATA currently alert on this?

 

event-1102.png

4 Replies

@Deleted , No, there is no detection for this.

@Tali Ash , did we ever consider this?

@EliOfek 

If you consider adding it to ATA. You might add Event 1100 to it as well.

This event shows up when someone shuts down the event logs.

Thanks @Deleted , we will look into it, currently are not planning at add such detection.

 

Thanks,

Tali

I think this should be triggered from the SIEM. Especially if you're collecting logs from all servers in to the one source. AATP/ATP would only trigger this from a DC, but your SIEM would trigger it from anywhere that is sending the logs.