Microsoft Tech Community

Clearing audit logs from Domain Controller


Hi there,


Clearing the event logs from the Domain Controller or workstation could be a sign of malicious behavior.

Does Microsoft ATA currently alert on this?



4 Replies

@Deleted , No, there is no detection for this.

@Tali Ash , did we ever consider this?


If you consider adding it to ATA, you might add Event 1100 to it as well.

This event shows up when someone shuts down the event logs.

Thanks @Deleted , we will look into it; currently we are not planning to add such a detection.




I think this should be triggered from the SIEM, especially if you're collecting logs from all servers into one source. AATP/ATP would only trigger this from a DC, but your SIEM would trigger it from anywhere that is sending the logs.
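As an added example that is not part of this thread or of any Microsoft product: a minimal SIEM-side rule in Python, run over constructed sample records, that flags cleared-log events from whichever host forwarded them and treats Event 1100 as worth a look only when no Event Log service start follows it on that host. The record shape (host, channel, event_id, user), the host names and the user names are assumptions.

```python
# Constructed sample events in the normalised shape a SIEM might hold after
# ingesting forwarded Windows event logs (hypothetical records, in time order).
SAMPLE_EVENTS = [
    {"host": "DC01", "channel": "Security", "event_id": 4624, "user": "alice"},
    {"host": "DC01", "channel": "Security", "event_id": 1102, "user": "svc-backup"},
    {"host": "WS042", "channel": "System", "event_id": 104, "user": "bob"},
    {"host": "WS042", "channel": "Security", "event_id": 1100, "user": "SYSTEM"},
    {"host": "FS01", "channel": "Security", "event_id": 1100, "user": "SYSTEM"},
    {"host": "FS01", "channel": "System", "event_id": 6005, "user": "SYSTEM"},
]

# (channel, event ID) pairs that record a log being cleared.
# 1102: the Security audit log was cleared. 104: a log file was cleared (System channel).
LOG_TAMPERING_SIGNATURES = {
    ("Security", 1102): "audit log cleared",
    ("System", 104): "event log file cleared",
}
LOGGING_STOPPED = ("Security", 1100)  # the event logging service shut down
LOGGING_STARTED = ("System", 6005)    # the Event Log service was started (normal boot)


def detect_log_clearing(events):
    """Alert on every cleared-log event, whichever host forwarded it."""
    alerts = []
    for ev in events:
        reason = LOG_TAMPERING_SIGNATURES.get((ev["channel"], ev["event_id"]))
        if reason:
            alerts.append((ev["host"], ev["user"], ev["event_id"], reason))
    return alerts


def detect_logging_stopped(events):
    """Return hosts whose last Event 1100 is not followed by an Event 6005.

    1100 is also written on every graceful shutdown, so a service start after
    it is normal; a 1100 with no later start is the case to review.
    """
    last_stop, restarted = {}, set()
    for idx, ev in enumerate(events):
        key = (ev["channel"], ev["event_id"])
        if key == LOGGING_STOPPED:
            last_stop[ev["host"]] = idx
            restarted.discard(ev["host"])
        elif key == LOGGING_STARTED and ev["host"] in last_stop:
            restarted.add(ev["host"])
    return sorted(h for h in last_stop if h not in restarted)


if __name__ == "__main__":
    print(detect_log_clearing(SAMPLE_EVENTS))
    print(detect_logging_stopped(SAMPLE_EVENTS))
```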