cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Clearing audit logs from Domain Controller

Deleted
Not applicable

‎Jul 22 2019 02:01 PM

‎Jul 22 2019 02:01 PM

Clearing audit logs from Domain Controller

Hi there,

 

Clearing the event logs from the Domain Controller or workstation could be a sign of malicious behavior.

Does Microsoft ATA currently alert on this?

 

event-1102.png

2,187 Views
0 Likes
4 Replies
Reply
4 Replies
Eli Ofek

‎Jul 22 2019 02:05 PM

‎Jul 22 2019 02:05 PM

Re: Clearing audit logs from Domain Controller

@Deleted , No, there is no detection for this.

@Tali Ash , did we ever consider this?

1 Like
Reply

‎Jul 22 2019 09:01 PM

‎Jul 22 2019 09:01 PM

Re: Clearing audit logs from Domain Controller

@Eli Ofek 

If you consider adding it to ATA. You might add Event 1100 to it as well.

This event shows up when someone shuts down the event logs.

0 Likes
Reply
Tali Ash

‎Jul 23 2019 12:24 AM

‎Jul 23 2019 12:24 AM

Re: Clearing audit logs from Domain Controller

Thanks @Deleted , we will look into it, currently are not planning at add such detection.

 

Thanks,

Tali

0 Likes
Reply
Mark Lewis

‎Jul 24 2019 05:04 AM - edited ‎Jul 24 2019 05:04 AM

‎Jul 24 2019 05:04 AM - edited ‎Jul 24 2019 05:04 AM

Re: Clearing audit logs from Domain Controller

I think this should be triggered from the SIEM. Especially if you're collecting logs from all servers in to the one source. AATP/ATP would only trigger this from a DC, but your SIEM would trigger it from anywhere that is sending the logs.

0 Likes
Reply