Microsoft Tech Community

Clearing audit logs from Domain Controller


Hi there,


Clearing the event logs from the Domain Controller or workstation could be a sign of malicious behavior.

Does Microsoft ATA currently alert on this?



4 Replies

@Deleted , No, there is no detection for this.

@Tali Ash , did we ever consider this?

@Eli Ofek 

If you consider adding it to ATA, you might add Event 1100 to it as well.

This event shows up when someone shuts down the event logs.

Thanks @Deleted , we will look into it; currently we are not planning to add such a detection.




I think this should be triggered from the SIEM, especially if you're collecting logs from all servers into one source. AATP/ATP would only trigger this from a DC, but your SIEM would trigger it from anywhere that is sending the logs.
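A SIEM-side check of the kind the last reply suggests, as an added example that is not from any poster, ATA or ATP: it runs over constructed, simplified forwarded-event records and flags log clearing on any host, not just domain controllers. Event 1100 is the ID named in the thread; 1102 (Security log cleared) and 104 (System log cleared) are documented Windows IDs; using 1074 as a shutdown signal with a 5-minute grace window is this example's assumption.

```python
from datetime import datetime, timedelta

# Event IDs that mean a log was cleared or logging was stopped.
LOG_TAMPER_EVENTS = {
    1102: "Security audit log cleared",
    104: "Event log cleared (System channel)",
    1100: "Event logging service shut down",
}
SHUTDOWN_EVENT = 1074            # System log: a process initiated shutdown/restart
SHUTDOWN_GRACE = timedelta(minutes=5)  # assumed window between 1074 and 1100


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def flag_log_tampering(records):
    """Return alerts for log clearing/shutdown events across all hosts.

    1100 is normal during a reboot, so it is only reported when no shutdown
    event (1074) from the same host precedes it within SHUTDOWN_GRACE.
    """
    shutdowns = {}
    for rec in records:
        if rec["event_id"] == SHUTDOWN_EVENT:
            shutdowns.setdefault(rec["host"], []).append(_ts(rec))

    alerts = []
    for rec in sorted(records, key=_ts):
        eid = rec["event_id"]
        if eid not in LOG_TAMPER_EVENTS:
            continue
        if eid == 1100:
            when = _ts(rec)
            if any(timedelta(0) <= when - t <= SHUTDOWN_GRACE
                   for t in shutdowns.get(rec["host"], [])):
                continue  # expected: host was being shut down
        alerts.append({"host": rec["host"], "event_id": eid,
                       "user": rec.get("user", "-"),
                       "reason": LOG_TAMPER_EVENTS[eid]})
    return alerts


# Constructed sample records (simplified forwarded-event fields, not real logs).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "host": "DC01", "event_id": 1102, "user": "CONTOSO\\jdoe"},
    {"time": "2024-03-01T09:05:00", "host": "WS07", "event_id": 1074, "user": "SYSTEM"},
    {"time": "2024-03-01T09:06:30", "host": "WS07", "event_id": 1100, "user": "SYSTEM"},
    {"time": "2024-03-01T10:15:00", "host": "DC02", "event_id": 1100, "user": "SYSTEM"},
    {"time": "2024-03-01T11:40:00", "host": "FS01", "event_id": 104, "user": "CONTOSO\\svc_backup"},
    {"time": "2024-03-01T11:41:00", "host": "FS01", "event_id": 4624, "user": "CONTOSO\\svc_backup"},
]

if __name__ == "__main__":
    for a in flag_log_tampering(SAMPLE_EVENTS):
        print(f"{a['host']}: event {a['event_id']} by {a['user']}: {a['reason']}")
```

Against the sample, the workstation's 1100 that follows its own 1074 is suppressed, while the DC02 1100 with no preceding shutdown is raised alongside the two explicit clear-log events.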