Detection for clearing the security log


In various publicly shared Defender ATP queries (like the one in this Microsoft posting), detection looks for the act of clearing the security event log this way:

 

DeviceAlertEvents
// Attempts to clear security event logs.
| where Title in("Event log was cleared",
<this is just an excerpt so ignore the lack of closure here>
 
But based on my testing, the act of clearing the security log does not generate something classified under "DeviceAlertEvents".  Instead, I had to use DeviceEvents and filter for the ActionType "securitylogcleared".
 
While I'm glad that I could figure this out and create my own detection, I'm wondering: Was there a schema change I missed?  Or something I didn't configure correctly?  I'm just concerned that a lot of community-shared detections are not written properly, and some I've already implemented I need to go back and update.
 
Edited to add:  So using DeviceEvents worked for one machine (Windows 10, Build 19041.572), but did not for another-- even after bringing it to the same build level.  We clear the security event log, but it's not showing up in the timeline *at all*.  I can see the mmc being loaded and I even see the screenshot of the event log-- but no event in the timeline for clearing it.  What's driving this??
 
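An advanced hunting query built on the poster's finding, added here as an example rather than taken from the post or from Microsoft: it uses DeviceEvents with the securitylogcleared ActionType as the primary signal and keeps the DeviceAlertEvents title from the community query as a secondary one, then summarizes per device so that a machine known to have had its log cleared but missing from the results stands out as a telemetry gap. It assumes the standard Defender for Endpoint advanced hunting column names used below and a 7-day lookback.

```kql
// Added example, not code from the original post. Assumes the standard
// advanced hunting schema: DeviceEvents (ActionType, InitiatingProcess*)
// and DeviceAlertEvents (Title), plus Timestamp/DeviceId/DeviceName on both.
let lookback = 7d;
// Primary signal: the raw telemetry event the poster observed. =~ is a
// case-insensitive comparison, so "securitylogcleared" and
// "SecurityLogCleared" both match.
let cleared_events = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType =~ "SecurityLogCleared"
    | project Timestamp, DeviceId, DeviceName,
              InitiatingProcessAccountName, InitiatingProcessFileName,
              InitiatingProcessCommandLine, Source = "DeviceEvents";
// Secondary signal: the alert title the community query keys on. Columns
// absent from this side are filled with nulls by the union below.
let cleared_alerts = DeviceAlertEvents
    | where Timestamp > ago(lookback)
    | where Title in ("Event log was cleared")
    | project Timestamp, DeviceId, DeviceName, Source = "DeviceAlertEvents";
union cleared_events, cleared_alerts
// One row per device: how often, when, which source saw it, and who/what did it.
| summarize ClearCount = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Sources = make_set(Source),
            Accounts = make_set(InitiatingProcessAccountName),
            Processes = make_set(InitiatingProcessFileName),
            CommandLines = make_set(InitiatingProcessCommandLine)
          by DeviceId, DeviceName
| order by LastSeen desc
```

A device that appears only under the DeviceAlertEvents source, or not at all after a known clearing, points to the same reporting gap the edit above describes and is worth checking on the sensor side before trusting the detection for that host.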