Windows - Deletion Event Log Detection Test

Deletion of Windows Event Log SIEM Detection Test

The deletion of a Windows Event Viewer Security log is a common pattern of post-attack evasion by malicious software and attackers. By monitoring for this deletion, you can have immediate awareness of what should be an unusual activity -- with the benefit of having those same deleted event logs stored in Blumira for analysis.

How to Test Deletion of Windows Security Log

Prerequisites:

Windows Host must be set up with NxLog configuration and properly logging to Blumira
GPO Advanced Logging (Logmira) - must be installed and logging properly to Blumira

Testing Steps:

There are various ways to delete the Security Event Viewer Logs, however the easiest is to use a PowerShell command
Open PowerShell with "Run as Administrator"
Run the command Clear-EventLog "Security"
This detection test will trigger a finding in your Blumira console and the appropriate notifications per your Blumira settings

Additional Security Resources

View All Posts

Customer Success Stories

7 min read | September 16, 2025

Customer Story: MTC Federal Credit Union

Critical Microsoft SharePoint Server vulnerability

Security Trends and Info

9 min read | July 24, 2025

Critical Microsoft SharePoint Server vulnerability allows unauthorized code execution

Customer Success Stories

6 min read | July 15, 2025

Customer Story: LEAP Managed IT Streamlines Ticketing and Boosts Visibility with Blumira’s API

Get Started for Free

Experience the Blumira Free SIEM, with automated detection and response plus compliance reports for 3 cloud connectors.