Windows - Deletion Event Log Detection Test
Deletion of Windows Event Log SIEM Detection Test
Clearing the Windows Event Viewer Security log is a common post-compromise evasion step by malware and hands-on attackers. Monitoring for this clearing gives you immediate awareness of an activity that should be rare in any environment, with the added benefit that the events removed from the host are still stored in Blumira for analysis.

How to Test Deletion of Windows Security Log
Prerequisites:
- Windows host must be set up with the NxLog configuration and properly logging to Blumira
- GPO Advanced Logging (Logmira) must be installed and logging properly to Blumira

Steps:
- There are various ways to delete the Security Event Viewer logs; the easiest is to use a PowerShell command
- Open PowerShell with "Run as Administrator"
- Run the command:

```powershell
Clear-EventLog "Security"
```

- This detection test will trigger a finding in your Blumira console and the appropriate notifications per your Blumira settings
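Before expecting a finding in the console, it helps to confirm that the host itself recorded the event the detection keys on: clearing the Security log writes Security event ID 1102 ("The audit log was cleared") as the first entry in the fresh log. The following verification script is an added example, not part of the Blumira article; the function name, the 15-minute window and the `-ComputerName` default are assumptions you can adjust.

```powershell
# Added verification step (not from the original article): after running the test,
# list Security event ID 1102 records so you can confirm auditing and NxLog forwarding
# are working before troubleshooting the Blumira side.
# Assumes an elevated PowerShell session; the window and ComputerName default are assumptions.
function Get-AuditLogClearedEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MinutesBack = 15
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 1102
        StartTime = (Get-Date).AddMinutes(-$MinutesBack)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event 1102 carries the clearing account under UserData/LogFileCleared
            $xml = [xml]$_.ToXml()
            $subject = $xml.Event.UserData.LogFileCleared
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Computer      = $_.MachineName
                SubjectUser   = $subject.SubjectUserName
                SubjectDomain = $subject.SubjectDomainName
                LogonId       = $subject.SubjectLogonId
            }
        }
}

$hits = @(Get-AuditLogClearedEvents)
if ($hits.Count -eq 0) {
    Write-Warning "No Security event 1102 in the last window; check audit policy and NxLog forwarding before expecting a Blumira finding."
} else {
    $hits | Format-Table -AutoSize
}
```

The SubjectUser and LogonId fields are what you would correlate in Blumira against the session that ran Clear-EventLog.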