Skip to content
Get A Demo
Sign Up Free

    Windows - Deletion Event Log Detection Test

    Deletion of Windows Event Log SIEM Detection Test

    The deletion of a Windows Event Viewer Security log is a common pattern of post-attack evasion by malicious software and attackers. By monitoring for this deletion, you can have immediate awareness of what should be an unusual activity -- with the benefit of having those same deleted event logs stored in Blumira for analysis.

    How to Test Deletion of Windows Security Log

    • Windows Host must be set up with NxLog configuration and properly logging to Blumira
    • GPO Advanced Logging (Logmira) - must be installed and logging properly to Blumira
    Testing Steps:
    1. There are various ways to delete the Security Event Viewer Logs, however the easiest is to use a PowerShell command
    2. Open PowerShell with "Run as Administrator"
    3. Run the command Clear-EventLog "Security"
    4. This detection test will trigger a finding in your Blumira console and the appropriate notifications per your Blumira settings

    Get Started for Free

    Experience the Blumira Free SIEM, with automated detection and response plus compliance reports for 3 cloud connectors, forever.

    Sign up