
Windows – Deletion Event Log Detection Test


Deletion of Windows Event Log SIEM Detection Test

Clearing the Windows Security event log is a common post-compromise evasion step for both malware and hands-on attackers. Monitoring for this deletion gives you immediate notice of an activity that should be rare in normal operation, with the added benefit that the events deleted from the host are still stored in Blumira for analysis.


Set Up Instructions

How to Test Deletion of Windows Security Log

Prerequisites:

  • Windows Host must be set up with NxLog configuration and properly logging to Blumira
  • GPO Advanced Logging (Logmira) – must be installed and logging properly to Blumira

Testing Steps:

  1. There are various ways to clear the Security event log; the easiest is a PowerShell command.
  2. Open PowerShell with “Run as Administrator”.
  3. Run the command: Clear-EventLog "Security"
  4. This detection test will trigger a finding in your Blumira console and send notifications according to your Blumira settings.
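If the finding does not appear, first confirm on the host itself that the clear produced the audit record a SIEM detection depends on before troubleshooting NxLog or the GPO. The script below is an added example, not code from the Blumira page; it assumes it is run on the tested host with administrator rights and relies on Windows Security Event ID 1102 ("The audit log was cleared"), which Windows writes as the first entry of the freshly cleared Security log.

```powershell
# Added example (not Blumira's own code). Confirms locally that clearing the
# Security log produced Event ID 1102 and shows which account cleared it.
function Get-SecurityLogClearEvent {
    [CmdletBinding()]
    param(
        # Only return clear events at or after this time (default: last hour).
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 1102; StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Event 1102 carries its subject under <UserData><LogFileCleared>,
        # not under <EventData> like most Security events.
        $xml     = [xml]$e.ToXml()
        $cleared = $xml.Event.UserData.LogFileCleared
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            Account     = "$($cleared.SubjectDomainName)\$($cleared.SubjectUserName)"
            LogonId     = $cleared.SubjectLogonId
        }
    }
}

# Usage: run shortly after the Clear-EventLog step above.
$found = @(Get-SecurityLogClearEvent -Since (Get-Date).AddMinutes(-15))
if ($found.Count -eq 0) {
    Write-Warning ('No Security 1102 event in the last 15 minutes: the log was not ' +
                   'cleared, or auditing is not writing to it. Fix this on the host ' +
                   'before looking at NxLog or Blumira.')
} else {
    # One row per clear; the Account column should match the session that ran the test.
    $found | Format-Table -AutoSize
}
```

If the 1102 event is present locally but no finding appears in Blumira, the gap is in forwarding (NxLog configuration or the Logmira GPO), not in Windows auditing.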