[New Rule] Clearing Windows Event Logs #500
Comments
@janniten thanks for opening this issue. In your screenshot I see event ID 4688; is the command line auditing enabled or not? It's a good idea to use the 1102 event ID to complement, but the inconvenience of this approach is one doesn't know which process + cmdline did the deletion action and hence can't easily guess the context (most of the time the GUI way is legit and related to SysAdmin activity).
Hi @Samirbous, my fault, the setting "Include command line in process creation events" was not configured in my local policy. Sorry! Now I can see the parameters about log clearing. I still believe that using the event 1102 (Security) and 104 (for Application, System and other logs) is a good complement in these cases:
Thank you!
Hi @janniten, yes, all good points, especially regulation and compliance requirements. Because the existing rule is using process execution data, you can create a "New Rule" issue and PR for the same using Windows event logs.
Description
There are (to my knowledge) 3 ways of clearing the Windows Event logs:
Using powershell:
powershell.exe Clear-EventLog -LogName application, system -confirm
Using wevtutil:
WevtUtil.exe cl "Security"
Using the event viewer:
I've tested the rule for the 3 ways on a 2012 and a 2016 DC and here are the results:
After the tests:
When clearing from event viewer no process related data is generated, but Event logs are cleared.
In all 3 cases the event 1102 is generated. The event is ECS compliant and my own rule works for the 3 cases using this query:
event.action: "audit-log-cleared"
or it also works querying the specific event
event.code: "1102"
There has been a discussion about an event category for when configurations or audit settings are changed/modified, and maybe in the future a more general query can be done (elastic/ecs#963)
Is there any reason why the clearing of event logs is not detected by the appearance of event 1102 and only by process and its arguments?
Also there is one open improvement related to this rule (#392), but in that case it is clear that process.args has data...
Am I missing something?
Thank you
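The coverage difference argued in this issue, as an added example that is not part of the original post and not code from the elastic/detection-rules project: a process-argument based rule (an assumed approximation of the existing rule, not its actual query) and the issue's proposed event.action / event.code rule are run over constructed ECS-style documents for the three clearing methods, plus the "command line auditing disabled" case from the comments and a benign wevtutil query. Field names follow ECS as used by Winlogbeat; the user name and the 104 document's shape are constructed, and event.action for 104 is left unset because its mapping is not given on the page.

```python
# Added example (not code from the issue or from elastic/detection-rules):
# evaluates two detection approaches over constructed ECS-style documents.
# "process_rule" is an assumed approximation of a rule keyed on process
# execution data; "event_code_rule" is the query proposed in the issue.
from typing import Any

Doc = dict[str, Any]


def get(doc: Doc, path: str, default: Any = None) -> Any:
    """Walk a dotted ECS field path such as 'process.args'."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def process_rule(doc: Doc) -> bool:
    """Assumed approximation of a rule keyed on process execution data:
    wevtutil.exe with a clear verb, or PowerShell invoking Clear-EventLog.
    It can only fire when process.args is populated."""
    name = (get(doc, "process.name") or "").lower()
    args = [a.lower() for a in get(doc, "process.args", [])]
    if name == "wevtutil.exe":
        return any(a in ("cl", "clear-log") for a in args)
    if name in ("powershell.exe", "pwsh.exe"):
        return any("clear-eventlog" in a for a in args)
    return False


def event_code_rule(doc: Doc) -> bool:
    """The issue's proposal: Security 1102 (event.action 'audit-log-cleared')
    or event.code 1102 / 104, regardless of how the clear was triggered."""
    return (get(doc, "event.action") == "audit-log-cleared"
            or get(doc, "event.code") in ("1102", "104"))


# Constructed sample documents (not real telemetry), one per scenario,
# shaped like Winlogbeat output after ECS mapping.
SAMPLE_DOCS: list[tuple[str, Doc]] = [
    # Method 1: PowerShell Clear-EventLog with command line auditing enabled.
    ("powershell_clear_cmdline_audited", {
        "event": {"code": "4688", "action": "created-process"},
        "process": {"name": "powershell.exe",
                    "args": ["powershell.exe", "Clear-EventLog", "-LogName",
                             "application,", "system", "-confirm"]},
        "winlog": {"channel": "Security"}}),
    # Same action with command line auditing disabled: 4688 carries no args.
    ("powershell_clear_cmdline_not_audited", {
        "event": {"code": "4688", "action": "created-process"},
        "process": {"name": "powershell.exe"},
        "winlog": {"channel": "Security"}}),
    # Method 2: wevtutil cl Security.
    ("wevtutil_cl_security", {
        "event": {"code": "4688", "action": "created-process"},
        "process": {"name": "wevtutil.exe", "args": ["WevtUtil.exe", "cl", "Security"]},
        "winlog": {"channel": "Security"}}),
    # Method 3: Event Viewer GUI produces no process creation record for the
    # clear; the only trace is the 1102 written to the fresh Security log.
    ("eventviewer_clear_security_1102", {
        "event": {"code": "1102", "action": "audit-log-cleared"},
        "user": {"name": "jdoe"},  # constructed user name
        "winlog": {"channel": "Security", "provider_name": "Microsoft-Windows-Eventlog"}}),
    # Clearing a non-Security log (System/Application) yields a 104 instead.
    # event.action is left unset here because its ECS mapping is not given
    # on the page; the rule keys on event.code for this case.
    ("system_log_cleared_104", {
        "event": {"code": "104"},
        "winlog": {"channel": "System", "provider_name": "Microsoft-Windows-Eventlog"}}),
    # Benign: querying, not clearing, with wevtutil; neither rule should fire.
    ("wevtutil_query_benign", {
        "event": {"code": "4688", "action": "created-process"},
        "process": {"name": "wevtutil.exe", "args": ["wevtutil.exe", "qe", "Security", "/c:5"]},
        "winlog": {"channel": "Security"}}),
]


def evaluate(docs: list[tuple[str, Doc]] = SAMPLE_DOCS) -> dict[str, dict[str, bool]]:
    """For each labelled document, report which rule(s) fire."""
    return {label: {"process_rule": process_rule(d), "event_code_rule": event_code_rule(d)}
            for label, d in docs}


def missed_by_process_rule(docs: list[tuple[str, Doc]] = SAMPLE_DOCS) -> list[str]:
    """Scenarios that only the event.code / event.action based rule catches."""
    return [label for label, r in evaluate(docs).items()
            if r["event_code_rule"] and not r["process_rule"]]


if __name__ == "__main__":
    for label, hits in evaluate().items():
        print(f"{label:40s} process_rule={hits['process_rule']!s:5s} "
              f"event_code_rule={hits['event_code_rule']}")
    print("caught only by event.code/event.action:", missed_by_process_rule())
```

The two rules are complementary rather than interchangeable: the process-based rule names the binary and command line but misses the Event Viewer path entirely and goes blind whenever process.args is not collected, while the 1102/104 rule fires for every clear but has to be joined back to process telemetry to recover the context the first comment asks for.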