Windows

WDS1. Log tampering

(index=`index_winsecurity` EventID IN (1100,1102,4826)) OR
(index=`index_winsystem` (EventID IN (104,6005) OR (EventID=4826 System_Event_Logging=No)))
| stats values(EventID) as EventID, latest(EventID) as LastEventID, values(TargetUserName) as TargetUserName, first(EventTime) as local_time by host
| where EventID IN (104,1102) OR (EventID IN (1100) AND LastEventID!=6005 AND LastEventID!=4826)
| table TargetUserName, host, local_time

Throttle: host

Considerations

With this alert we want to catch every clearing of the Security log as well as every stop of the event logging service. We want to whitelist computer restarts (a 6005 following an 1100), but some computers do not log 6005 events. To get rid of those false positives for EventCode 1100, we check on the 4826 event whether the host has System logs; if it does not, we exclude it from this particular case.
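The per-host logic of the rule above (group by host, alert on any 104/1102, alert on an 1100 only when the host's latest retrieved event is neither a 6005 restart nor a 4826 marking it as having no System log) can be exercised offline before it is deployed. The following Python is an added example and not part of the original rule or page: it mirrors the SPL base search and the stats/where stages over constructed sample events, so each whitelist branch can be checked against a known case. The field names `index`, `EventTime`, `TargetUserName` and `System_Event_Logging` are assumed to match the SPL; the hosts and timestamps are made up.

```python
from collections import defaultdict

# Event IDs the SPL base search pulls from each index.
SECURITY_IDS = {1100, 1102, 4826}   # index_winsecurity
SYSTEM_IDS = {104, 6005}            # index_winsystem (6005 = logging service started, i.e. a restart)


def retrieved(event):
    """Mirror the SPL base search: decide whether an event reaches the stats stage."""
    eid = event["EventID"]
    if event["index"] == "winsecurity":
        return eid in SECURITY_IDS
    if event["index"] == "winsystem":
        # A 4826 is only taken from the System index when it flags the host
        # as not having System event logging; such hosts never emit a 6005.
        return eid in SYSTEM_IDS or (eid == 4826 and event.get("System_Event_Logging") == "No")
    return False


def evaluate(events):
    """Return one alert row per host that trips the WDS1 logic.

    Row layout follows the SPL `table` stage: TargetUserName (list), host, local_time.
    """
    by_host = defaultdict(list)
    for e in filter(retrieved, events):
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["EventTime"])  # oldest first
        ids = {e["EventID"] for e in evs}        # values(EventID)
        last_id = evs[-1]["EventID"]             # latest(EventID)
        users = sorted({e["TargetUserName"] for e in evs if e.get("TargetUserName")})
        local_time = evs[-1]["EventTime"]

        log_cleared = bool(ids & {104, 1102})
        # An 1100 is benign if the host restarted afterwards (6005) or if the
        # host is known to lack System logs (4826 with System_Event_Logging=No).
        stopped_without_restart = 1100 in ids and last_id not in (6005, 4826)

        if log_cleared or stopped_without_restart:
            alerts.append({"TargetUserName": users, "host": host, "local_time": local_time})
    return alerts


# Constructed sample events (not real telemetry); one host per branch of the rule.
SAMPLE_EVENTS = [
    # ws-a: Security log cleared by a user -> alert
    {"host": "ws-a", "index": "winsecurity", "EventID": 1102, "EventTime": "2024-01-01T10:00:00", "TargetUserName": "alice"},
    # ws-b: logging service stopped, then restarted -> whitelisted reboot
    {"host": "ws-b", "index": "winsecurity", "EventID": 1100, "EventTime": "2024-01-01T10:00:00"},
    {"host": "ws-b", "index": "winsystem", "EventID": 6005, "EventTime": "2024-01-01T10:02:00"},
    # ws-c: logging service stopped and never came back -> alert
    {"host": "ws-c", "index": "winsecurity", "EventID": 1100, "EventTime": "2024-01-01T10:00:00"},
    # ws-d: stopped, but host has no System log so no 6005 can ever appear -> excluded
    {"host": "ws-d", "index": "winsecurity", "EventID": 1100, "EventTime": "2024-01-01T10:00:00"},
    {"host": "ws-d", "index": "winsystem", "EventID": 4826, "EventTime": "2024-01-01T10:03:00", "System_Event_Logging": "No"},
    # ws-e: System log cleared -> alert
    {"host": "ws-e", "index": "winsystem", "EventID": 104, "EventTime": "2024-01-01T10:00:00"},
    # ws-f: unrelated logon event, never retrieved by the base search
    {"host": "ws-f", "index": "winsecurity", "EventID": 4624, "EventTime": "2024-01-01T10:00:00", "TargetUserName": "carol"},
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(row)
```

Running the module prints rows for ws-a, ws-c and ws-e only; ws-b (restart) and ws-d (no System log) are suppressed exactly as the `where` stage intends.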