Managed Sentinel – Alert 119

Alert ID: MS-A119
Alert Name: Windows Security Event Log Cleared
Description: This alert is triggered whenever the system generates an audit-log-cleared event.
Windows Event ID 1102 ("The audit log was cleared") is written by the Event Log service itself whenever the Security log is cleared, regardless of how the Audit System Events audit policy is configured; it cannot be suppressed by audit settings and appears as the first record in the freshly cleared log. Its Subject fields (Security ID, Account Name, Domain Name and Logon ID) identify the user who cleared the log. Clearing the Security log from Event Viewer, with wevtutil cl Security, or with the Clear-EventLog cmdlet all produce this event. Clearing other logs (System, Application and so on) is recorded as Event ID 104 in the System log instead, so this alert covers the Security log only.
Severity Level: High
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Execution, Defense Evasion, Lateral Movement, Command and Control (CnC)
The technique that directly matches this event is T1070.001, Indicator Removal: Clear Windows Event Logs (Defense Evasion); the remaining tactics describe the activity an attacker typically tries to hide by clearing the log.
Log sources: Windows Security Event Log
False Positives: Administrators clearing the Security Event log manually (for example during troubleshooting or after resizing the log)
Applications or scripts configured to clear the Security Event log (for example log-rotation or collection tooling running under a service account)
Recommendations: 1. Identify the system(s) affected (the Computer field of each 1102 event) and whether the clear was performed locally or over a remote session.
2. Identify the account that cleared the log from the event's Subject fields (Account Name, Domain Name, Logon ID) and determine whether its credentials have been compromised. The Logon ID matches the TargetLogonId of the 4624 logon event that created the session, which reveals the logon type and source address; that 4624 will usually have been wiped from the host by the clear, so look it up in the forwarded copy in the SIEM.
3. Identify the IT services running on the affected host and what the attacker could reach from it.
4. Reset the password of the compromised Windows account.
5. Identify lateral movement by the compromised account(s) throughout the enterprise, for example logons by the same account on other hosts around the time of the clear.
6. Optional: isolate the host from the network while you continue the investigation. Because clearing the log destroys local evidence, preserve the forwarded event copies and any host artifacts before remediation.
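The following PowerShell script is an added example written for this page; it is not part of the Managed Sentinel alert content. It performs the host-side part of the description and recommendations above: it reads the 1102 events from the Security log, extracts the Subject fields from the event's UserData section, correlates the Subject Logon ID with the 4624 logon that created the session to recover logon type and source address, flags accounts that are expected to clear the log (the false-positive case), and separately lists clears of other logs recorded as Event ID 104. The allowlist entry CORP\svc-logrotate is a placeholder assumption, and the ForwardedEvents option assumes you run the script on a collector that receives forwarded Security events (on the cleared host itself the matching 4624 has normally been wiped, so the correlation reports "not found").

```powershell
# Added example for MS-A119 triage; not code from the Managed Sentinel page.
# Run in an elevated session: reading the Security log requires administrator
# rights or membership in the Event Log Readers group.
function Get-SecurityLogClearTriage {
    param(
        # Assumed allowlist of DOMAIN\account names expected to clear the log
        # (e.g. a log-rotation service account). Adjust for your environment.
        [string[]]$KnownClearers = @('CORP\svc-logrotate'),
        # Log to search for the matching 4624. On the cleared host the 4624 has
        # usually been wiped; on a collector use 'ForwardedEvents' instead.
        [string]$LogonLog = 'Security',
        [int]$Days = 30
    )

    $since = (Get-Date).AddDays(-$Days)

    # 1102 is written by the Event Log service itself and is not governed by
    # audit policy, so it survives as the first record of the cleared log.
    $cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue

    foreach ($ev in $cleared) {
        # 1102 keeps its fields under <UserData><LogFileCleared>, not <EventData>,
        # so read the XML rather than relying on $ev.Properties ordering.
        $lfc     = ([xml]$ev.ToXml()).Event.UserData.LogFileCleared
        $subject = '{0}\{1}' -f $lfc.SubjectDomainName, $lfc.SubjectUserName
        $logonId = $lfc.SubjectLogonId      # hex string such as 0x3e7 (SYSTEM)

        # Correlate Subject Logon ID with the 4624 whose TargetLogonId created
        # the session. PowerShell's string -eq is case-insensitive, which copes
        # with 0x3e7 versus 0x3E7 renderings of the same logon ID.
        $logon = Get-WinEvent -FilterHashtable @{ LogName = $LogonLog; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object {
                $d = ([xml]$_.ToXml()).Event.EventData.Data
                ($d | Where-Object { $_.Name -eq 'TargetLogonId' }).'#text' -eq $logonId
            } | Select-Object -First 1

        $logonType = 'not found'
        $sourceIp  = 'not found'
        if ($logon) {
            $d         = ([xml]$logon.ToXml()).Event.EventData.Data
            $logonType = ($d | Where-Object { $_.Name -eq 'LogonType' }).'#text'
            $sourceIp  = ($d | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        }

        [pscustomobject]@{
            ClearedAt = $ev.TimeCreated
            Computer  = $ev.MachineName
            Subject   = $subject
            LogonId   = $logonId
            LogonType = $logonType     # 2 interactive, 3 network, 10 RDP
            SourceIp  = $sourceIp
            Expected  = [bool]($KnownClearers -contains $subject)   # -contains is case-insensitive
        }
    }
}

# Clears of logs other than Security are recorded as Event ID 104 in the
# System log; the Channel field names the log that was cleared.
function Get-OtherLogClears {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lfc = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                ClearedAt = $_.TimeCreated
                Channel   = $lfc.Channel
                Subject   = '{0}\{1}' -f $lfc.SubjectDomainName, $lfc.SubjectUserName
            }
        }
}

# Usage on the affected host:
Get-SecurityLogClearTriage | Format-Table -AutoSize
Get-OtherLogClears | Format-Table -AutoSize
# Usage on a Windows Event Collector that receives forwarded Security events:
# Get-SecurityLogClearTriage -LogonLog ForwardedEvents | Format-Table -AutoSize
```

A row with Expected = False, or with a LogonType of 3 or 10 from an unfamiliar SourceIp, is the case worth escalating; a row whose Subject is on the allowlist and whose timing matches a scheduled job is the documented false positive. Because the script only sees what is still on the host, treat "not found" for the 4624 as expected after a clear, not as evidence of nothing happening, and complete the correlation against the SIEM copy.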