Managed Sentinel – Alert 119
|Alert Name||Windows Security Event Log Cleared|
|Description||This alert is triggered whenever there is an audit log cleared event generated by the system. |
Windows event ID 1102 is logged whenever the Security log is cleared, regardless of the status of the Audit System Events audit policy. The Account Name and Domain Name fields identify the user who cleared the log.
|Threat Indicator||Unauthorized Access|
|MITRE ATT&CK Tactics||Execution|
|Log sources||Windows Security Event Log|
|False Positives||Admins clearing the Security Event log|
Applications configured to clear the Security Event log
|Recommendations||1. Identify the system(s) that have been affected |
2. Identify user credentials that have been compromised
3. Identify the IT services running on the compromised host impacted.
4. Reset password for the compromised Windows account
5. Identify lateral movement of compromised users throughout the enterprise
6. Optional: isolate host from network while you continue the investigation