SigmaHQ/windows/builtin/susp_eventlog_cleared.yml

description: Eventlog Cleared
comment: Some threat groups tend to delete the local 'Security'' Eventlog using certain utitlities
detection:
    selection:
        - EventLog: Security
          EventID:
              - 517
              - 1102
    condition: selection[0]
falsepositives:
    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
    - System provisioning (system reset before the golden image creation)
level: 70
Examples and Image 2016-12-26 01:21:55 +00:00			`description: Eventlog Cleared`
			`comment: Some threat groups tend to delete the local 'Security'' Eventlog using certain utitlities`
Example Updates 2016-12-27 13:49:54 +00:00			`detection:`
Examples and Image 2016-12-26 01:21:55 +00:00			`selection:`
Updated examples 2016-12-27 22:09:41 +00:00			`- EventLog: Security`
			`EventID:`
			`- 517`
			`- 1102`
			`condition: selection[0]`
First Example Set - Builtin 2016-12-24 11:23:47 +00:00			`falsepositives:`
			`- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)`
			`- System provisioning (system reset before the golden image creation)`
			`level: 70`