Windows - Deletion Event Log Detection Test
Deletion of Windows Event Log SIEM Detection Test
Clearing the Windows Security event log is a common post-compromise evasion technique: attackers and malware wipe it to remove evidence of their activity on the host. Monitoring for this action gives you immediate notice of what should be an unusual event, with the added benefit that the events removed from the host are already stored in Blumira for analysis. Windows records the clearing itself as Security event ID 1102 ("The audit log was cleared"), so the action remains detectable even though the log's prior contents are gone.
How to Test Deletion of Windows Security Log
Prerequisites:
- Windows host must be set up with the NxLog configuration and properly logging to Blumira
- GPO Advanced Logging (Logmira) must be installed and logging properly to Blumira
Steps:
- There are various ways to delete the Security event log; the easiest is a PowerShell command.
- Open PowerShell with "Run as Administrator" (clearing the Security log requires an elevated session).
- Run the command:
Clear-EventLog "Security"
- This detection test will trigger a finding in your Blumira console and the notifications configured in your Blumira settings.
Note that this test is destructive: it permanently removes the Security log's contents from the host, so run it on a test system and only after you have confirmed that the host is already forwarding events to Blumira.
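The following script is an added example and is not part of the original Blumira article. It runs the clearing step from the procedure above and then verifies locally that Windows wrote event ID 1102 into the freshly cleared Security log, reporting which account performed the clear. It assumes an elevated PowerShell session on a test host; the ten-second polling window and the exit code are arbitrary choices for this script.

```powershell
# Added example (not from the original Blumira article): run the log-clearing test
# and confirm Windows recorded it as Security event ID 1102.
# Assumptions: elevated PowerShell on a test host; polling window and exit code
# are arbitrary choices for this script.
#Requires -RunAsAdministrator

$LogName = 'Security'
$start   = Get-Date

# Step 1: clear the log. This is destructive; the prior events survive only in
# Blumira if forwarding was already working before this point.
Clear-EventLog -LogName $LogName

# Step 2: Windows writes event 1102 ("The audit log was cleared") into the
# cleared Security log. Poll briefly because the write is not always instantaneous,
# and suppress the "No events were found" error Get-WinEvent raises on an empty log.
$cleared = $null
for ($i = 0; $i -lt 10 -and -not $cleared; $i++) {
    Start-Sleep -Seconds 1
    $cleared = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = 1102
        StartTime = $start
    } -MaxEvents 1 -ErrorAction SilentlyContinue
}

if (-not $cleared) {
    Write-Warning "No event 1102 found after clearing $LogName; check that auditing is enabled."
    exit 1
}

# Step 3: report who cleared the log. Event 1102 carries the subject account in
# the UserData/LogFileCleared element rather than the usual EventData element.
$xml     = [xml]$cleared.ToXml()
$subject = $xml.Event.UserData.LogFileCleared
[pscustomobject]@{
    TimeCreated = $cleared.TimeCreated
    EventId     = $cleared.Id
    Domain      = $subject.SubjectDomainName
    User        = $subject.SubjectUserName
    LogonId     = $subject.SubjectLogonId
}
```

If the script prints the 1102 event but no finding appears in Blumira, the test itself succeeded and the gap is in forwarding (the NxLog or Logmira configuration), which is the part worth troubleshooting. Also keep in mind that event ID 1102 is specific to the Security log: clearing the System or Application log (or any other channel) with Clear-EventLog or wevtutil cl is recorded instead as event ID 104 in the System log, so a detection that keys only on 1102 does not cover those clears.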