Solved: Re: Integrity Check for Unauthorized Log Deletion

krussellffgbank · ‎04-18-2019

Is there a query that I can use that will check for unauthorized deletion of event and security logs?

adonio · ‎04-18-2019

if you have that data indexed, you can look for it in Splunk.

an example will be Windows Event Code 1102
read here:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102
index = YOUR_INDEX sourcetype=WInEventLog:Security EventCode=1102 ....
note, depends on how you onboard the data, sourcetype name might change

hope it helps

View solution in original post

Anam · ‎04-24-2019

Hi @krussellffgbank

Did the answer by @adonio help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

adonio · ‎04-18-2019

if you have that data indexed, you can look for it in Splunk.

an example will be Windows Event Code 1102
read here:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102
index = YOUR_INDEX sourcetype=WInEventLog:Security EventCode=1102 ....
note, depends on how you onboard the data, sourcetype name might change

hope it helps

Integrity Check for Unauthorized Log Deletion

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!