Is there a query that I can use that will check for unauthorized deletion of event and security logs?
if you have that data indexed, you can look for it in Splunk.
an example would be Windows Event Code 1102
read here:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102
index=YOUR_INDEX sourcetype=WinEventLog:Security EventCode=1102 ....
note: depending on how you onboard the data, the sourcetype name might change
hope it helps
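As an added example (not part of adonio's answer or any Splunk code), the same `EventCode=1102` filter written in Python over constructed sample events, with the account that cleared the log pulled out of the Subject block and compared against an allow-list of accounts expected to clear logs; the event layout, hostnames and account names are assumptions.

```python
import re

# Constructed sample events, laid out like the multi-line key=value records
# Splunk's Windows add-on produces for sourcetype WinEventLog:Security
# (an approximation of that format, not captured data).
SAMPLE_EVENTS = [
    "01/15/2024 09:12:44 AM\nLogName=Security\nEventCode=4624\n"
    "ComputerName=WS01.corp.example\nMessage=An account was successfully logged on.",
    "01/15/2024 09:13:02 AM\nLogName=Security\nEventCode=1102\n"
    "ComputerName=WS01.corp.example\nMessage=The audit log was cleared.\n"
    "Subject:\n\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001\n"
    "\tAccount Name:\t\tjdoe\n\tDomain Name:\t\tCORP\n\tLogon ID:\t\t0x5F3A2",
    "01/15/2024 11:00:10 PM\nLogName=Security\nEventCode=1102\n"
    "ComputerName=DC01.corp.example\nMessage=The audit log was cleared.\n"
    "Subject:\n\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-500\n"
    "\tAccount Name:\t\tsvc-logrotate\n\tDomain Name:\t\tCORP\n\tLogon ID:\t\t0x3E7",
]

def parse_event(raw):
    """Extract top-level key=value fields and the Subject's Account Name."""
    fields = {}
    for line in raw.splitlines():
        m = re.match(r"^([A-Za-z]+)=(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    m = re.search(r"Account Name:\s*(\S+)", raw)
    fields["AccountName"] = m.group(1) if m else "unknown"
    return fields

def find_log_clears(events, allowed_accounts=()):
    """Same filter as `sourcetype=WinEventLog:Security EventCode=1102`, with
    the clearing account checked against an allow-list of accounts that are
    expected to clear logs (e.g. a scheduled archiving job)."""
    findings = []
    for raw in events:
        ev = parse_event(raw)
        if ev.get("LogName") != "Security" or ev.get("EventCode") != "1102":
            continue
        findings.append({
            "time": raw.splitlines()[0],
            "host": ev.get("ComputerName", "unknown"),
            "account": ev["AccountName"],
            "unauthorized": ev["AccountName"] not in allowed_accounts,
        })
    return findings

if __name__ == "__main__":
    for f in find_log_clears(SAMPLE_EVENTS, allowed_accounts={"svc-logrotate"}):
        flag = "UNAUTHORIZED" if f["unauthorized"] else "expected"
        print(f"{f['time']} {f['host']} cleared Security log as {f['account']}: {flag}")
```

In Splunk the same allow-list step would be a `NOT Account_Name IN (...)` clause or a lookup appended to the search above.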
Hi @krussellffgbank
Did the answer by @adonio help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!