Splunk Search

Integrity Check for Unauthorized Log Deletion

krussellffgbank
New Member

Is there a query that I can use that will check for unauthorized deletion of event and security logs?

1 Solution

adonio
Ultra Champion

If you have that data indexed, you can look for it in Splunk.

An example would be Windows Event Code 1102.
Read here:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102
index=YOUR_INDEX sourcetype=WinEventLog:Security EventCode=1102 ...
Note: depending on how you onboard the data, the sourcetype name might change.

Hope it helps.

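As an added example (not part of the original thread or of Splunk's own tooling), the script below does outside Splunk what the search above does inside it: it parses events in the multi-line WinEventLog format a Splunk forwarder emits and flags log-clearing events, reporting the host, the log and the account that cleared it. It covers Event Code 1102 from the answer and, going a step beyond the answer, Event Code 104 from the Microsoft-Windows-Eventlog source, which records the clearing of the System, Application and other non-Security logs. The sample events, host names, account names, SIDs, timestamps and record numbers are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Equivalent Splunk search for the Security log case (index name is a placeholder):
#   index=YOUR_INDEX sourcetype=WinEventLog:Security EventCode=1102 | stats count by host

# Constructed sample data in WinEventLog format: a header timestamp, field=value
# lines, then a Message= line whose body may continue over several lines.
# Everything below (hosts, accounts, SIDs, record numbers) is made up.
SAMPLE_EVENTS = """\
09/14/2023 10:22:31 AM
LogName=Security
EventCode=4624
ComputerName=WS01.corp.example
SourceName=Microsoft Windows security auditing.
RecordNumber=20001
Message=An account was successfully logged on.

09/14/2023 10:25:07 AM
LogName=Security
EventCode=1102
ComputerName=WS01.corp.example
SourceName=Microsoft-Windows-Eventlog
RecordNumber=20002
TaskCategory=Log clear
Message=The audit log was cleared.
Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7

09/14/2023 10:26:44 AM
LogName=System
EventCode=104
ComputerName=WS01.corp.example
SourceName=Microsoft-Windows-Eventlog
RecordNumber=8801
Message=The System log file was cleared.
"""

# Event codes that indicate an event log was cleared.
# 1102 is the one from the answer (Security log); 104 is an added generalization
# covering the System, Application and other logs via Microsoft-Windows-Eventlog.
LOG_CLEARED_CODES = {
    "1102": "Security audit log cleared",
    "104": "Event log cleared (System/Application/other)",
}

ACCOUNT_RE = re.compile(r"Account Name:\s*(\S+)")


@dataclass
class Event:
    timestamp: str
    fields: Dict[str, str]
    message: str


def parse_wineventlog(raw: str) -> List[Event]:
    """Split raw forwarder output into events; field=value lines become fields,
    everything from Message= onward is kept as the free-text message body."""
    events: List[Event] = []
    for chunk in re.split(r"\n\s*\n", raw.strip()):
        lines = chunk.splitlines()
        if not lines:
            continue
        timestamp = lines[0].strip()
        fields: Dict[str, str] = {}
        message_lines: List[str] = []
        in_message = False
        for line in lines[1:]:
            if in_message:
                message_lines.append(line)
            elif line.startswith("Message="):
                in_message = True
                message_lines.append(line[len("Message="):])
            elif "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip()
        events.append(Event(timestamp, fields, "\n".join(message_lines)))
    return events


def detect_log_clearing(events: List[Event]) -> List[Dict[str, str]]:
    """Return one alert per log-clearing event, with the clearing account when
    the message body carries a Subject block (1102 does; 104 does not)."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        code = ev.fields.get("EventCode")
        if code not in LOG_CLEARED_CODES:
            continue
        match = ACCOUNT_RE.search(ev.message)
        alerts.append({
            "time": ev.timestamp,
            "host": ev.fields.get("ComputerName", "unknown"),
            "log": ev.fields.get("LogName", "unknown"),
            "event_code": code,
            "description": LOG_CLEARED_CODES[code],
            "account": match.group(1) if match else "unknown",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_log_clearing(parse_wineventlog(SAMPLE_EVENTS)):
        print(alert)
```

The 4624 logon event is left alone and the two clearing events are reported; the 1102 alert names the account from the Subject block, while the 104 alert shows "unknown" because that event carries no Subject, which is why correlating 104 with a nearby 4624 logon is often the next step in an investigation.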

Anam
Community Manager

Hi @krussellffgbank

Did the answer by @adonio help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

