Finding Windows audit log tampering
You are concerned that a user might have been clearing Windows logs. You want to find out if Windows audit logs have been tampered, so that if they have, you can contact the owner of the account to ensure it was a legitimate action.
How to use Splunk software for this use case
This article has been brought to you by Splunk Education. We’ve learned that the strongest superheroes up-skill with Splunk Education. That’s why we are making Splunk training easier and more accessible than ever with more than 20 self-paced, free eLearning courses. You can start with foundational courses like What is Splunk or dive into more advanced courses like Search Under the Hood, Result Modification, and many more. Enroll today so you have the skills to detect the good, the bad, and the unproductive.
For more great content from the Splunk Education team, check out Splunk How-To on YouTube or sign up for a course. In addition, these Splunk resources might help you understand and implement this search:
- Data Descriptor: Microsoft Windows
- Splunk Add-On: Microsoft Windows
Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.