SPL
Clearing of Windows Audit Logs
Description
This Splunk search will show anytime the windows audit logs (event viewer logs) have been cleared or deleted.
Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/
8 7
source=WinEventLog:security (EventCode=1102 OR EventCode=517) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Client_User_Name, host, index, Date | sort - Date | rename Client_User_Name as "Account Name"
Comments
0 total
Be the first to comment on this SPL.
Leave a comment
You must log in to post a comment.