Detection of attempts to disable or tamper with Windows Event Logging. This includes stopping or disabling the EventLog service, modifying registry keys related to EventLog and Autologger, using auditpol or wevtutil to disable categories or clear audit policies, and detecting suspicious gaps or resets in event logs. Defenders observe registry changes, service state changes, process execution of disabling commands, and anomalies in event record sequences.

| Data Component | Name | Channel |
|---|---|---|
| Service Metadata (DC0041) | WinEventLog:System | EventCode=7035 |
| Application Log Content (DC0038) | WinEventLog:Security | EventCode=1102 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| AuthorizedAdminAccounts | List of accounts authorized to legitimately modify audit policies or disable services. |
| TimeWindow | Correlation window between registry modification, service stop, and audit policy commands. |
| ServiceNames | Customizable set of monitored services such as EventLog, Sysmon, or custom loggers. |
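The correlation the strategy describes, as an added example that is not part of the original page: each event from the four channels above is mapped to a tampering indicator, and an alert fires when an account outside `AuthorizedAdminAccounts` produces two or more distinct indicators inside `TimeWindow`. Event records, account names, and the tunable values are constructed for the demo.

```python
from datetime import datetime, timedelta

# Tunable fields from the strategy table (values are assumptions for this demo).
AUTHORIZED_ADMIN_ACCOUNTS = {"CORP\\auditadmin"}
TIME_WINDOW = timedelta(minutes=10)
SERVICE_NAMES = {"EventLog", "Sysmon"}
LOGGING_TOOLS = ("auditpol", "wevtutil")

# Constructed sample events (not real telemetry), shaped after the channels above:
# Sysmon 1 (process), Sysmon 13 (registry), System 7035 (service control), Security 1102.
EVENTS = [
    {"time": "2024-05-01T10:00:05", "code": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\auditpol.exe"},
    {"time": "2024-05-01T10:00:20", "code": 13, "user": "CORP\\jdoe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Start"},
    {"time": "2024-05-01T10:01:00", "code": 7035, "user": "CORP\\jdoe",
     "service": "EventLog", "control": "stop"},
    {"time": "2024-05-01T10:02:00", "code": 1102, "user": "CORP\\jdoe"},
    {"time": "2024-05-01T12:00:00", "code": 1, "user": "CORP\\auditadmin",
     "image": r"C:\Windows\System32\auditpol.exe"},
]

def classify(ev):
    """Map one event to a tampering indicator, or None if it is not relevant."""
    code = ev["code"]
    exe = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    if code == 1 and exe.startswith(LOGGING_TOOLS):
        return "audit_policy_cmd"
    if code == 13 and any(k in ev.get("target", "").lower()
                          for k in ("\\services\\eventlog", "autologger")):
        return "eventlog_registry"
    if code == 7035 and ev.get("service") in SERVICE_NAMES and ev.get("control") == "stop":
        return "logging_service_stop"
    if code == 1102:
        return "security_log_cleared"
    return None

def detect(events):
    """Alert on unauthorized accounts with >= 2 distinct indicators inside TIME_WINDOW."""
    tagged = sorted(((datetime.fromisoformat(e["time"]), e["user"], classify(e))
                     for e in events), key=lambda t: t[0])
    alerts = []
    for i, (t0, user, ind) in enumerate(tagged):
        if ind is None or user in AUTHORIZED_ADMIN_ACCOUNTS:
            continue
        seen = {ind}
        for t1, u1, ind1 in tagged[i + 1:]:
            if t1 - t0 > TIME_WINDOW:
                break
            if u1 == user and ind1:
                seen.add(ind1)
        # Suppress duplicate alerts for the same account within one window.
        already = any(a["user"] == user and t0 - a["start"] <= TIME_WINDOW for a in alerts)
        if len(seen) >= 2 and not already:
            alerts.append({"user": user, "start": t0, "indicators": sorted(seen)})
    return alerts
```

In production the same logic runs as a scheduled search over the four channels; the single-indicator case (for example one `auditpol` run by an authorized account) is intentionally left to lower-severity review rather than alerted on.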