Palo Alto Networks Inc.

01/16/2025 | News release | Distributed by Public on 01/16/2025 08:03

Automate Response to Event Log Clearing Alerts with Cortex XSIAM

Reacting to Event Log Was Cleared Alerts

This playbook belongs to the Cortex Response and Remediation Pack, a comprehensive suite of automated workflows that enhance security operations efficiency. The pack supports the vision of an autonomous SOC.

These playbooks are tightly integrated with the XSIAM® analytics alerts, using the detection context those alerts carry to deliver precise, contextual responses. Working inside Cortex XSIAM®, the workflows handle routine investigation and remediation tasks on their own, allowing security teams to dedicate their attention to critical security threats.

Threat Overview: Event Log Clearing

Event logs are crucial for monitoring and auditing activities within an enterprise. They provide visibility into user actions, system changes, and security events. Clearing event logs can be a legitimate administrative task, but it is also a common tactic employed by threat actors to cover their tracks after compromising a system (MITRE ATT&CK T1070.001, Clear Windows Event Logs). Note that the clearing itself is recorded: Windows writes event ID 1102 to the Security log and event ID 104 to the System log when those logs are cleared, so the act leaves a trace even though the earlier entries are gone.

This blog introduces a robust Cortex XSIAM playbook designed to address alerts related to event log clearing, ensuring security teams can respond promptly to potential threats.

Purpose of the Playbook

The primary purpose of this playbook is to mitigate security risks by:

  • Investigating the context of the cleared event log alert thoroughly.
  • Determining whether the log clearing activity was authorized.
  • Executing remediation actions if malicious activity is detected.

This playbook addresses the following alerts:

  • Windows Event Log was cleared using wevtutil.exe.
  • Security Event Log was cleared using wevtutil.exe.
  • A Sensitive Windows Event Log was cleared using wevtutil.exe.
  • Windows event logs were cleared with PowerShell.
  • Suspicious clear or delete security provider event logs with PowerShell.
  • Suspicious clear or delete default providers event logs with PowerShell.
  • Windows event logs cleared using wmic.exe.

1. Investigation

The playbook begins by investigating the alert to determine whether the event log clearing activity was malicious. It performs the following actions:

  • Identifies the process that started the causality chain (the Causality Group Owner, CGO) leading to the event log clearing.
  • Evaluates process prevalence to determine whether the involved process is frequently observed across the environment or anomalous.
  • Checks process signatures to determine whether the parent process is unsigned or uncommon.
  • Analyzes related Cortex XSIAM alerts on the same causality chain to identify patterns indicating malicious behavior, mapped to the MITRE ATT&CK framework.
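The investigation steps above, as an added example that is not part of the original post or the Cortex playbook: a Python triage routine that classifies a process command line into the alert types listed earlier (wevtutil.exe, PowerShell, wmic.exe), then applies the prevalence, signature and related-alert checks to the causality group owner before choosing the remediation path. The record layout, the prevalence threshold, the approved-tool allowlist, the sensitive-log set, the mapping from log name to alert title, and the sample events are all constructed assumptions, not Cortex data or the playbook's own logic.

```python
"""Triage of Windows event-log-clearing alerts.

Added example, not code from Palo Alto Networks or the Cortex XSIAM
playbook. It mirrors the investigation steps described above over
constructed process records; field names, thresholds, the approved-tool
allowlist and the sensitive-log set are assumptions.
"""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    cmdline: str                 # command line of the clearing process
    cgo_image: str               # causality group owner (root of the chain)
    cgo_sha256: str              # hash used for the prevalence lookup
    cgo_signed: bool             # CGO binary carries a valid signature
    related_tactics: tuple = ()  # ATT&CK tactics of other alerts on this CGO

# Logs whose clearing is treated as sensitive (assumed set).
SENSITIVE_LOGS = {
    "security",
    "microsoft-windows-powershell/operational",
    "microsoft-windows-sysmon/operational",
}
RARE_CGO_THRESHOLD = 5  # assumed: a CGO seen on fewer hosts is anomalous

# Command-line patterns for the three techniques named in the alert list.
RULES = (
    ("wevtutil", re.compile(
        r'wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+"?(?P<log>[^"\s]+)', re.I)),
    ("powershell", re.compile(
        r'(?:Clear|Remove)-EventLog\s+(?:-LogName\s+)?"?(?P<log>[^"\s]+)', re.I)),
    ("wmic", re.compile(
        r'''wmic(?:\.exe)?\s+nteventlog\s+where\s+"?logfilename=['"]?'''
        r'''(?P<log>[^'"\s]+)['"]?"?\s+call\s+cleareventlog''', re.I)),
)

def classify(cmdline):
    """Return (alert name, log name) for a log-clearing command line, else None."""
    for tool, pat in RULES:
        m = pat.search(cmdline)
        if m:
            break
    else:
        return None
    log = m.group("log")
    sensitive = log.lower() in SENSITIVE_LOGS
    if tool == "wevtutil":
        if log.lower() == "security":
            return "Security Event Log was cleared using wevtutil.exe", log
        if sensitive:
            return "A Sensitive Windows Event Log was cleared using wevtutil.exe", log
        return "Windows Event Log was cleared using wevtutil.exe", log
    if tool == "powershell":
        if sensitive:
            return "Suspicious clear or delete security provider event logs with PowerShell", log
        return "Windows event logs were cleared with PowerShell", log
    return "Windows event logs cleared using wmic.exe", log

def triage(ev, prevalence, approved_cgo):
    """Run the investigation checks on one event and pick the remediation path.

    prevalence: {cgo_sha256: number of hosts the CGO was observed on}
    approved_cgo: lowercase image names of tooling admins clear logs from
    """
    hit = classify(ev.cmdline)
    if hit is None:
        return None
    alert, log = hit
    hosts = prevalence.get(ev.cgo_sha256, 0)
    checks = {  # anomaly signals, each strong enough for a malicious verdict
        f"CGO seen on only {hosts} host(s)": hosts < RARE_CGO_THRESHOLD,
        "CGO binary is unsigned": not ev.cgo_signed,
        "related alerts: " + ", ".join(ev.related_tactics): bool(ev.related_tactics),
    }
    findings = [msg for msg, flag in checks.items() if flag]
    unapproved = ev.cgo_image.lower() not in approved_cgo
    # A prevalent, signed CGO outside the admin allowlist only tips the
    # verdict when the cleared log is a sensitive one.
    malicious = bool(findings) or (unapproved and log.lower() in SENSITIVE_LOGS)
    if unapproved:
        findings.append("CGO is not an approved admin tool")
    return {
        "alert": alert, "log": log, "cgo": ev.cgo_image, "findings": findings,
        "verdict": "malicious" if malicious else "benign",
        "action": "terminate CGO, then close alert" if malicious else "close alert",
    }

# Constructed sample data (not Cortex telemetry).
PREVALENCE = {"a1" * 32: 1800, "b2" * 32: 1600, "c3" * 32: 1}
APPROVED_CGO = {"explorer.exe", "mmc.exe", "wsmprovhost.exe"}
EVENTS = [
    ProcEvent("wevtutil cl Application", "explorer.exe", "a1" * 32, True),
    ProcEvent('powershell.exe -nop -w hidden -c "Clear-EventLog -LogName Security"',
              "update.exe", "c3" * 32, False, ("Credential Access",)),
    ProcEvent('wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"',
              "cmd.exe", "b2" * 32, True),
    ProcEvent("wmic nteventlog where \"LogFileName='System'\" call ClearEventLog",
              "wsmprovhost.exe", "a1" * 32, True),
    ProcEvent("wevtutil qe Security /c:5", "explorer.exe", "a1" * 32, True),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev, PREVALENCE, APPROVED_CGO) or f"no log clearing: {ev.cmdline}")
```

In the real playbook the CGO, its prevalence and its signing status come from the CortexCoreIR integration rather than from a hand-built record, and the allowlist and rarity threshold would be tuned per environment; the structure of the decision is what the example shows.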

2. Remediation

Based on the investigation results, the playbook branches on the verdict and takes one of the following actions:

  • Terminate the causality process (CGO) to disrupt the entire causality chain associated with the alert, preventing further malicious activity. Upon successful operation, the alert will be closed.
  • Close non-malicious alerts if the investigation finds no evidence of malicious behavior.

Integration Requirements

To execute the response actions, the playbook requires the following integration:

  • CortexCoreIR - used for investigating associated processes and executing termination actions.

Addressing Security Challenges

Clearing event logs can indicate the following:

  • Incident concealment: Attackers attempting to erase evidence.
  • Privilege escalation attempts: Hiding traces of unauthorized access.
  • Persistence mechanisms: Obfuscating malicious activity.

This playbook provides an automated, structured response to mitigate these risks, ensuring:

  • Threats are investigated and contained quickly.
  • Incident data is preserved for forensic analysis.
  • Remediation actions prevent recurrence.
  • Low impact on the operating system and user experience.

Learn More

For detailed documentation and implementation guidance, visit the Event Log Was Cleared Playbook Documentation.

Stay ahead of evolving threats and protect your enterprise with Cortex XSIAM's automated playbooks.