Use the following steps to set up the T1070 - Windows Events Logs Cleared playbook.

Before you begin

Role required:
  • sn_si.admin
  • flow_designer

Make sure you have installed Security Operations Spoke (sn_sec_spoke).

Procedure

  1. Login as a user with sn_si.user and flow_designer roles.
  2. Navigate to All > Flow Designer and select the T1070 - Windows Events Logs Cleared playbook.
  3. (Optional) Create a copy of the T1070 - Windows Events Logs Cleared playbook flow and make the necessary modifications.

    To create a copy of the playbook's flow, select the More actions menu icon and select Copy flow. Perform this step only if you plan to customize or make specific changes to the flow.

    Figure 1. T1070 - Windows Events Logs Cleared playbook
    Overview of the T1070 - Windows Events Logs Cleared playbook
  4. Activate the playbooks.
    1. Activate the main flow to use the playbook available in the base system.
    2. Activate the copied flows after making the required changes.
  5. Set a Trigger Condition for the playbook.

    This playbook is triggered and associated with the security incident when the Category is Unauthorized access.

    Figure 2. T1070 - Windows Events Logs Cleared playbook trigger condition
    Trigger condition for T1070 - Windows Events Logs Cleared playbook