Playbook for T1070 - Windows Event Logs Cleared
This playbook provides remediation steps for investigating incidents in which a user clears the Security event log. Whenever the Security log is cleared, events 517 and 1102 are logged regardless of the Audit System Event policy status, so their presence is a reliable indicator even when other auditing is turned off.
This alert can track the following types of events:
- Event 517: The Primary username and Client username fields identify the user who cleared the log. The Primary username corresponds to the system account, and the Client username indicates the user who cleared the log.
- Event 1102: The Account Name and Domain Name fields identify the user who cleared the log. The Logon ID enables you to correlate backwards to the logon event (4624) and to other events logged during the same logon session.
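The correlation step described for event 1102, as an added example that is not part of the original playbook: it parses event records, finds the log-cleared events, and joins each one back to the 4624 logon that opened the same session using the Logon ID. The records are constructed samples shaped like the XML that wevtutil or Get-WinEvent (.ToXml()) export; the field names (SubjectLogonId on 1102, TargetLogonId on 4624) follow those schemas, and the hostnames, users and times are invented. The pre-Vista 517 record has a different layout and is only matched by ID here, not parsed.

```python
"""Correlate Windows 'audit log cleared' events (ID 1102) back to the logon
session that cleared them, joining on the Logon ID.

Added example for this playbook; not code from the original page. SAMPLE_EVENTS
are constructed records shaped like exported Windows event XML.
"""
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
LC_NS = "http://manifests.microsoft.com/win/2004/08/windows/eventlog"
LOG_CLEARED_IDS = {517, 1102}

# Constructed samples: a service logon, an RDP-style logon that later clears the
# log, the 1102 itself, and a later logon by the same user that must not match.
SAMPLE_EVENTS = [
    f'<Event xmlns="{EVT_NS}"><System><EventID>4624</EventID>'
    '<TimeCreated SystemTime="2024-03-01T09:40:02.000Z"/><Computer>WS01.corp.example</Computer></System>'
    '<EventData><Data Name="TargetUserName">svc-backup</Data><Data Name="TargetDomainName">CORP</Data>'
    '<Data Name="TargetLogonId">0x1a2b</Data><Data Name="LogonType">5</Data>'
    '<Data Name="IpAddress">-</Data><Data Name="WorkstationName">-</Data></EventData></Event>',

    f'<Event xmlns="{EVT_NS}"><System><EventID>4624</EventID>'
    '<TimeCreated SystemTime="2024-03-01T09:58:10.000Z"/><Computer>WS01.corp.example</Computer></System>'
    '<EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>'
    '<Data Name="TargetLogonId">0x3e7a1</Data><Data Name="LogonType">10</Data>'
    '<Data Name="IpAddress">10.0.0.25</Data><Data Name="WorkstationName">JUMP01</Data></EventData></Event>',

    # Log cleared. The Logon ID is rendered in different hex casing than in the 4624 above.
    f'<Event xmlns="{EVT_NS}"><System><EventID>1102</EventID>'
    '<TimeCreated SystemTime="2024-03-01T10:03:45.000Z"/><Computer>WS01.corp.example</Computer></System>'
    f'<UserData><LogFileCleared xmlns="{LC_NS}"><SubjectUserSid>S-1-5-21-1111-2222-3333-1105</SubjectUserSid>'
    '<SubjectUserName>jdoe</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>'
    '<SubjectLogonId>0x3E7A1</SubjectLogonId></LogFileCleared></UserData></Event>',

    f'<Event xmlns="{EVT_NS}"><System><EventID>4624</EventID>'
    '<TimeCreated SystemTime="2024-03-01T11:00:00.000Z"/><Computer>WS01.corp.example</Computer></System>'
    '<EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>'
    '<Data Name="TargetLogonId">0x4c0ffee</Data><Data Name="LogonType">2</Data>'
    '<Data Name="IpAddress">-</Data><Data Name="WorkstationName">WS01</Data></EventData></Event>',
]


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_event(xml_text):
    """Flatten one event record into a dict keyed by field name."""
    rec = {}
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "TimeCreated":
            rec["Time"] = el.get("SystemTime")
        elif name == "Data" and el.get("Name"):            # EventData/Data Name="..."
            rec[el.get("Name")] = (el.text or "").strip()
        elif len(el) == 0 and el.text and el.text.strip():  # leaf: EventID, Computer, Subject*
            rec[name] = el.text.strip()
    rec["EventID"] = int(rec.get("EventID", 0))
    return rec


def _norm_logon_id(value):
    """Logon IDs are hex strings whose casing varies by provider; compare as integers."""
    try:
        return int(value, 16) if value else None
    except ValueError:
        return None


def find_log_clears(records):
    """Events that record the Security log being cleared."""
    return [r for r in records if r["EventID"] in LOG_CLEARED_IDS]


def correlate_logon(clear, records):
    """The most recent 4624 before the clear that carries the same Logon ID."""
    target = _norm_logon_id(clear.get("SubjectLogonId"))
    candidates = [r for r in records
                  if r["EventID"] == 4624
                  and _norm_logon_id(r.get("TargetLogonId")) == target
                  and r["Time"] <= clear["Time"]]
    return max(candidates, key=lambda r: r["Time"]) if candidates else None


def investigate(xml_events):
    """One finding per log-cleared event, enriched with the session's logon (None if not collected)."""
    records = [parse_event(x) for x in xml_events]
    return [{
        "time": clear["Time"],
        "host": clear.get("Computer"),
        "event_id": clear["EventID"],
        "user": f'{clear.get("SubjectDomainName")}\\{clear.get("SubjectUserName")}',
        "logon_id": clear.get("SubjectLogonId"),
        "logon": correlate_logon(clear, records),
    } for clear in find_log_clears(records)]


if __name__ == "__main__":
    for f in investigate(SAMPLE_EVENTS):
        lg = f["logon"] or {}
        print(f"{f['time']} {f['host']} event {f['event_id']}: log cleared by {f['user']} "
              f"(LogonId {f['logon_id']}); session opened {lg.get('Time')} "
              f"type {lg.get('LogonType')} from {lg.get('IpAddress')}/{lg.get('WorkstationName')}")
```

Joining on the Logon ID rather than the user name is what makes the result useful: the same account may have several sessions on the host (the 11:00 logon above is ignored), and the matched 4624 carries the logon type, source address and workstation that tell you whether the clear came from an interactive console, an RDP session or a remote service. A missing match means the 4624 lies outside the collected window, which is itself worth noting when the cleared log was the only copy.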