[KL] P002 "Windows Event Log was cleared"

May 15, 2024

ID 271611

By default, this playbook operates in the Manual operation mode. We do not recommend switching this playbook to the Auto or the Training operation mode.

Before using the playbook, you must do the following in KUMA:

The [KL] P002 "Windows Event Log was cleared" predefined playbook allows you to prevent an attacker from clearing the Windows Event Log, because the log contains sufficient telemetry for an investigation of the attacker's malicious activity.

The incident that triggers the playbook contains one or several alerts created according to the "Windows Event Log was cleared" correlation rule. This rule detects Windows logs being cleared or deleted by means of the wevtutil utility, the user interface, or PowerShell commands. To enable the creation of the incident, you have to configure segmentation rules.

The Trigger section of the playbook contains the following expression:

[.Alerts[] | .OriginalEvents[] | .ExternalID == "R050"] | any

During execution, this playbook launches the Responding through Active Directory response action, and then blocks the account of the attacker.

If an error occurs during the execution of the response action, the playbook is terminated.

If one or several alerts in the incident are generated by another correlation rule, the playbook does not apply to those alerts.

The Algorithm section of the playbook contains the following sequence of response actions:

{
  "dslSpecVersion": "1.0.0",
  "version": "1",
  "responseActionsSpecVersion": "1",
  "executionFlow": [
    {
      "responseAction": {
        "function": {
          "type": "blockLDAPAccount",
          "assets": "${[ incident.Alerts[] | select(.OriginalEvents[] | .ExternalID == \"R050\") | .Assets[] | select(.Type == \"user\" and .IsAttacker) | .ID]}"
        },
        "onError": "stop"
      }
    }
  ]
}
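To show how the Trigger expression and the "assets" selector in the Algorithm section behave on a real incident, here is an added example (not part of the Kaspersky documentation or the KUMA product) that re-implements both jq filters in plain Python and runs them over a constructed incident. The incident JSON, the asset IDs and the second rule ID "R999" are made up for illustration; the only value taken from the page is the rule ID "R050". The example makes the documented behaviour visible: the trigger fires as soon as any alert carries an R050 event, and the blocking action collects only user assets flagged as attacker from R050 alerts, so alerts produced by another rule are ignored even if they name an attacker account.

```python
"""Evaluate the [KL] P002 trigger and asset-selection expressions in Python.

Added example: mirrors the jq semantics of the two expressions on the page
(`[.Alerts[] | .OriginalEvents[] | .ExternalID == "R050"] | any` and the
`select(...)` chain in the "assets" field) without calling jq or KUMA.
"""
import json

# ExternalID of the "Windows Event Log was cleared" correlation rule (from the page).
LOG_CLEARED_RULE_ID = "R050"

# Constructed sample incident (not real KUMA output). Alert 1 comes from R050,
# alert 2 from a hypothetical unrelated rule "R999" that also names an attacker.
SAMPLE_INCIDENT = json.loads("""
{
  "Alerts": [
    {
      "OriginalEvents": [{"ExternalID": "R050"}],
      "Assets": [
        {"ID": "user-alice",  "Type": "user", "IsAttacker": true},
        {"ID": "user-bob",    "Type": "user", "IsAttacker": false},
        {"ID": "host-dc01",   "Type": "host", "IsAttacker": true}
      ]
    },
    {
      "OriginalEvents": [{"ExternalID": "R999"}],
      "Assets": [
        {"ID": "user-mallory", "Type": "user", "IsAttacker": true}
      ]
    }
  ]
}
""")

# Constructed incident with no R050 alert at all: the playbook must not trigger.
NO_MATCH_INCIDENT = json.loads("""
{
  "Alerts": [
    {
      "OriginalEvents": [{"ExternalID": "R999"}],
      "Assets": [{"ID": "user-mallory", "Type": "user", "IsAttacker": true}]
    }
  ]
}
""")


def trigger_fires(incident: dict) -> bool:
    """Trigger: [.Alerts[] | .OriginalEvents[] | .ExternalID == "R050"] | any

    jq's `any` on an empty array is false, which Python's any() matches.
    """
    return any(
        event.get("ExternalID") == LOG_CLEARED_RULE_ID
        for alert in incident.get("Alerts", [])
        for event in alert.get("OriginalEvents", [])
    )


def attacker_user_assets(incident: dict) -> list:
    """Assets: incident.Alerts[] | select(.OriginalEvents[] | .ExternalID == "R050")
               | .Assets[] | select(.Type == "user" and .IsAttacker) | .ID

    jq's select(f) emits its input once for every truthy output of f, so an
    alert carrying several R050 events is visited once per such event. That
    behaviour is mirrored here rather than deduplicated.
    """
    ids = []
    for alert in incident.get("Alerts", []):
        matching_events = sum(
            1 for event in alert.get("OriginalEvents", [])
            if event.get("ExternalID") == LOG_CLEARED_RULE_ID
        )
        for _ in range(matching_events):
            for asset in alert.get("Assets", []):
                # Only user-type assets marked as the attacker are blocked.
                if asset.get("Type") == "user" and asset.get("IsAttacker"):
                    ids.append(asset["ID"])
    return ids


if __name__ == "__main__":
    for name, incident in (("sample", SAMPLE_INCIDENT), ("no-match", NO_MATCH_INCIDENT)):
        print(f"{name}: trigger={trigger_fires(incident)} "
              f"block={attacker_user_assets(incident)}")
```

Running the script prints that the sample incident triggers and would block only "user-alice": "user-bob" is not flagged as attacker, "host-dc01" is not a user, and "user-mallory" sits in an alert from a different rule, which the page says the playbook does not apply to. The second incident neither triggers nor yields any account to block.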
