
DET0187 Detect disabled Windows event logging

ID: DET0187
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1562.002 (Disable Windows Event Logging)

Analytics

Windows

AN0535

Detects attempts to disable or tamper with Windows Event Logging: stopping or disabling the EventLog service, modifying registry keys that control EventLog and the ETW Autologger sessions, running auditpol or wevtutil to disable audit categories, clear audit policy or clear logs, and suspicious gaps or resets in the event record sequence. The observable signals are registry changes, service state changes, process creation of the disabling commands, and anomalies in event record numbering; correlating more than one of these on the same host inside a short window is what separates tampering from routine administration.

Log Sources

Data Component | Name | Channel
Service Metadata (DC0041) | WinEventLog:System | EventCode=7035
Application Log Content (DC0038) | WinEventLog:Security | EventCode=1102
Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1

Mutable Elements

Field | Description
AuthorizedAdminAccounts | List of accounts authorized to legitimately modify audit policies or disable services.
TimeWindow | Correlation window between registry modification, service stop, and audit policy commands.
ServiceNames | Customizable set of monitored services such as EventLog, Sysmon, or custom loggers.
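The following is an added worked example of the AN0535 correlation logic, not code from MITRE or the ATT&CK project. It takes the four log sources above as normalized event dicts, tags each one with an indicator, clusters indicators per host inside TimeWindow, down-ranks clusters produced entirely by AuthorizedAdminAccounts, and separately flags a channel whose EventRecordID goes backwards (a cleared or reset log). The field names (ServiceName, Control, TargetObject, CommandLine, EventRecordID), the registry prefixes, the command-line patterns and the sample records are assumptions constructed for the example rather than captured telemetry.

```python
"""Correlate Windows telemetry for signs of event-logging tampering (T1562.002).

Added example for DET0187 / AN0535, not MITRE's own code. Events are normalized
dicts; field names and the sample records are constructed assumptions.
"""
import re
from datetime import datetime, timedelta
from itertools import groupby

# Mutable elements from the analytic: tune per environment
AUTHORIZED_ADMIN_ACCOUNTS = {r"CORP\svc-logmgmt"}   # constructed sample account
TIME_WINDOW = timedelta(minutes=5)
SERVICE_NAMES = {"EventLog", "Sysmon", "Sysmon64"}

# Registry locations that govern the EventLog service and ETW Autologger sessions
REGISTRY_WATCH = (
    r"HKLM\System\CurrentControlSet\Services\EventLog",
    r"HKLM\System\CurrentControlSet\Control\WMI\Autologger",
)

# auditpol / wevtutil invocations that clear audit policy or disable/clear a log
DISABLING_CMDS = [
    re.compile(r"auditpol(\.exe)?\s.*(/clear|/remove|/(success|failure):disable)", re.I),
    re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    re.compile(r"wevtutil(\.exe)?\s+(sl|set-log)\s.*/e:false", re.I),
]


def classify(ev):
    """Map one event to an indicator tag, or None when it is not of interest."""
    ch, eid, d = ev["channel"], ev["event_id"], ev["data"]
    if ch == "System" and eid == 7035 and d.get("ServiceName") in SERVICE_NAMES \
            and d.get("Control", "").lower() == "stop":
        return "service_stop"
    if ch == "Security" and eid == 1102:
        return "log_cleared"
    if ch == "Sysmon" and eid in (13, 14):
        target = d.get("TargetObject", "").lower()
        if any(target.startswith(p.lower()) for p in REGISTRY_WATCH):
            return "registry_tamper"
    if ch == "Sysmon" and eid == 1:
        if any(p.search(d.get("CommandLine", "")) for p in DISABLING_CMDS):
            return "audit_disable_cmd"
    return None


def correlate(events):
    """Cluster indicators per host inside TIME_WINDOW and grade each cluster."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag is not None:
            hits.append((ev["host"], ev["time"], tag, ev.get("user", "")))
    hits.sort()  # by host, then time
    alerts = []
    for host, group in groupby(hits, key=lambda h: h[0]):
        group = list(group)
        i = 0
        while i < len(group):
            start = group[i][1]
            cluster = [h for h in group[i:] if h[1] - start <= TIME_WINDOW]
            tags = {h[2] for h in cluster}
            users = {h[3] for h in cluster}
            # Two or more distinct indicator types in one window is the strong
            # signal; activity entirely from authorized admins is kept but down-ranked
            severity = "high" if len(tags) >= 2 else "medium"
            if users and users <= AUTHORIZED_ADMIN_ACCOUNTS:
                severity = "low"
            alerts.append({"host": host, "start": start, "indicators": sorted(tags),
                           "users": sorted(users), "severity": severity})
            i += len(cluster)
    return alerts


def record_id_resets(events):
    """Report channels whose EventRecordID goes backwards in time order."""
    last, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        rid = ev["data"].get("EventRecordID")
        if rid is None:
            continue
        key = (ev["host"], ev["channel"])
        if key in last and rid < last[key]:
            findings.append((ev["host"], ev["channel"], last[key], rid))
        last[key] = rid
    return findings


def _ev(host, t, channel, eid, user, **data):
    return {"host": host, "time": datetime.fromisoformat(t), "channel": channel,
            "event_id": eid, "user": user, "data": data}


SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    _ev("WS01", "2025-10-21T09:59:00", "Security", 4624, r"CORP\jdoe", EventRecordID=50000),
    _ev("WS01", "2025-10-21T10:00:00", "Sysmon", 13, r"CORP\jdoe",
        TargetObject=r"HKLM\System\CurrentControlSet\Services\EventLog\Start"),
    _ev("WS01", "2025-10-21T10:00:30", "Sysmon", 1, r"CORP\jdoe",
        Image=r"C:\Windows\System32\auditpol.exe", CommandLine="auditpol.exe /clear /y"),
    _ev("WS01", "2025-10-21T10:01:00", "System", 7035, r"CORP\jdoe",
        ServiceName="EventLog", Control="stop"),
    _ev("WS01", "2025-10-21T10:01:30", "Security", 1102, r"CORP\jdoe", EventRecordID=1),
    _ev("WS02", "2025-10-21T11:00:00", "Sysmon", 1, r"CORP\svc-logmgmt",
        Image=r"C:\Windows\System32\wevtutil.exe", CommandLine="wevtutil.exe cl Application"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
    for host, chan, before, after in record_id_resets(SAMPLE_EVENTS):
        print(f"{host}/{chan}: EventRecordID fell from {before} to {after}")
```

On the sample data WS01 yields one high-severity cluster carrying all four indicator types, WS02 yields a single low-severity hit because the only actor is an authorized account, and the Security channel on WS01 is reported for a record-ID drop from 50000 to 1 that coincides with the 1102 event. Each indicator on its own is noisy (administrators do run wevtutil and restart services); the value is in the per-host window and the record-sequence check, which fires even when the tampering command itself was never logged.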