🔍 Solved a SOC puzzle that had us on high alert!
Last week, I investigated an incident where critical logs were disabled and deleted, raising red flags in the SOC. Using Splunk and targeted SPL queries, I zeroed in on Event IDs (like 1102 for log clearing and 7045 for service changes) to determine ...
ashishtalks.hashnode.dev
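The correlation described in the post, as an added example that is not the author's SPL or code: it parses constructed Windows event lines and pairs a 1102 (audit log cleared) with a 7045 (new service installed) on the same host inside a short window, and separately lists log clears with no nearby service change, since a cleared log is a finding on its own. Field names and sample values are assumptions for the demo.

```python
# Added example: correlate Windows Security 1102 (audit log cleared) with
# System 7045 (new service installed) per host within a time window.
# Sample events are constructed for this demo, not real incident data.
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_EVENTS = [
    "2024-05-01T10:02:11 host=WS-01 EventCode=7045 ServiceName=UpdaterSvc",
    "2024-05-01T10:03:40 host=WS-01 EventCode=1102 SubjectUserName=jdoe",
    "2024-05-01T11:30:00 host=WS-02 EventCode=1102 SubjectUserName=admin",
    "2024-05-01T09:00:00 host=WS-03 EventCode=7045 ServiceName=Spooler",
]


def parse_event(line: str) -> Dict[str, object]:
    """Turn 'timestamp key=value ...' into a dict; ts becomes a datetime."""
    ts, *pairs = line.split()
    event: Dict[str, object] = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def correlate(lines: List[str], window_minutes: int = 10) -> Dict[str, list]:
    """Return correlated 1102/7045 pairs and 1102 events with no nearby 7045."""
    by_host: Dict[str, List[Dict[str, object]]] = {}
    for event in (parse_event(l) for l in lines):
        by_host.setdefault(str(event["host"]), []).append(event)

    window = timedelta(minutes=window_minutes)
    correlated, lone_clears = [], []
    for host, events in by_host.items():
        clears = [e for e in events if e["EventCode"] == "1102"]
        services = [e for e in events if e["EventCode"] == "7045"]
        for clear in clears:
            matched = False
            for svc in services:
                gap = abs(clear["ts"] - svc["ts"])  # type: ignore[operator]
                if gap <= window:
                    matched = True
                    correlated.append({"host": host,
                                       "cleared_by": clear.get("SubjectUserName"),
                                       "service": svc.get("ServiceName"),
                                       "gap_s": gap.total_seconds()})
            if not matched:
                lone_clears.append({"host": host,
                                    "cleared_by": clear.get("SubjectUserName")})
    return {"correlated": correlated, "lone_clears": lone_clears}
```

In Splunk the same check is a stats or transaction grouped by host over the two EventCodes with a bound on the time span; the Python version just makes the join logic explicit.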