Event ID 1102 — The audit log was cleared.

Provider: Microsoft-Windows-Eventlog
Channel: Security
Level: Informational
Collection Priority: Recommended (ASD, others)
Task: Logclear

Description

The audit log was cleared.

Message #

The audit log was cleared.
Subject:
	Security ID: %1
	Account Name: %2
	Domain Name: %3
	Logon ID: %4

Fields #

Name	Description
`LogFileCleared.SubjectUserSid`	[Subject] Security ID.
`LogFileCleared.SubjectUserName`	[Subject] Account Name.
`LogFileCleared.SubjectDomainName`	[Subject] Domain Name.
`LogFileCleared.SubjectLogonId`	[Subject] Logon ID.
`LogFileCleared.ClientProcessId`	—
`LogFileCleared.ClientProcessStartKey`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 1102,
    "version": 1,
    "level": 4,
    "task": 104,
    "opcode": 0,
    "keywords": 4620693217682128896,
    "time_created": "2023-10-25T22:53:10.300656+00:00",
    "event_record_id": 2625,
    "correlation": {},
    "execution": {
      "process_id": 1796,
      "thread_id": 2028
    },
    "channel": "Security",
    "computer": "WinDevEval",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "LogFileCleared": {
      "SubjectUserSid": "S-1-5-21-2533829718-189860685-2477588761-500",
      "SubjectUserName": "Administrator",
      "SubjectDomainName": "WINDEVEVAL",
      "SubjectLogonId": "0x42eea",
      "ClientProcessId": 4544,
      "ClientProcessStartKey": 2533274790396090
    }
  },
  "message": ""
}

Detection Patterns #

Defense Evasion: Clear Windows Event Logs

Eventlog Event ID 104: The LogFileCleared.Channel log file was cleared.OREvent ID 1102: The audit log was cleared.

2 rules

Elastic

Windows Event Logs Cleared (source)

Elastic, Anabella Cristaldi

Splunk

Windows Event Log Cleared (source)

Rico Valdez, Michael Haag, Splunk

Defense Evasion: Clear Windows Event Logs

Eventlog Event ID 104: The LogFileCleared.Channel log file was cleared.ANDEvent ID 1102: The audit log was cleared.

2 rules

Elastic

Windows Event Logs Cleared (source)

Elastic, Anabella Cristaldi

Splunk

Windows Event Log Cleared (source)

Rico Valdez, Michael Haag, Splunk

Defense Evasion: Clear Windows Event Logs

Eventlog Event ID 517: The audit log was cleared (legacy Windows 2000/XP/2003 event; superseded by 1102).OREvent ID 1102: The audit log was cleared.

1 rule

Sigma

Security Eventlog Cleared (source)

Florian Roth (Nextron Systems)

Detection Rules #

View all rules referencing this event →

Kusto Query Language # view in reference

Security Event log cleared source medium: 'Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance.'
NRT Security Event log cleared source medium: 'Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance.'

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102
Example event sourced from https://github.com/NextronSystems/evtx-baseline
NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection