Detection rules › Kusto Query Language
NRT Security Event log cleared
'Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance.'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1070 Indicator Removal |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Eventlog | 1102 | The audit log was cleared. |
Stages and Predicates
Stage 1: source
SecurityEvent
Stage 2: where
and
EventID eq "1102"
EventSourceName eq "Microsoft-Windows-Eventlog"
Stage 3: summarize
Stage 4: extend
Stage 5: extend
Stage 6: extend
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventID | eq |
|
EventSourceName | eq |
|