Detection rules › Kusto Query Language

Security Event log cleared

Source: upstream

'Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance.'

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1070` Indicator Removal

Event coverage

Provider	Event ID	Title
Eventlog	1102	The audit log was cleared.

Stages and Predicates

Stage 1: `source`

<union>

Stage 2: `union`

union of 2 branches

Security Event log cleared

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: `source`

Stage 2: `union`

Stage 3: `extend`

Stage 4: `extend`

Keyboard Shortcuts

Security Event log cleared

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: union

Stage 3: extend

Stage 4: extend

Stage 1: `source`

Stage 2: `union`

Stage 3: `extend`

Stage 4: `extend`