Security Eventlog Cleared

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1070.001` Indicator Removal: Clear Windows Event Logs

Event coverage

Provider	Event ID	Title
Eventlog	517	The audit log was cleared (legacy Windows 2000/XP/2003 event; superseded by 1102).
Eventlog	1102	The audit log was cleared.

Stages and Predicates

Stage 1: `1 of selection_517`

Provider_Name: Security

Stage 2: `1 of selection_1102`

Provider_Name: Microsoft-Windows-Eventlog

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Provider_Name`	eq	`Microsoft-Windows-Eventlog` corpus 3 (sigma 3) `Security`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Windows Event Logs Cleared [elastic]
Windows Event Log Cleared [splunk]