From 240c9474b8431665f16d714ff510879624f48cb3 Mon Sep 17 00:00:00 2001
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Fri, 5 Nov 2021 12:23:40 +0900
Subject: [PATCH] Updated 1102 log cleared rule

---
 rules/deep_blue_cli/security/1102.yml | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/rules/deep_blue_cli/security/1102.yml b/rules/deep_blue_cli/security/1102.yml
index 515bee18..94348dd9 100644
--- a/rules/deep_blue_cli/security/1102.yml
+++ b/rules/deep_blue_cli/security/1102.yml
@@ -1,16 +1,13 @@
-title: The Audit log file was cleared
-description: hogehoge
-author: Yea
+title: The audit log file was cleared.
+description: Detects when somebody has cleared an event log.
+author: DeepblueCLI, Zach Mathis
 detection:
     selection:
         Channel: Security
         EventID: 1102
 #   condition: selection
 falsepositives:
-    - unknown
-output: |
-    Audit Log Clear
-    The Audit log was cleared.
-    Security ID: %LogFileCleared%%LogFileClearedSubjectUserName%
+    - System Administrator
+output: "Log Name: %Channel% ; Security ID: %LogFileCleared%%SubjectUserName%"
 creation_date: 2020/11/8
-updated_date: 2020/11/8
+updated_date: 2021/11/5
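Review bot: The new `description` claims the rule fires when "somebody has cleared an event log", but the `selection` it sits above matches only `Channel: Security` with `EventID: 1102`, which is the Security-log clear; clearing of the System or Application log is reported as Event ID 104 in the System channel and is not covered, so the description overstates what this rule detects. I would narrow it to `description: Detects when the Security event log was cleared (Security EventID 1102, a defense-evasion technique; clearing of other logs is EventID 104 and is not matched here).` and, because a Security-log clear is a high-confidence signal that should not be ranked with informational rules, add a severity key such as `level: high` if the rule schema supports one. In the new `output` line the placeholders `%LogFileCleared%%SubjectUserName%` are adjacent with no separator, so if the engine substitutes both they will run together; this is inferred from the template syntax, so verify how `LogFileCleared` is resolved (in a 1102 event it is the UserData node that contains SubjectUserName rather than a value of its own) and consider `Security ID: %SubjectDomainName%\%SubjectUserName%` so the clearing account is attributed unambiguously. The `condition` line remains commented out, which predates this change but means the rule relies on an implicit selection.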