title: Security Event Log Cleared
author: Saw Winn Naung
date: 2021/08/15
description: Checks for event id 1102 which indicates the security event log was cleared.
detection:
  SELECTION_1:
    EventID: 1102
  SELECTION_2:
    Provider_Name: Microsoft-Windows-Eventlog
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate administrative activity
fields:
- SubjectLogonId
- SubjectUserName
- SubjectUserSid
- SubjectDomainName
id: a122ac13-daf8-4175-83a2-72c387be339d
level: medium
logsource:
  product: windows
  service: security
modified: 2021/10/13
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
status: experimental
tags:
- attack.t1107
- attack.t1070.001
ruletype: SIGMA