Windows audit log cleared

Goal

Detect when a user clears Windows Security logs.

Strategy

Monitoring of Windows event logs where @evt.id is 1102.

Triage and response

Verify if {{@Event.UserData.LogFileCleared.SubjectUserName}} has a legitimate reason to clear the security event logs on {{host}}.

Changelog

27 October 2022 - Updated tags.