For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/52l-d2d-n78.md. A documentation index is available at /llms.txt.

Windows audit log cleared

windows

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1070-indicator-removal

Goal

Detect when a user clears Windows Security logs.

Strategy

Monitoring of Windows event logs where @evt.id is 1102.

Triage and response

Verify if {{@Event.UserData.LogFileCleared.SubjectUserName}} has a legitimate reason to clear the security event logs on {{host}}.

Changelog

27 October 2022 - Updated tags.