The audit log was cleared
The audit log was cleared. Indicates that the Windows Security Event Log was wiped clean.
Event ID 1102 is recorded whenever the Windows Security Event Log is manually or programmatically cleared (`wevtutil cl Security` or `Clear-EventLog`). Windows writes this final event indicating which user (`SubjectUserName`) executed the clearing operation. This is a primary indicator of anti-forensics activity.
Failure Reason / Root Cause:
Legitimate IT maintenance during re-baselining, or malicious anti-forensics defense evasion by an adversary covering tracks.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>1102</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.850Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to The audit log was cleared -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1070.001 | Indicator Removal: Clear Windows Event Logs | Defense Evasion |
Recommended actions
- Treat Event ID 1102 as a P1/Critical security incident unless pre-scheduled within authorized maintenance windows.
- Inspect SIEM forwarder logs prior to the timestamp of Event 1102 to uncover what activity preceded the log wipe.
- Restrict permissions to clear security event logs exclusively to dedicated monitoring infrastructure accounts.