1102

The audit log was cleared

The audit log was cleared. Indicates that the Windows Security Event Log was wiped clean.

Event ID 1102 is recorded whenever the Windows Security Event Log is manually or programmatically cleared (`wevtutil cl Security` or `Clear-EventLog`). Windows writes this final event indicating which user (`SubjectUserName`) executed the clearing operation. This is a primary indicator of anti-forensics activity.

Failure Reason / Root Cause:

Legitimate IT maintenance during re-baselining, or malicious anti-forensics defense evasion by an adversary covering tracks.

CategoryEvent Log
Audit typeSuccess Audit
SeverityCritical
Applies toWindows Server 2016, 2019, 2022 / Windows 10, 11
Keywordsaudit log cleared, log wiped, anti-forensics, wevtutil, Clear-EventLog, defense evasion
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>1102</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-07-17T09:54:44.850Z" />
    <EventRecordID>1048576</EventRecordID>
    <Correlation />
    <Execution ProcessID="612" ThreadID="1024" />
    <Channel>Security</Channel>
    <Computer>DC01.enterprise.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <!-- Event telemetry fields specific to The audit log was cleared -->
  </EventData>
</Event>

MITRE ATT&CK mapping

IDTechniqueTactic
T1070.001Indicator Removal: Clear Windows Event LogsDefense Evasion

Recommended actions

Related events