EventPeeker
Event ID 1102 · Audit Success · Security · T1070.001

Windows Event ID 1102: Audit Log Cleared

Logged by the Microsoft-Windows-Eventlog provider when the Security event log is cleared. It is written into the freshly cleared Security log as its first record, so a log that has just been wiped contains exactly this event. It is one of the clearest signs of an attacker covering their tracks.

MITRE ATT&CK

Technique

T1070.001 · Clear Windows Event Logs

Tactic

Defense Evasion

View on attack.mitre.org: https://attack.mitre.org/techniques/T1070/001/

Why It Matters

Legitimate clearing of the Security log is extremely rare and almost never done in production without prior archiving. Attackers clear logs to erase evidence of their actions. Clearing the log cannot hide the clear itself: every clear writes a new 1102 as the first record of the emptied log, and clearing again simply produces another 1102, so the event is a reliable indicator whenever it appears. Two caveats: 1102 covers only the Security log (clearing the System, Application or other logs produces Event ID 104 in the System log instead), and it records only clears made through the Event Log API. An attacker who stops the EventLog service, deletes or truncates the .evtx files on disk, or tampers with the service in memory leaves no 1102, so its absence is not evidence that the log is intact.

Key Fields

Subject Account Name: the account that cleared the log; it should be a known admin with a documented reason
Subject Logon ID: links to the logon session that performed the clear (match it against the Target Logon ID of a 4624 and the Subject Logon ID of surrounding 4688 events)

In the event XML these fields sit under UserData/LogFileCleared rather than under EventData, so a parser that only reads EventData will show an empty subject for 1102.

Investigation Tips

  1. Treat any unexpected 1102 as a critical incident: whatever the Security log held before the clear is gone from the host, so the clear marks the start of a gap, not just a single suspicious event.
  2. Reconstruct what happened just before the clear from sources the clear did not touch: a forwarded copy of the Security log (Windows Event Forwarding or your SIEM), Sysmon (Event ID 1 in Microsoft-Windows-Sysmon/Operational), PowerShell logs (Event ID 4104 script block logging for Clear-EventLog), and network logs.
  3. Look for wevtutil.exe (typically `wevtutil cl Security`) or Clear-EventLog in process creation events (4688) shortly before the 1102. Note that a 4688 written to the Security log on the host was itself erased by the clear, so you will only find it in a forwarded copy, and the command line is only present if "Include command line in process creation events" is enabled in audit policy.
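The correlation described in the tips above, as an added example that is not part of the EventPeeker page or product: it takes event records in the XML that `wevtutil qe Security /f:xml` or Get-WinEvent's `.ToXml()` emits (for instance from a forwarded copy of the log), joins each 1102 to the 4624 logon of its Subject Logon ID, and lists the 4688 events in the preceding window whose process or command line clears a log. The three sample records, host name, account and logon ID are constructed for the example; the 4624/4688 field names and the UserData/LogFileCleared layout of 1102 are the real event schemas.

```python
"""Added example (not EventPeeker code): correlate Security Event ID 1102 with
the 4624 logon of the clearing session and with 4688 process-creation events
that ran a log-clearing command shortly before the clear."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "e": "http://schemas.microsoft.com/win/2004/08/events/event",
    # 1102 keeps its Subject under UserData/LogFileCleared in this namespace,
    # not under EventData like 4624/4688, so EventData-only parsers miss it.
    "l": "http://manifests.microsoft.com/win/2004/08/windows/eventlog",
}

# Process names / command lines that clear a Windows event log.
CLEAR_RE = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog\b", re.I)


def parse_time(s):
    # SystemTime carries 7 fractional digits (…:41.1234567Z); strptime takes at most 6.
    m = re.match(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z?$", s)
    t = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return t.replace(microsecond=int((m.group(2) or "0")[:6].ljust(6, "0")), tzinfo=timezone.utc)


def parse_event(xml_text):
    """Flatten one <Event> into a dict: System fields plus EventData/UserData values."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {
        "id": int(system.find("e:EventID", NS).text),
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.find("e:Computer", NS).text,
    }
    for d in root.findall("e:EventData/e:Data", NS):       # 4624, 4688, ...
        ev[d.get("Name")] = d.text or ""
    cleared = root.find("e:UserData/l:LogFileCleared", NS)  # 1102 only
    if cleared is not None:
        for child in cleared:
            ev[child.tag.rsplit("}", 1)[-1]] = child.text or ""
    return ev


def logon_id(value):
    """Logon IDs render as hex and case varies ('0x5f2a1' vs '0x5F2A1'); compare numerically."""
    return int(value, 16) if value else None


def triage(events, window=timedelta(minutes=15)):
    """One finding per 1102: who cleared the log, from where, and with what command."""
    findings = []
    for clr in (e for e in events if e["id"] == 1102):
        lid = logon_id(clr.get("SubjectLogonId"))
        logon = next((e for e in events if e["id"] == 4624
                      and logon_id(e.get("TargetLogonId")) == lid), None)
        # Match 4688 by time and command only; an elevated (UAC) process may carry a
        # different logon ID than the 4624, so do not require the IDs to agree.
        procs = [e for e in events if e["id"] == 4688
                 and clr["time"] - window <= e["time"] <= clr["time"]
                 and CLEAR_RE.search(e.get("NewProcessName", "") + " " + e.get("CommandLine", ""))]
        findings.append({
            "cleared_at": clr["time"],
            "host": clr["computer"],
            "account": clr.get("SubjectDomainName", "") + "\\" + clr.get("SubjectUserName", ""),
            "logon_type": logon.get("LogonType") if logon else None,
            "source_ip": logon.get("IpAddress") if logon else None,
            "clearing_commands": [p.get("CommandLine") or p.get("NewProcessName") for p in procs],
        })
    return findings


# Constructed sample records (trimmed to the fields the correlation reads): an RDP
# logon, a benign process, the wevtutil clear, then the 1102 it produced.
_E = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
SAMPLE_XML = [
    _E + '<EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T10:12:03.5012345Z"/>'
    '<Computer>FS01.corp.example</Computer></System><EventData>'
    '<Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>'
    '<Data Name="TargetLogonId">0x5F2A1</Data><Data Name="LogonType">10</Data>'
    '<Data Name="IpAddress">10.0.0.5</Data></EventData></Event>',
    _E + '<EventID>4688</EventID><TimeCreated SystemTime="2024-05-01T10:19:00.0000000Z"/>'
    '<Computer>FS01.corp.example</Computer></System><EventData>'
    '<Data Name="SubjectLogonId">0x5f2a1</Data><Data Name="NewProcessName">C:\\Windows\\System32\\notepad.exe</Data>'
    '<Data Name="CommandLine">notepad.exe C:\\tmp\\notes.txt</Data></EventData></Event>',
    _E + '<EventID>4688</EventID><TimeCreated SystemTime="2024-05-01T10:20:39.2500000Z"/>'
    '<Computer>FS01.corp.example</Computer></System><EventData>'
    '<Data Name="SubjectLogonId">0x5f2a1</Data><Data Name="NewProcessName">C:\\Windows\\System32\\wevtutil.exe</Data>'
    '<Data Name="CommandLine">wevtutil.exe cl Security</Data></EventData></Event>',
    _E + '<EventID>1102</EventID><TimeCreated SystemTime="2024-05-01T10:20:41.0000000Z"/>'
    '<Computer>FS01.corp.example</Computer></System><UserData>'
    '<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">'
    '<SubjectUserSid>S-1-5-21-1111-2222-3333-1105</SubjectUserSid><SubjectUserName>jdoe</SubjectUserName>'
    '<SubjectDomainName>CORP</SubjectDomainName><SubjectLogonId>0x5f2a1</SubjectLogonId>'
    '</LogFileCleared></UserData></Event>',
]


def run_sample():
    return triage([parse_event(x) for x in SAMPLE_XML])


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Feed it real records by exporting them from a collector with `wevtutil qe Security /q:"*[System[(EventID=1102 or EventID=4624 or EventID=4688)]]" /f:xml` and splitting on `</Event>`; run it against the forwarded copy rather than the host, since the 4688 and 4624 that precede the clear no longer exist on the host itself.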

Related Event IDs

4688: Process creation; look for wevtutil.exe or Clear-EventLog shortly before the clear
4624: Logon whose Target Logon ID matches the Subject Logon ID of the 1102
104: The equivalent event, written to the System log, when a log other than Security is cleared
4104: PowerShell script block logging, which captures a Clear-EventLog call even when 4688 has no command line

Full Detection Guide Available

This event ID has a full detection guide with investigation steps, remediation advice, and example log entries.

View full guide for Event ID 1102

See Event ID 1102 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects audit log cleared patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.
