Windows Event ID 1102: The audit log was cleared
Windows Security Event ID 1102 records clearing of the Windows Security audit log and is a high-confidence defense-evasion signal.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
The event is generated when a user or process clears the Security log. It can be logged immediately before older records are removed.
Key Fields
Subject
The identity associated with the log clear. A local SYSTEM context still requires correlation to the initiating process or administrator.
Logon ID
The session identifier used to join the event to 4624 and 4688 activity.
Computer
The host whose Security log was cleared. Domain controllers and critical servers have heightened impact.
Common False Positives
- Authorized maintenance or log-retention workflows may clear logs, although this is uncommon for Security logs.
- Lab rebuilds and forensic test procedures can generate intentional clears.
Related Events
MITRE ATT&CK Mapping
- T1070.001Indicator Removal: Clear Windows Event Logs
Detection Notes
T1070.001 is high confidence when Event ID 1102 follows wevtutil.exe cl Security or Clear-EventLog in 4688 under the same Subject Logon ID. Security log clearing has no universal volume threshold: one unexpected clear on a domain controller or server is an incident. Use a local correlation window=60 minutes before the clear to review process creation, logon, and audit-policy changes, and preserve forwarded copies because the local retention window is destroyed.
SecurityEvent
| where EventID == 1102
| project TimeGenerated, Computer, Account, SubjectLogonId
| order by TimeGenerated descindex=wineventlog EventCode=1102
| table _time, host, SubjectUserName, SubjectLogonIdSubject: Account Name: CORP\admin.ops
Logon ID: 0x8e2c
Computer: DC01