SOC Event Lookup
Event ID 1102AuditLogP1

Windows Event ID 1102: The audit log was cleared

Windows Security Event ID 1102 records clearing of the Windows Security audit log and is a high-confidence defense-evasion signal.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

The event is generated when a user or process clears the Security log. It can be logged immediately before older records are removed.

Key Fields

Subject

The identity associated with the log clear. A local SYSTEM context still requires correlation to the initiating process or administrator.

Logon ID

The session identifier used to join the event to 4624 and 4688 activity.

Computer

The host whose Security log was cleared. Domain controllers and critical servers have heightened impact.

Common False Positives

  • Authorized maintenance or log-retention workflows may clear logs, although this is uncommon for Security logs.
  • Lab rebuilds and forensic test procedures can generate intentional clears.

Related Events

MITRE ATT&CK Mapping

  • T1070.001Indicator Removal: Clear Windows Event Logs

Detection Notes

T1070.001 is high confidence when Event ID 1102 follows wevtutil.exe cl Security or Clear-EventLog in 4688 under the same Subject Logon ID. Security log clearing has no universal volume threshold: one unexpected clear on a domain controller or server is an incident. Use a local correlation window=60 minutes before the clear to review process creation, logon, and audit-policy changes, and preserve forwarded copies because the local retention window is destroyed.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 1102
| project TimeGenerated, Computer, Account, SubjectLogonId
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=1102
| table _time, host, SubjectUserName, SubjectLogonId
Sample Log
Subject: Account Name: CORP\admin.ops
Logon ID: 0x8e2c
Computer: DC01

Source