Windows Event ID 1102 — Audit Log Cleared
Logged when the Security event log is cleared. This is one of the clearest signs of an attacker covering their tracks.
MITRE ATT&CK
T1070.001 · Clear Windows Event Logs
Defense Evasion
Why It Matters
Clearing the Security log is rare in legitimate operations and is almost never done in production without archiving the log first. Attackers clear it to erase the record of what they did (logons, process creations, privilege use). The clear itself cannot be hidden the same way: Windows writes Event ID 1102 as the first record of the freshly emptied log, so clearing again only produces another 1102. That is what makes it a reliable indicator. Note that 1102 covers the Security log only; clearing the System or Application log is recorded as Event ID 104 in the System log.
Key Fields
Investigation Tips
1. Treat any unexpected 1102 as a critical incident. Everything recorded in the local Security log before the clear is gone, so switch to forwarded or archived copies (WEF collector, SIEM, backups) for the history.
2. Reconstruct what happened just before the clear from sources the clear did not touch: Sysmon, PowerShell script block and module logs, network logs, and any forwarded Security events.
3. Look for wevtutil.exe (for example `wevtutil cl Security`) or the Clear-EventLog cmdlet in process creation logs near the same time: Security 4688 (with command-line auditing enabled) or Sysmon Event ID 1. On the cleared host the 4688 entries that preceded the clear were wiped with it, so check a forwarded copy or the Sysmon channel.
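The three steps above, as an added PowerShell example that is not EventPeeker's code or a Microsoft script: it pulls every 1102 from a live Security log or an exported .evtx, prints who cleared it (the subject fields 1102 carries under UserData/LogFileCleared), then hunts for wevtutil / Clear-EventLog in a process-creation source the clear did not wipe. The parameter names, the default Sysmon channel and the 30-minute window are choices made for this example; it assumes an elevated session and, for 4688, that command-line auditing is enabled.

```powershell
# Added example (not EventPeeker's or Microsoft's code): triage Event ID 1102 and find the clearing process.
# Assumptions: run elevated; -SecurityLog is a channel name or a path to an exported .evtx;
# -ProcessLog/-ProcessEventId default to Sysmon ProcessCreate (use 4688 against a forwarded Security copy).
param(
    [string]$SecurityLog    = 'Security',
    [string]$ProcessLog     = 'Microsoft-Windows-Sysmon/Operational',
    [int]   $ProcessEventId = 1,
    [int]   $WindowMinutes  = 30
)

function Get-LogFilter([string]$Log, [int]$Id) {
    # Get-WinEvent wants Path= for an .evtx file and LogName= for a live channel.
    if (Test-Path -LiteralPath $Log -PathType Leaf) { @{ Path = $Log; Id = $Id } }
    else                                             { @{ LogName = $Log; Id = $Id } }
}

function Get-DataField($Event, [string]$Name) {
    # Sysmon 1 and Security 4688 carry their fields as <Data Name="..."> elements under EventData.
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# The clearing tools named on this page; 'cl' is the short form of wevtutil clear-log.
$clearPattern = 'wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog'

$cleared = Get-WinEvent -FilterHashtable (Get-LogFilter $SecurityLog 1102) -ErrorAction SilentlyContinue
if (-not $cleared) { Write-Host "No Event ID 1102 found in $SecurityLog"; return }

foreach ($evt in $cleared) {
    # Who cleared the log and when. Unlike most Security events, 1102 stores its subject
    # under UserData/LogFileCleared rather than EventData.
    $s = ([xml]$evt.ToXml()).Event.UserData.LogFileCleared
    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        Computer    = $evt.MachineName
        RecordId    = $evt.RecordId           # a fresh clear leaves 1102 as the first record in the log
        Subject     = "$($s.SubjectDomainName)\$($s.SubjectUserName)"
        SubjectSid  = $s.SubjectUserSid
        LogonId     = $s.SubjectLogonId       # match against 4624 in a forwarded copy to find the session
    } | Format-List

    # The 4688 records that preceded the clear went with it, so look in a channel the clear
    # did not touch (Sysmon by default) or in a forwarded/archived Security copy.
    $filter = Get-LogFilter $ProcessLog $ProcessEventId
    $filter.StartTime = $evt.TimeCreated.AddMinutes(-$WindowMinutes)
    $filter.EndTime   = $evt.TimeCreated.AddMinutes(1)

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd = Get-DataField $_ 'CommandLine'
        if ($cmd -match $clearPattern) {
            $image = Get-DataField $_ 'Image'                                   # Sysmon field name
            if (-not $image) { $image = Get-DataField $_ 'NewProcessName' }    # 4688 field name
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Image       = $image
                User        = (Get-DataField $_ 'User'), (Get-DataField $_ 'SubjectUserName') -ne $null | Select-Object -First 1
                CommandLine = $cmd
            }
        }
    } | Format-Table -AutoSize -Wrap
}
```

Run it as `.\Find-LogClear.ps1` on the host, or `.\Find-LogClear.ps1 -SecurityLog C:\cases\host1-Security.evtx -ProcessLog C:\cases\host1-Sysmon.evtx` against exported files. If the Sysmon channel has no hits, that channel may have been cleared too (look for Event ID 104 in the System log) or the attacker used an API call rather than a command line, so the absence of a match is not proof that no clearing tool ran.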
Seeing Event ID 1102 in your own logs? Upload an .evtx file: EventPeeker flags the audit log clear automatically, maps it to MITRE ATT&CK, and writes the triage report. No account needed; files are auto-deleted.
Go deeper: the full Event ID 1102 — Security Audit Log Cleared guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.