Data Source: Windows Event Log Security 1102

Logged when the Security audit log is cleared. The `LogFileCleared` block of the event (SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId) records the account that cleared it.

| Property   | Value                   |
|------------|-------------------------|
| Source     | XmlWinEventLog:Security |
| Sourcetype | xmlwineventlog          |
| Separator  | EventCode               |
Fields

- _time
- Caller_User_Name
- Channel
- Computer
- Error_Code
- EventCode
- EventID
- EventRecordID
- Guid
- Keywords
- Level
- LogFileCleared_Xml
- Name
- Opcode
- ProcessID
- RecordNumber
- SubjectDomainName
- SubjectLogonId
- SubjectUserName
- SubjectUserSid
- SystemTime
- System_Props_Xml
- Task
- ThreadID
- UserData_Xml
- Version
- action
- app
- change_type
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- dvc_nt_host
- event_id
- eventtype
- host
- id
- index
- linecount
- name
- object_attrs
- object_category
- product
- punct
- signature
- signature_id
- source
- sourcetype
- splunk_server
- src_user
- status
- subject
- ta_windows_action
- tag
- tag::eventtype
- timeendpos
- timestartpos
- vendor
- vendor_product
...
not set
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Eventlog' Guid='{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'/><EventID>1102</EventID><Version>0</Version><Level>4</Level><Task>104</Task><Opcode>0</Opcode><Keywords>0x4020000000000000</Keywords><TimeCreated SystemTime='2024-03-05T09:18:29.313328400Z'/><EventRecordID>1826166</EventRecordID><Correlation/><Execution ProcessID='412' ThreadID='1072'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><UserData><LogFileCleared xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'><SubjectUserSid>ATTACKRANGE\Administrator</SubjectUserSid><SubjectUserName>Administrator</SubjectUserName><SubjectDomainName>ATTACKRANGE</SubjectDomainName><SubjectLogonId>0x34a3a27</SubjectLogonId></LogFileCleared></UserData></Event>

Source: GitHub | Version: 2