Query Details

Event Log Was Cleared

Query

Use Case: Retrieve events with ID 1102 ("The audit log was cleared") from the Windows Security event log over the past 7 days. Clearing the Security log is a common anti-forensics step (MITRE ATT&CK T1070.001, Indicator Removal: Clear Windows Event Logs), so this event is a high-signal hunting lead.

Query:

WindowsEvent('Security', 7d)
| where tostring(EventId) == '1102'

Explanation

The query reads the Windows Security event log and keeps only events with ID 1102, which the Microsoft-Windows-Eventlog provider writes when the Security log is cleared. The event is logged regardless of audit policy and survives the clear itself (it becomes the first entry in the emptied log), and its Subject fields record the account that performed the clear, which is the first thing to pivot on. The query is limited to events that occurred within the past 7 days. Two caveats: 1102 covers only the Security log, while clearing the System or Application log produces Event ID 104 in the System log instead; and on hosts where the log was cleared and then logging was stopped entirely, the absence of any events after the 1102 is itself the finding.
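The following is an added example, not part of the original query or the author's page. It extends the single-ID check into a hunt that also catches Event ID 104 (System or Application log cleared) and surfaces who cleared which log. It assumes the Microsoft Sentinel WindowsEvent table schema (TimeGenerated, Channel, Provider, EventID, Computer, and a dynamic EventData column carrying the event's SubjectUserName, SubjectDomainName and, for 104, Channel fields); column names and the EventData layout should be verified in your own workspace.

```kql
// Added example: hunt every event-log clear in the lookback window, not only the Security log.
// Assumed schema: Sentinel WindowsEvent table (AMA connector); verify column names locally.
let lookback = 7d;
WindowsEvent
| where TimeGenerated > ago(lookback)
| where Provider == "Microsoft-Windows-Eventlog"
// 1102: Security log cleared (written to the Security channel)
// 104:  System or Application log cleared (written to the System channel)
| where (Channel == "Security" and EventID == 1102)
     or (Channel == "System" and EventID == 104)
// Assumed: EventData is the parsed event payload (LogFileCleared data for both IDs)
| extend ClearedBy       = tostring(EventData.SubjectUserName),
         ClearedByDomain = tostring(EventData.SubjectDomainName),
         // 1102 has no Channel field in its payload; 104 names the log that was cleared
         ClearedLog      = iff(EventID == 1102, "Security", tostring(EventData.Channel))
| project TimeGenerated, Computer, EventID, ClearedLog, ClearedByDomain, ClearedBy
| sort by TimeGenerated desc
```

Event 104 fires during routine administration and log rotation on some hosts, so it is noisier than 1102; keep it in the hunt but triage on ClearedBy and on whether the clear lines up with a known maintenance window.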

Details

Ugur Koc

Released: February 4, 2024

Tables

Security

Keywords

WindowsEvent,Security,EventId

Operators

|, where, tostring, ==
