F055 · MEDIUM · Suspicious · validator: passed
Defense evasion / anti-forensics: event 1102 (audit log cleared) · Microsoft-Windows-Eventlog
Analyst narrative
Deterministic detection: execution of an anti-forensics / log- or evidence-clearing tool. Observed directly in forensic tool output: Event ID 1102 from provider Microsoft-Windows-Eventlog in the Security channel on host windows2012r2 at 2018-03-14 20:48:48.239330+00:00, with an empty Message field. The Eventlog service writes 1102 ("the audit log was cleared") only when the Security log is cleared, so this is a structural behavioural signal, not an LLM assertion; it is surfaced by construction so that a strong signal is never lost to model under-generation. Because the Message field is empty in this record, the account that cleared the log is not recoverable from this fact alone and must be taken from the full 1102 record or from surrounding events.
Claims asserted
• event_log · parse_event_logs
• typed_fact 1102 · parse_event_logs
Proof chain · 1 fact
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
• event log fact 1102 · parse_event_logs
Raw tool output · cc2927a5cafb461d949abc5ce4db641781fef003
{"EventID": 1102, "TimeCreated": "2018-03-14 20:48:48.239330+00:00", "Provider": "Microsoft-Windows-Eventlog", "Channel": "Security", "Computer": "windows2012r2", "Message": ""}
Source tools
parse_event_logs
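The detection rule described in the analyst narrative and the proof-chain link from finding to typed fact to source tool, as an added worked example. This is not the page's own tooling: it assumes parse_event_logs emits one JSON object per event with the keys shown in the raw tool output above, and the sample records, the SHA-1 fact hash and the TypedFact / Finding / finding_trace names are constructed for the example. It also generalises slightly beyond the page by treating Event ID 104 (System log cleared, also emitted by Microsoft-Windows-Eventlog) as the same class of signal, and it matches on provider as well as ID so that an application reusing the number 1102 does not fire the rule.

```python
"""Deterministic detection of Windows event-log clearing over tool output.

Added example, not code from the page's tooling. Assumes parse_event_logs
writes one JSON object per event with the keys EventID, TimeCreated,
Provider, Channel, Computer and Message; the sample events, the SHA-1
fact hash and the type/function names are constructed for this example.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed sample output. The 1102 record mirrors the page; the others
# are fillers: a normal logon, and a 1102 from a non-Eventlog provider that
# must NOT match (only Microsoft-Windows-Eventlog's 1102 means "log cleared").
SAMPLE_TOOL_OUTPUT = "\n".join([
    json.dumps({"EventID": 4624, "TimeCreated": "2018-03-14 20:47:01.000000+00:00",
                "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security",
                "Computer": "windows2012r2", "Message": "An account was successfully logged on."}),
    json.dumps({"EventID": 1102, "TimeCreated": "2018-03-14 20:48:48.239330+00:00",
                "Provider": "Microsoft-Windows-Eventlog", "Channel": "Security",
                "Computer": "windows2012r2", "Message": ""}),
    json.dumps({"EventID": 1102, "TimeCreated": "2018-03-14 20:49:00.000000+00:00",
                "Provider": "SomeVendorApp", "Channel": "Application",
                "Computer": "windows2012r2", "Message": "vendor-specific 1102"}),
])

# IDs that mean a log was cleared when the Eventlog service itself emits them.
# 1102 = Security (audit) log cleared, the page's finding; 104 = System log
# cleared, a well-known sibling included as a generalisation.
LOG_CLEARED_IDS = {1102: "audit log cleared", 104: "system log cleared"}
EVENTLOG_PROVIDER = "microsoft-windows-eventlog"


@dataclass(frozen=True)
class TypedFact:
    fact_id: str        # SHA-1 of the raw record line (hashing scheme assumed)
    event_id: int
    provider: str
    channel: str
    time_created: str
    source_tool: str
    raw: str


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    label: str
    fact_id: str        # foreign key to the TypedFact that validated it


def parse_event_logs(raw_output: str, tool: str = "parse_event_logs") -> list[TypedFact]:
    """Turn JSON-lines tool output into typed facts, one per non-empty line."""
    facts = []
    for line in raw_output.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        facts.append(TypedFact(
            fact_id=hashlib.sha1(line.encode()).hexdigest(),
            event_id=int(rec["EventID"]),
            provider=str(rec.get("Provider", "")),
            channel=str(rec.get("Channel", "")),
            time_created=str(rec.get("TimeCreated", "")),
            source_tool=tool,
            raw=line,
        ))
    return facts


def detect_log_clearing(facts: list[TypedFact]) -> list[Finding]:
    """Deterministic rule: Eventlog-provider 1102/104 is evidence clearing.

    The provider check is the caveat: the event number alone is not enough,
    because any application provider may reuse 1102 for its own purposes.
    """
    findings = []
    for f in facts:
        if f.provider.lower() != EVENTLOG_PROVIDER or f.event_id not in LOG_CLEARED_IDS:
            continue
        findings.append(Finding(
            finding_id=f"F{len(findings) + 1:03d}",
            severity="MEDIUM",
            label=(f"defense evasion anti forensics: event:{f.event_id} "
                   f"({LOG_CLEARED_IDS[f.event_id]}) · {f.provider.lower()}"),
            fact_id=f.fact_id,
        ))
    return findings


def finding_trace(finding: Finding, facts: list[TypedFact]) -> dict:
    """Follow the finding's foreign key back to its fact and source tool."""
    fact = {f.fact_id: f for f in facts}[finding.fact_id]
    return {"finding": finding.finding_id, "fact": fact.fact_id,
            "event_id": fact.event_id, "time_created": fact.time_created,
            "source_tool": fact.source_tool, "raw_tool_output": fact.raw}


if __name__ == "__main__":
    all_facts = parse_event_logs(SAMPLE_TOOL_OUTPUT)
    for hit in detect_log_clearing(all_facts):
        print(hit.finding_id, hit.severity, hit.label)
        print(json.dumps(finding_trace(hit, all_facts), indent=2))
```

Running it over the three constructed records yields exactly one finding, the Eventlog-provider 1102, and finding_trace() returns the raw JSON line it was built from together with the tool name, which is the foreign-key walk the proof chain above describes.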