F015 Suspicious · validator: blocked
Security log cleared - Event 1102 (Defense Evasion)
Security event log cleared (anti-forensics)
Analyst narrative
Event ID 1102 (Microsoft-Windows-Eventlog) on the Security channel indicates the audit log was cleared. Candidate cand-0187 fact_ids=event_log_fact-0043765.
Claims asserted
path: event_log_fact-0043765
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs