F027 · Suspicious · validator: blocked
Audit log cleared - anti-forensics
Security event log cleared (Event ID 1102)
Analyst narrative
candidate cand-0187: Event ID 1102 (audit log cleared) observed in Security log, indicating anti-forensic activity. fact_ids=event_log_fact-0043765
Claims asserted
path: event_log_fact-0043765
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs