F038 Suspicious validator: blocked
Security event log cleared (anti-forensics)
Sysmon Security event log cleared (Event 1102)
Analyst narrative
Event 1102 (audit log cleared) recorded in Security channel, indicating anti-forensic log clearing. cand-0187 (event_log_fact-0043765).
Claims asserted
path: 1102 security log cleared
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs