This alert is triggered whenever the system generates an audit-log-cleared event.
Windows event ID 1102 is logged whenever the Security log is cleared, regardless of the status of the Audit System Events audit policy. The Account Name and Domain Name fields of the event identify the user who cleared the log.
MITRE ATT&CK Tactics
Defense Evasion (Indicator Removal: Clear Windows Event Logs, T1070.001)

Data Sources
Windows Security Event Log

False Positives
Admins clearing the Security Event log
Applications configured to clear the Security Event log
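The following detection logic is an added example and is not part of the original alert definition. It parses exported Windows event XML, matches event ID 1102 in the Security channel, pulls the clearing account from the Account Name / Domain Name fields (SubjectUserName / SubjectDomainName in the 1102 UserData payload), and handles the two false-positive cases above with an assumed allow-list of approved admin or service accounts. Allow-listed clears are marked as suppressed rather than discarded, so they stay auditable. All hostnames, SIDs, logon IDs and the allow-list entry are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# XML namespaces used by Windows event records: the System section and the
# UserData/LogFileCleared payload that event 1102 carries.
NS_EVENT = "http://schemas.microsoft.com/win/2004/08/events/event"
NS_ELOG = "http://manifests.microsoft.com/win/2004/08/windows/eventlog"

# Assumed allow-list of (domain, account) pairs permitted to clear the Security
# log, e.g. a scheduled log-archiving service account. Tune per environment.
APPROVED_CLEARERS = {("CORP", "svc-logarchive")}


@dataclass
class LogClearedAlert:
    computer: str
    domain: str
    account: str
    logon_id: str
    suppressed: bool  # matched the allow-list: still recorded, never dropped


def parse_log_cleared(xml_text: str):
    """Return a LogClearedAlert for a 1102 event in the Security channel, else None."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{{{NS_EVENT}}}System")
    if system is None:
        return None
    event_id = system.findtext(f"{{{NS_EVENT}}}EventID")
    channel = system.findtext(f"{{{NS_EVENT}}}Channel")
    if event_id != "1102" or channel != "Security":
        return None
    cleared = root.find(f"{{{NS_EVENT}}}UserData/{{{NS_ELOG}}}LogFileCleared")
    if cleared is None:
        return None
    domain = cleared.findtext(f"{{{NS_ELOG}}}SubjectDomainName", default="")
    account = cleared.findtext(f"{{{NS_ELOG}}}SubjectUserName", default="")
    return LogClearedAlert(
        computer=system.findtext(f"{{{NS_EVENT}}}Computer", default=""),
        domain=domain,
        account=account,
        logon_id=cleared.findtext(f"{{{NS_ELOG}}}SubjectLogonId", default=""),
        suppressed=(domain, account) in APPROVED_CLEARERS,
    )


def detect(events):
    """Run each exported event record through the parser; keep the 1102 alerts."""
    return [a for a in (parse_log_cleared(e) for e in events) if a is not None]


# Constructed sample records (hostnames, SIDs and logon IDs are made up).
SAMPLE_EVENTS = [
    # Interactive user clears the Security log on a workstation: needs triage.
    f"""<Event xmlns="{NS_EVENT}"><System>
      <Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
      <Channel>Security</Channel><Computer>WS-042.corp.example</Computer></System>
      <UserData><LogFileCleared xmlns="{NS_ELOG}">
      <SubjectUserSid>S-1-5-21-1111-2222-3333-1105</SubjectUserSid>
      <SubjectUserName>jdoe</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>
      <SubjectLogonId>0x3e7a1</SubjectLogonId></LogFileCleared></UserData></Event>""",
    # Approved archiving service account clears the log on a file server: suppressed.
    f"""<Event xmlns="{NS_EVENT}"><System>
      <Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
      <Channel>Security</Channel><Computer>FS-01.corp.example</Computer></System>
      <UserData><LogFileCleared xmlns="{NS_ELOG}">
      <SubjectUserSid>S-1-5-21-1111-2222-3333-2201</SubjectUserSid>
      <SubjectUserName>svc-logarchive</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>
      <SubjectLogonId>0x5b2c0</SubjectLogonId></LogFileCleared></UserData></Event>""",
    # Unrelated logon event on the same channel: must not match.
    f"""<Event xmlns="{NS_EVENT}"><System>
      <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
      <Channel>Security</Channel><Computer>WS-042.corp.example</Computer></System></Event>""",
]


def run_sample():
    """Alerts produced from the constructed sample, in input order."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        state = "suppressed (allow-listed)" if alert.suppressed else "NEEDS TRIAGE"
        print(f"{alert.computer}: Security log cleared by {alert.domain}\\{alert.account} "
              f"(logon id {alert.logon_id}) -> {state}")
```

The check on the Channel element matters: event ID 1102 is specific to the Security log, whereas clearing other logs produces a different event, so matching on the ID alone is not the same as matching on the audit log being cleared. Keeping suppressed alerts in the output rather than filtering them out lets the allow-list itself be reviewed when a service account is later suspected.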
Response Steps
1. Identify the system(s) that have been affected
2. Identify user credentials that have been compromised
3. Identify the IT services running on the compromised host that are impacted
4. Reset the password for the compromised Windows account
5. Identify lateral movement of the compromised users throughout the enterprise
6. Optional: isolate the host from the network while you continue the investigation
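A worked triage helper for the response steps above, added here as an example rather than taken from the original alert definition. Starting from one cleared-log alert, it pivots on the clearing account over logon records to collect the affected hosts (step 1), names the account whose credentials must be treated as compromised and reset (steps 2 and 4), maps the services on each affected host (step 3), keeps the remote-logon evidence for lateral movement (step 5) and nominates the host to isolate (step 6). The alert and logon records are plain dicts with field names assumed for this example; the hosts, addresses, times and service inventory are constructed.

```python
from datetime import datetime, timedelta

# Logon types that mean the account was used to reach a host over the network.
REMOTE_LOGON_TYPES = {3: "network", 10: "remote-interactive"}


def lateral_movement_hosts(account, cleared_host, cleared_at, logons, window_hours=24):
    """Hosts other than cleared_host that `account` logged on to remotely within
    +/- window_hours of the log clear. Each logon is a dict with host, account,
    logon_type, source_ip and time (field names assumed for this example)."""
    window = timedelta(hours=window_hours)
    hits = {}
    for logon in logons:
        if logon["account"] != account or logon["host"] == cleared_host:
            continue
        if logon["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if abs(logon["time"] - cleared_at) > window:
            continue
        hits.setdefault(logon["host"], []).append(logon)
    return hits


def triage(alert, logons, host_services):
    """Build the pivot set for the response steps: affected hosts (step 1), the
    account to reset (steps 2 and 4), services per affected host (step 3),
    lateral-movement evidence (step 5) and the isolation candidate (step 6)."""
    lateral = lateral_movement_hosts(alert["account"], alert["computer"], alert["time"], logons)
    affected = sorted({alert["computer"], *lateral})
    evidence = {
        host: [(l["time"].isoformat(), REMOTE_LOGON_TYPES[l["logon_type"]], l["source_ip"])
               for l in logons_on_host]
        for host, logons_on_host in lateral.items()
    }
    return {
        "affected_hosts": affected,
        "compromised_account": f'{alert["domain"]}\\{alert["account"]}',
        "impacted_services": {h: host_services.get(h, []) for h in affected},
        "lateral_movement": evidence,
        "isolate_candidate": alert["computer"],
    }


# Constructed sample data: a 1102 alert plus logon records around it.
T0 = datetime(2024, 5, 1, 10, 0)
SAMPLE_ALERT = {"computer": "WS-042", "domain": "CORP", "account": "jdoe", "time": T0}
SAMPLE_LOGONS = [
    # Console logon on the cleared host itself: not lateral movement.
    {"host": "WS-042", "account": "jdoe", "logon_type": 2, "source_ip": "-", "time": T0 - timedelta(hours=3)},
    # RDP to a jump host an hour before the clear.
    {"host": "JUMP-01", "account": "jdoe", "logon_type": 10, "source_ip": "10.0.5.42", "time": T0 - timedelta(hours=1)},
    # Network logon to a file server two hours after the clear.
    {"host": "FS-01", "account": "jdoe", "logon_type": 3, "source_ip": "10.0.5.42", "time": T0 + timedelta(hours=2)},
    # Same account, but five days later: outside the default window.
    {"host": "DC-01", "account": "jdoe", "logon_type": 3, "source_ip": "10.0.5.42", "time": T0 + timedelta(days=5)},
    # Different account: ignored.
    {"host": "FS-01", "account": "asmith", "logon_type": 3, "source_ip": "10.0.7.9", "time": T0 + timedelta(hours=2)},
]
SAMPLE_SERVICES = {
    "WS-042": ["endpoint agent"],
    "FS-01": ["SMB file shares"],
    "JUMP-01": ["RDP gateway"],
    "DC-01": ["Active Directory"],
}


def run_sample():
    """Triage result for the constructed sample."""
    return triage(SAMPLE_ALERT, SAMPLE_LOGONS, SAMPLE_SERVICES)


if __name__ == "__main__":
    result = run_sample()
    print("Affected hosts:", ", ".join(result["affected_hosts"]))
    print("Reset credentials for:", result["compromised_account"])
    for host, services in result["impacted_services"].items():
        print(f"  {host}: {', '.join(services) or 'no inventory'}")
    for host, hops in result["lateral_movement"].items():
        print(f"Lateral movement to {host}: {hops}")
    print("Isolate first:", result["isolate_candidate"])
```

The time window and the set of remote logon types are the two knobs worth tuning: a wider window catches slower operators at the cost of more hosts to check, and adding logon type 2 would pull in console sessions that do not indicate movement between hosts.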