How does the UBA Rule "Local Event Log Deletion" work?

Hi everyone,

Simple question: how does the legacy UBA rule “Local Event Log Deletion” actually work? What is the detection rule and the log set behind it?

The reason for my question is, I tried to analyze one of those alerts and tried to find the corresponding log entry in the log search. Due to it being a UBA rule, we basically have no insight into the inner workings of the detection rule. Naturally, I tried to search for Windows event ID 1102 "The audit log was cleared" under the Endpoint Logs/Sysmon log set - with no success.

Can anyone give me some guidance on this?


Hi Nik,

I’m a member of the product team here at Rapid7 working on projects related to our IDR detection rules, and might be able to offer some background. Unfortunately you are correct that the logs behind the legacy “Local Event Log Deletion” rule are not currently available within Log Search. We are actively working on an initiative to migrate our legacy UBA rules over to the Detection Rule Library, which will give users visibility into the logic powering their detections, and more capabilities to track down the signal triggering them. By using the alert evidence peek panel for our Detection Rule Library based rules, users are able to view both the detection rule logic, and the log events that triggered them.


That's nice to hear. Is there any way to track the changes or migration process?