diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
index a24e9d470..cc61bdf10 100644
--- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
@@ -12,7 +12,6 @@ detection:
 EventID:
 - 517
 - 1102
- - 104
 condition: selection
 falsepositives:
 - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
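Review bot: Dropping `- 104` from the EventID selection removes the only coverage this rule had for the Microsoft-Windows-Eventlog "log cleared" event, which is written to the System log when any event log (not just Security) is cleared, while 1102 and its legacy counterpart 517 only fire for the Security log. If the removal is because 104 never matches under this rule's logsource (presumably `service: security`, which is outside the hunk), that is correct, but the detection gap should be closed by a companion rule scoped to the System log rather than silently lost. The commit description does not say whether such a rule exists, so a reviewer should confirm that before merging. Consider recording the intent next to the selection, e.g. `# 104 (System log: any log cleared) is covered by a separate system-log rule`, so the next maintainer does not re-add it here.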