diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 649d0d95b..92c9a2eac 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -18,6 +18,9 @@ detection: EventID: 1102 condition: selection fields: - - fields in the log source that are important to investigate further + - SubjectLogonId + - SubjectUserName + - SubjectUserSid + - SubjectDomainName falsepositives: - Legitimate administrative activity
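Review bot: The new `fields` list in this hunk identifies who cleared the log but not where it happened; for EventID 1102 an investigator needs the host as well, so consider adding the `Computer` field alongside the four Subject* fields. Replacing the template placeholder `fields in the log source that are important to investigate further` with concrete field names is the right fix, since the placeholder line was not a real field and would have been passed through by backends that render `fields`. Minor style point: grouping the entries as `SubjectUserSid`, `SubjectUserName`, `SubjectDomainName`, `SubjectLogonId` mirrors the order in which the event records them and reads more naturally than the current interleaving.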