From 45f30cb2b43a9d3a419eab6b6df85116838a7003 Mon Sep 17 00:00:00 2001 From: SomeOne Date: Mon, 23 Aug 2021 15:00:07 +0200 Subject: [PATCH 1/2] Add fields to event log cleared --- rules/windows/builtin/win_event_log_cleared.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 649d0d95b..969f06309 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -18,6 +18,9 @@ detection: EventID: 1102 condition: selection fields: - - fields in the log source that are important to investigate further + - logon_id + - src_user + - src_user_id + - src_nt_domain falsepositives: - Legitimate administrative activity From 037f33b5e200710140d11c9a9c644ddea01addab Mon Sep 17 00:00:00 2001 From: SomeOne Date: Mon, 23 Aug 2021 15:24:48 +0200 Subject: [PATCH 2/2] Replace by default windows fieldnames --- rules/windows/builtin/win_event_log_cleared.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 969f06309..92c9a2eac 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -18,9 +18,9 @@ detection: EventID: 1102 condition: selection fields: - - logon_id - - src_user - - src_user_id - - src_nt_domain + - SubjectLogonId + - SubjectUserName + - SubjectUserSid + - SubjectDomainName falsepositives: - Legitimate administrative activity
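Review bot: in PATCH 1/2, the new `fields` entries (`logon_id`, `src_user`, `src_user_id`, `src_nt_domain`) are not field names that exist in the Windows Security event 1102 the selection matches on, so a backend that renders `fields` into its output columns will select nothing. The rule's detection block already keys on the native Windows name (`EventID`), and the `fields` list should follow the same convention: the 1102 event carries the clearing account in `SubjectUserSid`, `SubjectUserName`, `SubjectDomainName` and `SubjectLogonId`. Use those names here instead of introducing a generic naming scheme that only this rule uses.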
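Review bot: PATCH 2/2 only undoes the field names introduced by PATCH 1/2, so the intermediate state with `logon_id` / `src_user` / `src_user_id` / `src_nt_domain` never needs to exist in history; squash both commits into one ("Add fields to event log cleared" with the `Subject*` names) so that `git blame` and bisect land on a single, valid version of the rule. The final `SubjectLogonId`, `SubjectUserName`, `SubjectUserSid` and `SubjectDomainName` entries are the correct native names for the Security 1102 event and match the `EventID` convention used in the selection above, so the content of the second hunk is fine as is.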