IOI-007 · IoI Rule · Temporal
Event 1102 + USN DataTruncation Timeline
Status: Validated · Tags: Temporal, Security.evtx, $UsnJrnl
Contributed by @ioi-framework · 2025-01-01 · v1.0
Invariant predicate φ
Event 1102 and USN DataTruncation for Security.evtx must both be absent under normal operation
Rule file: ioi-007.rq
Tested on: Virtuoso 7.2 (OpenLink OSE)

Dependency specification

  1. Security.evtx — Event ID 1102 records with startTime and eventRecordText
  2. $UsnJrnl — DataTruncation records against files whose filename contains "Security"

Under normal operation neither Event 1102 nor a USN DataTruncation against Security.evtx should exist. Their co-occurrence signals deliberate log clearance.

Contradiction condition

Fires when Event 1102 exists in the event log graph or a USN DataTruncation record exists for the Security log. Both signals are returned in a unified timeline ordered by timestamp.

SPARQL signature

# Prefix declarations are not part of the signature as published; core: and
# observable: are the UCO namespaces, ioi-ext: is the framework's extension
# namespace and its IRI below is a placeholder to be replaced with your own.
PREFIX core:       <https://ontology.unifiedcyberontology.org/uco/core/>
PREFIX observable: <https://ontology.unifiedcyberontology.org/uco/observable/>
PREFIX ioi-ext:    <urn:placeholder:ioi-ext#>

SELECT ?event_type ?time ?source_name ?update_reasons
WHERE {
  {
    # Branch 1: Event ID 1102 (audit log cleared) in the Security channel
    GRAPH <security_case7> {
      ?event a observable:EventRecord ;
             core:hasFacet ?std_facet, ?custom_facet .
      ?std_facet a observable:EventRecordFacet ;
                 observable:eventID "1102" ;
                 observable:startTime ?time ;
                 observable:eventRecordText ?text .
      ?custom_facet a ioi-ext:EventLogFacet ;
                    ioi-ext:channel "Security" .
      BIND("Event 1102 - Log Cleared" AS ?event_type)
      BIND("Security Event Log" AS ?source_name)
      BIND("" AS ?update_reasons)
    }
  }
  UNION
  {
    # Branch 2: $UsnJrnl DataTruncation against a file named like Security.evtx
    GRAPH <usn_case7> {
      ?file core:hasFacet ?fileFacet, ?usnFacet .
      ?fileFacet a observable:FileFacet ;
                 observable:fileName ?filename .
      ?usnFacet a ioi-ext:UsnFacet ;
                ioi-ext:updateReasons ?reasons ;
                ioi-ext:updateTimestamp ?time .
      FILTER(CONTAINS(?filename, "Security"))
      FILTER(CONTAINS(?reasons, "DataTruncation"))
      BIND("USN DataTruncation" AS ?event_type)
      BIND(?filename AS ?source_name)
      BIND(?reasons AS ?update_reasons)
    }
  }
}
# Both branches bind ?time (startTime or updateTimestamp), so one sort key
# yields a single interleaved timeline.
ORDER BY ?time

Graph IRI substitution

Replace <security_case7> and <usn_case7> with your named graph IRIs.

Expected output

Both the Event 1102 record and the USN truncation record are returned sorted by ?time. The ?source_name column identifies either the Security event log source or the matching USN filename, so event text is not mislabeled as a file name. The investigator reads the ordering directly from the result set to determine whether the log was truncated before or after the log-clear event was recorded.
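The contradiction condition and the expected-output reading above can be reproduced outside a triple store. The following is an added example, not part of the IoI framework or this rule's .rq file: it applies the same two filters as the SPARQL branches (Event ID 1102 in the Security channel; a USN record whose filename contains "Security" and whose reasons contain "DataTruncation") to constructed in-memory records, merges the hits into one timeline ordered by timestamp, evaluates the invariant φ, and reports whether the truncation landed before or after the log-clear event. The record dictionaries (EVENT_RECORDS, USN_RECORDS) and all timestamps are constructed sample data; the field names merely mirror the UCO and ioi-ext properties used by the query.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample evidence (not real case data). Keys mirror the
# properties used in the SPARQL signature: observable:eventID,
# ioi-ext:channel, observable:startTime, ioi-ext:updateReasons, ...
EVENT_RECORDS: List[Dict[str, str]] = [
    {"eventID": "4624", "channel": "Security",
     "startTime": "2025-01-01T09:58:00Z",
     "eventRecordText": "An account was successfully logged on."},
    {"eventID": "1102", "channel": "Security",
     "startTime": "2025-01-01T10:03:00Z",
     "eventRecordText": "The audit log was cleared."},
    # Same ID but a different channel: must NOT match branch 1.
    {"eventID": "1102", "channel": "System",
     "startTime": "2025-01-01T10:04:00Z",
     "eventRecordText": "The audit log was cleared."},
]
USN_RECORDS: List[Dict[str, str]] = [
    # Normal growth of the log file: DataExtend is not a truncation.
    {"fileName": "Security.evtx", "updateReasons": "DataExtend|Close",
     "updateTimestamp": "2025-01-01T09:59:00Z"},
    # The truncation the rule is looking for.
    {"fileName": "Security.evtx", "updateReasons": "DataTruncation|Close",
     "updateTimestamp": "2025-01-01T10:02:30Z"},
    # Truncation of an unrelated file: must NOT match branch 2.
    {"fileName": "System.evtx", "updateReasons": "DataTruncation|Close",
     "updateTimestamp": "2025-01-01T10:02:00Z"},
]


@dataclass(frozen=True)
class TimelineRow:
    """One row of the unified result set (same columns as the SELECT)."""
    event_type: str
    time: datetime
    source_name: str
    update_reasons: str


def _parse_time(ts: str) -> datetime:
    # ISO 8601 with a trailing Z, as exported from evtx / USN tooling.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def log_cleared_events(records: List[Dict[str, str]]) -> List[TimelineRow]:
    """Branch 1: eventID "1102" in the Security channel."""
    return [
        TimelineRow("Event 1102 - Log Cleared", _parse_time(r["startTime"]),
                    "Security Event Log", "")
        for r in records
        if r["eventID"] == "1102" and r["channel"] == "Security"
    ]


def usn_truncations(records: List[Dict[str, str]]) -> List[TimelineRow]:
    """Branch 2: CONTAINS(filename, "Security") and CONTAINS(reasons, "DataTruncation")."""
    return [
        TimelineRow("USN DataTruncation", _parse_time(r["updateTimestamp"]),
                    r["fileName"], r["updateReasons"])
        for r in records
        if "Security" in r["fileName"] and "DataTruncation" in r["updateReasons"]
    ]


def build_timeline(events: List[Dict[str, str]],
                   usn: List[Dict[str, str]]) -> List[TimelineRow]:
    """UNION of both branches, ORDER BY ?time."""
    return sorted(log_cleared_events(events) + usn_truncations(usn),
                  key=lambda row: row.time)


def invariant_holds(timeline: List[TimelineRow]) -> bool:
    """φ: under normal operation neither signal exists, so the timeline is empty."""
    return len(timeline) == 0


def truncation_relative_to_clear(timeline: List[TimelineRow]) -> Optional[str]:
    """'before'/'after': did the first USN truncation precede the first 1102?
    Returns None when only one of the two signals is present."""
    clears = [r.time for r in timeline if r.event_type.startswith("Event 1102")]
    truncs = [r.time for r in timeline if r.event_type == "USN DataTruncation"]
    if not clears or not truncs:
        return None
    return "before" if min(truncs) < min(clears) else "after"


if __name__ == "__main__":
    rows = build_timeline(EVENT_RECORDS, USN_RECORDS)
    for row in rows:
        print(row.time.isoformat(), row.event_type, row.source_name, row.update_reasons)
    print("invariant holds:", invariant_holds(rows))
    print("truncation relative to log clear:", truncation_relative_to_clear(rows))
```

With the constructed data the timeline holds exactly two rows, the USN truncation at 10:02:30Z followed by the 1102 record at 10:03:00Z, so φ is violated and the truncation is reported as occurring before the clear event was recorded; the decoy System-channel 1102, the DataExtend entry and the System.evtx truncation are all filtered out, just as the SPARQL branches would drop them.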