KQL | Elastic-2.0 | from elastic/detection-rules
Windows Event Logs Cleared
Quality: 92
Rule source: rules/windows/defense_evasion_clearing_windows_security_logs.toml
host.os.type:windows and event.action:("audit-log-cleared" or "Log clear") and
winlog.channel: ("Security" or "System")