Windows Eventlog Cleared Via Wevtutil

The following analytic detects the usage of wevtutil.exe with the "clear-log" parameter in order to clear the contents of logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise.