Clear Windows Event Logs

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 1102
| project TimeGenerated, Computer, Account, Activity, EventData
| union (
    Event
    | where TimeGenerated > ago(24h)
    | where Source == "Microsoft-Windows-Eventlog"
    | where EventID == 104
    | project TimeGenerated, Computer, UserName, RenderedDescription
)
| sort by TimeGenerated desc
| union (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "wevtutil.exe"
    | where ProcessCommandLine has_any ("cl ", "clear-log ", "clear ")
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine
    | extend Source = "WevtutilClear"
)
| sort by coalesce(TimeGenerated, Timestamp) desc

index=wineventlog (sourcetype="WinEventLog:Security" EventCode=1102) OR (sourcetype="WinEventLog:System" EventCode=104)
| eval LogClearType=case(EventCode=1102, "Security Log Cleared", EventCode=104, "Non-Security Log Cleared", true(), "Unknown")
| table _time, host, user, LogClearType, EventCode
| sort - _time
| append [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | where (Image like "%wevtutil.exe" AND (match(CommandLine, "(cl |clear-log |clear )")))
      OR (Image like "%powershell.exe" AND match(CommandLine, "(Remove-EventLog|Clear-EventLog|wevtutil)"))
    | eval LogClearType="Wevtutil/PowerShell Clear Command"
    | table _time, host, User, Image, CommandLine, LogClearType
]

any where
  (
    event.provider == "Microsoft-Windows-Eventlog" and
    event.code in ("1102", "104")
  )
  or
  (
    event.category == "process" and
    process.name == "wevtutil.exe" and
    process.args : ("cl", "clear-log", "clear")
  )
  or
  (
    event.category == "process" and
    process.name : ("powershell.exe", "pwsh.exe") and
    process.command_line : ("*Remove-EventLog*", "*Clear-EventLog*", "*wevtutil*cl*", "*wevtutil*clear*")
  )

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name,
  username,
  devicehostname AS hostname,
  "EventID",
  "CommandLine",
  CATEGORYNAME(category) AS category
FROM events
WHERE
  (
    "EventID" IN (1102, 104)
    AND LOGSOURCETYPEID(logsourceid) IN (12, 13)
  )
  OR
  (
    "EventID" = 1
    AND (
      "CommandLine" ILIKE '%wevtutil%cl %'
      OR "CommandLine" ILIKE '%wevtutil%clear-log%'
      OR "CommandLine" ILIKE '%wevtutil%clear %'
      OR "CommandLine" ILIKE '%Remove-EventLog%'
      OR "CommandLine" ILIKE '%Clear-EventLog%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

(_sourceCategory=*wineventlog* OR _sourceCategory=*windows*)
| where EventCode in ("1102", "104")
  OR (EventCode = "1"
      AND CommandLine contains "wevtutil"
      AND (CommandLine contains "cl " OR CommandLine contains "clear-log" OR CommandLine contains "clear "))
  OR (EventCode = "1"
      AND (CommandLine contains "Remove-EventLog" OR CommandLine contains "Clear-EventLog"))
| if(EventCode = "1102", "Security Log Cleared",
    if(EventCode = "104", "Non-Security Log Cleared", "Process-Based Clear")) as LogClearType
| fields _time, Computer, User, LogClearType, EventCode, CommandLine
| sort by _time desc

rule t1070_001_clear_windows_event_logs {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects clearing of Windows Event Logs via EventID 1102/104 or wevtutil/PowerShell process execution"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.001"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "Windows"
    created = "2026-04-17"

  events:
    $e.metadata.vendor_name = "Microsoft"
    (
      $e.metadata.product_event_type = "1102" or
      $e.metadata.product_event_type = "104" or
      (
        re.regex($e.target.process.file.full_path, `(?i)wevtutil\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(^|\s)(cl|clear-log|clear)(\s|$)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)(\.exe)?$`) and
        re.regex($e.target.process.command_line, `(?i)(Remove-EventLog|Clear-EventLog)`)
      )
    )

  condition:
    $e
}

(
  #event_simpleName in [ProcessRollup2, SyntheticProcessRollup2]
  | FileName = "wevtutil.exe"
  | CommandLine = /\b(cl|clear-log|clear)\b/i
  | DetectionType := "WevtutilClear"
)
| union (
  #event_simpleName in [ProcessRollup2, SyntheticProcessRollup2]
  | FileName = /powershell(ise)?\.exe/i
  | CommandLine = /(Remove-EventLog|Clear-EventLog)/i
  | DetectionType := "PowerShellClear"
)
| table([_time, ComputerName, UserName, FileName, CommandLine, DetectionType])
| sort(_time, order=desc, limit=200)