From 985a80de9630a4bca09c33977e574a630959fcc1 Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 22 Jul 2021 08:33:52 +0200
Subject: [PATCH] Find duplicate rules

---
 .../builtin/win_susp_eventlog_cleared.yml | 4 +++-
 .../win_susp_security_eventlog_cleared.yml | 24 -------------------
 2 files changed, 3 insertions(+), 25 deletions(-)
 delete mode 100644 rules/windows/builtin/win_susp_security_eventlog_cleared.yml

diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index 2bb184528..67693faaa 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -1,6 +1,9 @@
 action: global
 title: Eventlog Cleared
 id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
+related:
+ id: f2f01843-e7b8-4f95-a35a-d23584476423
+ type: obsoletes
 description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
 references:
 - https://twitter.com/deviouspolack/status/832535435960209408
@@ -17,7 +20,6 @@ falsepositives:
 - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
 - System provisioning (system reset before the golden image creation)
 level: high
-
 ---
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
deleted file mode 100644
index 7485d3013..000000000
--- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
+++ /dev/null
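Review bot: The new `related` block in the first hunk is written as a plain mapping (`related:` / `id:` / `type: obsoletes`), whereas the Sigma rule format defines `related` as a list of `id`/`type` entries, so a schema check on this rule would likely reject it; it should read `related:` / `    - id: f2f01843-e7b8-4f95-a35a-d23584476423` / `      type: obsoletes`. The rule being obsoleted (deleted in the second file) matched EventID 517 as well as 1102 on the security log and carried `attack.defense_evasion`, `attack.t1070.001` and `car.2016-04-002` tags; the surviving rule's detection and tags are outside this hunk, so it is worth confirming that 517 and those tags are still covered before the old rule disappears, otherwise this consolidation silently narrows detection. The `modified` date of the surviving rule is also not visible in the hunk and presumably should be bumped alongside the new `related` entry.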
@@ -1,24 +0,0 @@
-title: Security Eventlog Cleared
-id: f2f01843-e7b8-4f95-a35a-d23584476423
-description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities
-tags:
- - attack.defense_evasion
- - attack.t1070 # an old one
- - attack.t1070.001
- - car.2016-04-002
-author: Florian Roth
-date: 2017/02/19
-modified: 2020/08/23
-logsource:
- product: windows
- service: security
-detection:
- selection:
- EventID:
- - 517
- - 1102
- condition: selection
-falsepositives:
- - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- - System provisioning (system reset before the golden image creation)
-level: high