From 023fbc7bbdbd8f0338f02b4c745a1b8df85cff5c Mon Sep 17 00:00:00 2001
From: TotalKnob
Date: Wed, 24 Aug 2022 02:41:30 +0200
Subject: [PATCH] [Rule Tuning] Clearing Windows Event Logs (#2233)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 ...defense_evasion_clearing_windows_event_logs.toml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index ff9e41864..f38758723 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/23"
+updated_date = "2022/08/08"
 
 [rule]
 author = ["Elastic"]
@@ -69,9 +69,14 @@ type = "eql"
 query = '''
 process where event.type in ("process_started", "start") and
- (process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and
- process.args : ("/e:false", "cl", "clear-log") or
- process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Clear-EventLog"
+ (
+ (process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and
+ process.args : ("/e:false", "cl", "clear-log")
+ ) or
+ (
+ process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
+ process.args : "Clear-EventLog"
+ )
 '''