From 63d6a54804bfa4843a63f2d8a969d9ace108e1e9 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Fri, 24 Sep 2021 09:04:56 -0800
Subject: [PATCH] [Rule Tuning] Add system index to Windows Event Logs Cleared (#1502)

---
 .../windows/defense_evasion_clearing_windows_security_logs.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 1cfb6afa1..c7fbb7b06 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -10,7 +10,7 @@ Identifies attempts to clear Windows event log stores. This is often done by att
 or destroy forensic evidence on a system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Windows Event Logs Cleared"
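Review bot: The widened `index` pattern on the `+` line puts the rule onto a third data stream, but nothing in the hunk shows that the rule's query (defined further down the file, outside this hunk) filters on field names that the new stream actually emits; if the event-code or provider fields are named differently there, the addition is a silent no-op rather than extra coverage, and if they are looser it becomes a noise source for a rule whose description promises detection of cleared event logs. Please confirm the query's filters against a sample document from `logs-system.*` before merging, and consider pinning the intent with a comment above the key, e.g. `# logs-system.* is included so event logs shipped by the Agent system integration are covered (presumed stream name — confirm the query's fields match it)`. The multi-line `description` string that this hunk's context closes, and the `query` itself, both lie outside the hunk.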