One of the Windows event logs has been cleared, e.g. by execution of the "wevtutil cl" command.
Detects the clearing of one of the core Windows event logs, e.g. by execution of the "wevtutil cl" command.
Detects execution of the "logman" utility to disable or delete Windows trace sessions.
Detects usage of known PowerShell cmdlets such as "Clear-EventLog" to clear the Windows event logs.
Detects clearing or configuration of event logs using wevtutil, PowerShell and wmic. Might be used by ransomware during an attack (seen with NotPetya and others).
Checks for Event ID 1102, which indicates that the Security event log was cleared.