id: 4c086156-63ea-469c-bc85-c57e2ed4ac32
name: Clearing of forensic evidence from event logs using wevtutil
description: |
  This query checks for attempts to clear at least 10 log entries from event logs using wevtutil.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
- Ransomware
query: |
  // Look for use of wevtutil to clear multiple logs
  DeviceProcessEvents
  | where Timestamp > ago(1d)
  | where ProcessCommandLine has "WEVTUTIL" and ProcessCommandLine has "CL"
  | summarize LogClearCount = dcount(ProcessCommandLine), ClearedLogList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
  | where LogClearCount > 10