
Summary
This detection rule identifies the clearing or reconfiguration of event logs on Windows systems, typically performed with command-line tooling such as `wevtutil`, PowerShell cmdlets, and `WMIC`. Threat actors and ransomware operators use these actions to evade detection by erasing the logs that would otherwise record their activity. The rule uses several 'selections' that match command-line arguments indicative of log tampering, combined with filters that exclude routine administrative log-management tasks. It helps organizations detect both malicious insiders and external intruders attempting to remove traces of their actions. False positives should be handled with attention to user roles and the context in which log management operations are performed.
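The selection-and-filter logic described in the summary, implemented as an added example over constructed process-creation records (this is illustrative code, not the rule's own definition; the `ProcessEvent` field names, the three selection names and the `maintenance_accounts` allow-list are assumptions). It matches the three vectors the summary names, ignores read-only `wevtutil` verbs, and suppresses hits from designated log-maintenance accounts:

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are assumptions)."""
    command_line: str
    user: str

# One regex per selection; all case-insensitive like the command shells they target.
SELECTIONS = {
    # wevtutil "cl"/"clear-log" wipes a log channel.
    "wevtutil": re.compile(r"\bwevtutil(?:\.exe)?\b.*?\b(?:cl|clear-log)\b", re.I),
    # PowerShell cmdlets that clear, delete or resize event logs.
    "powershell": re.compile(r"\b(?:Clear-EventLog|Remove-EventLog|Limit-EventLog)\b", re.I),
    # WMIC invoking the ClearEventLog method on an event log object.
    "wmic": re.compile(r"\bwmic(?:\.exe)?\b.*?\bClearEventLog\b", re.I),
}

# Read-only wevtutil verbs (query/enumerate/export) are routine admin work, not tampering.
WEVTUTIL_READ_ONLY = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:qe|query-events|gl|get-log|el|enum-logs|epl|export-log)\b",
    re.I,
)

def classify(event: ProcessEvent,
             maintenance_accounts: Iterable[str] = ()) -> Optional[str]:
    """Return the name of the matching selection, or None if the event is benign.

    maintenance_accounts lists principals permitted to clear logs (e.g. a log
    rotation service). Suppression by account is a risk trade-off: a compromised
    allow-listed account clears logs silently, so keep this list short and audited.
    """
    cmd = event.command_line
    if WEVTUTIL_READ_ONLY.search(cmd):
        return None
    if event.user in set(maintenance_accounts):
        return None
    for name, pattern in SELECTIONS.items():
        if pattern.search(cmd):
            return name
    return None

def scan(events: Iterable[ProcessEvent],
         maintenance_accounts: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Run classify() over a stream of events, returning (command_line, selection) hits."""
    hits = []
    for ev in events:
        sel = classify(ev, maintenance_accounts)
        if sel is not None:
            hits.append((ev.command_line, sel))
    return hits

# Constructed sample events; users and log names are made up for the example.
SAMPLE_EVENTS = [
    ProcessEvent('wevtutil.exe cl Security', 'CORP\\jdoe'),
    ProcessEvent('powershell.exe -nop -c "Clear-EventLog -LogName Application"', 'CORP\\jdoe'),
    ProcessEvent('wmic.exe nteventlog where "LogFileName=\'System\'" call ClearEventLog', 'CORP\\jdoe'),
    ProcessEvent('wevtutil.exe qe Security /c:5 /f:text', 'CORP\\analyst'),
    ProcessEvent('wevtutil.exe cl Application', 'CORP\\svc-logrotate'),
]

if __name__ == "__main__":
    for cmd, sel in scan(SAMPLE_EVENTS, maintenance_accounts={"CORP\\svc-logrotate"}):
        print(f"[{sel}] {cmd}")
```

Run as-is it flags the first three events and stays silent on the read-only query and on the allow-listed rotation account; without the `maintenance_accounts` argument the last event is flagged as well, which is the behaviour to prefer until a maintenance account has actually been vetted.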
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1070.001
Created: 2019-09-26