Summary
This detection rule identifies attempts by adversaries to disable Windows Event Logs using built-in utilities such as logman, PowerShell, or auditpol. Tampering with event logs is a significant threat to security monitoring: it hampers incident response and lets malicious activity go undetected. The rule covers three specific actions: stopping or deleting event log services via logman, disabling event logs through PowerShell, and disabling logging through auditpol. Attackers commonly take these actions to cover their tracks after executing malicious activity. The rule is written in EQL (Event Query Language) and evaluates process events, matching on the executable names and command-line arguments that indicate an intent to disable logging. Alerts should be triaged by investigating the unusual process execution and validating whether the user's action was legitimate; confirmed malicious activity calls for incident response steps to isolate the affected systems and restore logging. The rule is intended to strengthen defenses against threats that target Windows logging capabilities.
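The following is an added example that reproduces the match logic described above in Python, so the behaviour can be exercised offline; it is not the rule's own EQL and not code from the rule's authors. The process events, the `ProcessEvent` shape, the indicator labels, and the inclusion of `pwsh.exe` alongside `powershell.exe` are assumptions of this example. The PowerShell cmdlet names are real Windows PowerShell cmdlets that modify or remove event logs; the `auditpol /set ... :disable` and `logman stop`/`logman delete` forms are the documented syntax of those tools. Two benign read-only invocations are included to show that they do not match.

```python
"""Re-implementation of the detection logic summarised above (added example).

A ProcessEvent mirrors the process.name / process.args fields an endpoint
sensor would emit. classify() returns a short indicator label when the event
matches one of the three described patterns, or None otherwise.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows PowerShell cmdlets that alter or remove event logs.
POWERSHELL_LOG_CMDLETS = ("limit-eventlog", "remove-eventlog", "clear-eventlog")


@dataclass
class ProcessEvent:
    name: str         # process.name, e.g. "logman.exe"
    args: List[str]   # process.args as tokenised by the sensor (assumed shape)


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return the matched indicator label, or None if the event is not suspicious."""
    name = ev.name.lower()
    args = [a.lower() for a in ev.args]

    # 1. logman: stopping or deleting a logging session.
    if name == "logman.exe" and any(a in ("stop", "delete") for a in args):
        return "logman_stop_or_delete"

    # 2. PowerShell: cmdlet that disables, trims or removes an event log.
    #    The cmdlet usually sits inside a single "-Command ..." argument,
    #    so match by substring rather than exact token.
    if name in ("powershell.exe", "pwsh.exe") and any(
        cmdlet in a for a in args for cmdlet in POWERSHELL_LOG_CMDLETS
    ):
        return "powershell_eventlog_cmdlet"

    # 3. auditpol: a policy change (/set) that turns success or failure
    #    auditing off (/success:disable, /failure:disable).
    if name == "auditpol.exe" and "/set" in args and any(a.endswith(":disable") for a in args):
        return "auditpol_disable"

    return None


def triage(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (index, label) for every hit."""
    return [(i, label) for i, ev in enumerate(events) if (label := classify(ev))]


# Constructed sample events (not real telemetry). "SampleTrace" is a made-up
# session name; the benign entries only query state and must not alert.
SAMPLE_EVENTS = [
    ProcessEvent("logman.exe", ["stop", "SampleTrace", "-ets"]),
    ProcessEvent("logman.exe", ["query", "-ets"]),                       # benign: lists sessions
    ProcessEvent("powershell.exe", ["-Command", "Limit-EventLog -LogName Application -MaximumSize 64KB"]),
    ProcessEvent("auditpol.exe", ["/set", "/category:Logon/Logoff", "/success:disable"]),
    ProcessEvent("auditpol.exe", ["/get", "/category:*"]),               # benign: reads current policy
]

if __name__ == "__main__":
    for idx, label in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT [{label}] {ev.name} {' '.join(ev.args)}")
```

When wiring this into a pipeline, the `triage` hits are the rows a responder would review: confirm who ran the process and from which parent, check whether a change window or admin ticket explains it, and, if not, treat the host as potentially compromised and re-enable the affected logs.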
Categories
- Endpoint
- Windows
- Cloud
- On-Premise
Data Sources
- Windows Registry
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1070
- T1070.001
- T1562
- T1562.002
- T1562.006
Created: 2021-05-06