
Summary
This detection rule identifies potentially suspicious use of the WMI class "Win32_NTEventlogFile" from PowerShell scripts. It inspects the command line of process creation events for references to that WMI class combined with operations such as backing up, changing permissions on, clearing, deleting, renaming, or taking ownership of event log files. These behaviors can indicate malicious activity and are commonly associated with attempts to evade detection by manipulating event logs (for example, deleting logs to cover tracks). The rule is particularly useful for identifying advanced persistent threats (APTs) or insider threats that try to hide their activity behind legitimate administrative functions. It requires monitoring of process creation events, specifically filtering for command-line arguments that include the targeted WMI class together with the suspicious method calls.
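As an added example (not the rule's own logic or code from this page), the matching described above expressed in Python and run over constructed process-creation command lines. The method names are the ones documented on the Win32_NTEventlogFile class; the sample events are made up for testing and are not real telemetry.

```python
import re

# Methods of the WMI class Win32_NTEventlogFile that the rule treats as
# event-log manipulation. Read-only property access (e.g. listing log files)
# is deliberately not in this list.
SUSPICIOUS_METHODS = (
    "BackupEventlog", "ChangeSecurityPermissions", "ClearEventlog",
    "Delete", "Rename", "TakeOwnerShip",
)

CLASS_RE = re.compile(r"\bWin32_NTEventlogFile\b", re.IGNORECASE)
# Whole-word, case-insensitive match that also accepts the ...Ex variants
# (ChangeSecurityPermissionsEx, TakeOwnerShipEx). Matching the bare method
# name covers Invoke-WmiMethod/Invoke-CimMethod, not only ".Method()" syntax.
METHOD_RE = re.compile(
    r"\b(?:" + "|".join(SUSPICIOUS_METHODS) + r")(?:Ex)?\b", re.IGNORECASE)


def is_eventlog_manipulation(command_line: str) -> bool:
    """True only when one command line references the WMI class AND one of
    the manipulation methods; either indicator alone does not fire."""
    return bool(CLASS_RE.search(command_line) and METHOD_RE.search(command_line))


def matching_events(events: list[dict]) -> list[dict]:
    """Apply the rule to process-creation events carrying a CommandLine field."""
    return [e for e in events if is_eventlog_manipulation(e.get("CommandLine", ""))]


# Constructed sample events (not real telemetry) covering the main cases.
SAMPLE_EVENTS = [
    # Benign inventory of log files: class present, no manipulation method.
    {"CommandLine": 'powershell.exe -c "Get-WmiObject Win32_NTEventlogFile | Select LogfileName, FileSize"'},
    # Log clearing through a class method: should match.
    {"CommandLine": 'powershell.exe -c "(Get-WmiObject Win32_NTEventlogFile | Where LogfileName -eq Application).ClearEventlog()"'},
    # Ownership change via Invoke-WmiMethod with different casing: should match.
    {"CommandLine": 'powershell.exe -c "Get-WmiObject win32_nteventlogfile | Invoke-WmiMethod -Name takeownership"'},
    # Method name without the class (unrelated .NET Delete call): no match.
    {"CommandLine": 'powershell.exe -c "[System.IO.File]::Delete(\'C:\\temp\\old.txt\')"'},
]

if __name__ == "__main__":
    for event in matching_events(SAMPLE_EVENTS):
        print("ALERT:", event["CommandLine"])
```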
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-07-13