Clear Windows Event Logs

Anvilogic Forge

Summary
The detection rule titled 'Clear Windows Event Logs' aims to identify actions taken by adversaries to clear Windows Event Logs as a means of covering up malicious activities. Windows Event Logs are crucial for tracking system alerts and notifications, comprising three main event sources: System, Application, and Security. Each source can report various event types, including Error, Warning, Information, Success Audit, and Failure Audit, which are vital for auditing and forensic analysis. This rule employs Splunk to monitor specific event codes associated with log clearing, notably EventCode 1102 (which indicates the event logs have been cleared) and other related event codes. The logic leverages endpoint data to capture relevant events, creating a statistical summary by host and user. The rule is linked to various threat actors and ransomware groups known for employing similar tactics to erase traces of their activities, thereby necessitating proactive monitoring of these logs.
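The following is an added example, not the Anvilogic rule itself, showing the detection logic the summary describes in plain Python rather than Splunk: filter normalised Windows log records for log-clearing event codes, then roll them up by host and user the way a stats command would. EventCode 1102 comes from the summary above; EventCode 104 (Microsoft-Windows-Eventlog, system log cleared) is assumed here as one of the "other related event codes" the summary mentions. The field names (`host`, `user`, `EventCode`, `Channel`, `_time`) and the sample events are constructed for the example.

```python
from collections import defaultdict

# 1102 is named on the page (event logs cleared); 104 is assumed as a related
# code (System log cleared). Both are the codes this example alerts on.
LOG_CLEAR_EVENT_CODES = {1102, 104}

# Constructed sample events shaped like normalised Windows Security/System
# records. Field names are assumptions, not the rule's schema.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:01:00Z", "host": "WKSTN-01", "user": "CORP\\alice",
     "EventCode": 4624, "Channel": "Security"},
    {"_time": "2024-02-09T10:05:12Z", "host": "WKSTN-01", "user": "CORP\\alice",
     "EventCode": 1102, "Channel": "Security"},
    {"_time": "2024-02-09T10:05:13Z", "host": "WKSTN-01", "user": "CORP\\alice",
     "EventCode": "104", "Channel": "System"},       # string-typed code, as SIEM fields often are
    {"_time": "2024-02-09T11:20:00Z", "host": "SRV-DC01", "user": "CORP\\svc_backup",
     "EventCode": 1102, "Channel": "Security"},
    {"_time": "2024-02-09T11:21:00Z", "host": "SRV-DC01", "user": "CORP\\svc_backup",
     "EventCode": 4688, "Channel": "Security"},
    {"_time": "2024-02-09T12:00:00Z", "host": "WKSTN-02", "user": "CORP\\bob",
     "EventCode": 7045, "Channel": "System"},
]


def event_code(event):
    """Return EventCode as an int; None if it is absent or not numeric.

    Normalised log pipelines frequently deliver numeric fields as strings,
    so a plain equality test against an int would silently miss events.
    """
    try:
        return int(event.get("EventCode"))
    except (TypeError, ValueError):
        return None


def is_log_clear_event(event):
    """True if the record is one of the log-clearing event codes."""
    return event_code(event) in LOG_CLEAR_EVENT_CODES


def summarize_log_clears(events):
    """Roll up clear events by (host, user), like a stats-by-host-and-user step.

    Each row carries the count, the distinct event codes seen (sorted), and the
    earliest/latest timestamps, so an analyst can see both who cleared logs and
    whether several logs were wiped in quick succession.
    """
    rows = defaultdict(lambda: {"count": 0, "event_codes": set(),
                                "first_seen": None, "last_seen": None})
    for ev in events:
        if not is_log_clear_event(ev):
            continue
        key = (ev.get("host", "unknown"), ev.get("user", "unknown"))
        row = rows[key]
        row["count"] += 1
        row["event_codes"].add(event_code(ev))
        t = ev.get("_time")  # ISO-8601 strings compare correctly as text
        if t is not None:
            row["first_seen"] = t if row["first_seen"] is None else min(row["first_seen"], t)
            row["last_seen"] = t if row["last_seen"] is None else max(row["last_seen"], t)
    # Freeze the code sets into sorted lists so rows are stable and comparable.
    return {k: {**v, "event_codes": sorted(v["event_codes"])} for k, v in rows.items()}


def format_alerts(summary):
    """Render one alert line per (host, user) row, sorted for deterministic output."""
    return [
        f"{host} {user}: event logs cleared {row['count']}x, codes={row['event_codes']}, "
        f"first={row['first_seen']}, last={row['last_seen']}"
        for (host, user), row in sorted(summary.items())
    ]


if __name__ == "__main__":
    for line in format_alerts(summarize_log_clears(SAMPLE_EVENTS)):
        print(line)
```

Running the block on the constructed sample produces two alert rows: WKSTN-01 / CORP\alice with both codes (Security and System logs cleared a second apart) and SRV-DC01 / CORP\svc_backup with a single 1102. The logon, process-creation and service-install events are ignored, and the string-typed `"104"` is still matched because the code is parsed before comparison.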
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1070.001
Created: 2024-02-09