Logman Execution - Windows

Anvilogic Forge

Summary
This detection rule monitors the execution of Logman (logman.exe), the built-in Windows command-line tool for managing performance counter logs and Event Tracing for Windows (ETW) trace sessions. The primary concern is that threat actors can misuse Logman to disable logging and security monitoring on targeted systems, allowing malicious activity to proceed undetected. The rule logic captures instances where Logman is invoked with the start, stop, delete, update, or query commands, which indicates potential tampering with event trace logs. It queries process logs from the CrowdStrike EDR and applies a timestamp filter that limits the search to events from the last two hours, ensuring timely detection of suspicious activity. This rule is particularly relevant in defense evasion scenarios, where attackers aim to impair system defenses.
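The following is an added illustration of the detection logic described above, written here as a stand-alone Python re-implementation; it is not the Anvilogic rule itself and does not use the CrowdStrike query language. The event field names (`timestamp`, `host`, `parent`, `image`, `cmdline`), the sample rows, and the severity mapping are all constructed assumptions for the example. It shows the three checks the summary describes: the process image is logman.exe, the command line carries one of the watched verbs, and the event falls inside a two-hour look-back window.

```python
"""Toy re-implementation of the "Logman Execution - Windows" detection logic.

Assumed event shape (constructed for this example, not CrowdStrike's schema):
    {"timestamp": ISO-8601 UTC, "host": str, "parent": str,
     "image": full path of the executable, "cmdline": str}
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Verbs named in the rule summary. "query" is read-only but is still watched.
LOGMAN_VERBS = {"start", "stop", "delete", "update", "query"}
LOOKBACK = timedelta(hours=2)  # the rule's two-hour timestamp filter

# Severity hint per verb: an assumption of this example, not part of the rule.
SEVERITY = {"stop": "high", "delete": "high", "update": "medium",
            "start": "medium", "query": "low"}

# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-16T10:05:00Z", "host": "WS01", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\logman.exe",
     "cmdline": 'logman.exe stop "EventLog-Security" -ets'},
    {"timestamp": "2024-05-16T10:06:30Z", "host": "WS01", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\logman.exe",
     "cmdline": "LOGMAN delete Sysmon-Trace -ets"},
    {"timestamp": "2024-05-16T09:50:00Z", "host": "WS02", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\logman.exe",
     "cmdline": "logman query -ets"},
    {"timestamp": "2024-05-16T06:00:00Z", "host": "WS03", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\logman.exe",
     "cmdline": "logman stop PerfCollector"},          # outside the 2-hour window
    {"timestamp": "2024-05-16T10:07:00Z", "host": "WS01", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\logman.exe",
     "cmdline": "logman /?"},                          # help text, no watched verb
    {"timestamp": "2024-05-16T10:08:00Z", "host": "WS01", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe logman-stop-notes.txt"},  # not logman.exe at all
]


def parse_ts(s: str) -> datetime:
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_logman(image: str) -> bool:
    """Match on the image basename, case-insensitively, so path or case
    variations of logman.exe are still caught."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "logman.exe"


def logman_verb(cmdline: str) -> str | None:
    """Return the watched Logman verb from a command line, or None.

    The verb is the first token after the one that names logman; quotes
    around the verb are stripped and case is ignored."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if "logman" in tok.lower():
            if i + 1 < len(tokens):
                verb = tokens[i + 1].strip('"').lower()
                return verb if verb in LOGMAN_VERBS else None
            return None
    return None


def detect(events: list[dict], now: datetime) -> list[dict]:
    """Apply the rule: logman.exe + watched verb + event within LOOKBACK of `now`."""
    window_start = now - LOOKBACK
    hits = []
    for ev in events:
        ts = parse_ts(ev["timestamp"])
        if not (window_start <= ts <= now):
            continue
        if not is_logman(ev["image"]):
            continue
        verb = logman_verb(ev["cmdline"])
        if verb is None:
            continue
        hits.append({"timestamp": ev["timestamp"], "host": ev["host"],
                     "parent": ev["parent"], "verb": verb,
                     "severity": SEVERITY[verb], "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    reference_now = parse_ts("2024-05-16T10:10:00Z")  # constructed "now"
    for hit in detect(SAMPLE_EVENTS, reference_now):
        print(f'{hit["timestamp"]} {hit["host"]:<5} {hit["severity"]:<6} '
              f'{hit["verb"]:<6} <- {hit["parent"]}: {hit["cmdline"]}')
```

Run against the constructed sample with a reference time of 10:10 UTC, the stop, delete and query invocations are returned while the 06:00 event (outside the window), the help invocation (no watched verb) and the notepad event (wrong image) are not. In practice the `query` verb is the noisiest of the five because it only reads session state, so a production version of this logic is usually tuned on the parent process or on known administrative tooling rather than on the verb alone.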
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1562.006
  • T1070
Created: 2024-05-16