
Summary
The rule "Suspicious wevtutil Usage" detects execution of wevtutil.exe with parameters that clear Windows event logs such as Application, Security, Setup, Trace, or System. The analytic draws primarily on Endpoint Detection and Response (EDR) telemetry, keying on process names and command-line arguments. Clearing event logs can indicate malicious behavior aimed at obscuring an attacker's footprint and complicating forensic investigation after a compromise. Confirmed activity of this kind warrants deeper analysis, since it potentially erases evidence of unauthorized access or of actions taken by attackers within the environment.
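As an added illustration, not part of this rule page or its author's content, the following Python applies the rule's logic (wevtutil.exe invoked with the clear-log verb, or its alias cl, against one of the named logs) to constructed process-creation events; the event field names and sample command lines are assumptions.

```python
import shlex
from typing import Optional

# Event logs named by the rule; matching is case-insensitive.
TARGET_LOGS = {"application", "security", "setup", "trace", "system"}

# Constructed sample process-creation events (not real telemetry), shaped like
# the process name / command line fields an EDR would supply.
SAMPLE_EVENTS = [
    {"process": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"process": "wevtutil.exe",
     "cmdline": '"C:\\Windows\\System32\\wevtutil.exe" clear-log System /backup:C:\\tmp\\sys.evtx'},
    {"process": "wevtutil.exe", "cmdline": "wevtutil qe Security /c:5 /f:text"},  # query, not clear
    {"process": "WEVTUTIL.EXE", "cmdline": "WEVTUTIL CL application"},
    {"process": "cmd.exe", "cmdline": "cmd /c echo hello"},
    {"process": "wevtutil.exe", "cmdline": "wevtutil cl Microsoft-Windows-PowerShell/Operational"},
]


def classify(event: dict) -> Optional[str]:
    """Return the log name being cleared if the event matches the rule, else None."""
    proc = event["process"].rsplit("\\", 1)[-1].lower()
    if proc != "wevtutil.exe":
        return None
    try:
        # posix=False keeps Windows backslashes intact; quotes are stripped below.
        argv = shlex.split(event["cmdline"], posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        argv = event["cmdline"].split()
    args = [a.strip('"') for a in argv[1:]]  # drop the executable token itself
    for i, a in enumerate(args[:-1]):
        if a.lower() in ("cl", "clear-log"):
            target = args[i + 1]
            # Only the logs the rule names are in scope; other channels are not matched.
            return target if target.lower() in TARGET_LOGS else None
    return None


def find_clears(events: list) -> list:
    """Collect the target log name of every matching event, in order."""
    return [log for log in (classify(ev) for ev in events) if log is not None]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or "-", "|", ev["cmdline"])
```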
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1070.001
- T1070
Created: 2024-11-13