
Summary
This detection rule identifies attempts to clear or disable Windows Event Log stores using the `wevtutil` command or PowerShell's `Clear-EventLog` cmdlet. Attackers typically do this to evade detection and erase forensic evidence from a compromised system. The rule triggers when these commands are executed, as observed across Winlogbeat indices and endpoint process logs. It points investigators toward the process execution chain and the user actions surrounding the command. Analysts are advised to weigh the context of the log clearing and assess whether it is a legitimate administrative task or a sign of malicious activity. The rule is designed for low-risk scenarios, alerting on conditions that might signal an attacker's effort to obscure their presence on the system.
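The matching logic described above, reduced to a readable form as an added example (this is not the rule's own query or any vendor's code). It classifies constructed process-creation events by whether they clear a log (`wevtutil cl` / `clear-log`, `Clear-EventLog`) or disable one (`wevtutil sl ... /e:false`), and collects the parent process and user so an analyst can judge context; the `ProcessEvent` fields, the `classify` and `triage` names and the sample events are all assumptions made for this example.

```python
"""Flag process events that clear or disable Windows Event Logs.

Added example, not the detection rule's own query: the same idea expressed
in plain Python so it can be read and tested offline against constructed events.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Verbs wevtutil accepts (short and long form) for clearing and reconfiguring a log.
WEVTUTIL_CLEAR = {"cl", "clear-log"}
WEVTUTIL_SET = {"sl", "set-log"}
# Common PowerShell host binaries that can run Clear-EventLog.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


@dataclass
class ProcessEvent:
    """Hypothetical stand-in for a process-creation event (fields are assumed)."""
    process_name: str
    command_line: str
    parent_name: str
    user: str


def _tokens(command_line: str) -> List[str]:
    """Split a Windows command line; posix=False keeps backslashes and quotes intact."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:
        return command_line.split()


def classify(event: ProcessEvent) -> Optional[str]:
    """Return the ATT&CK technique id the event maps to, or None if it is benign."""
    name = event.process_name.lower()
    toks = [t.lower().strip('"') for t in _tokens(event.command_line)]
    args = toks[1:]  # drop the executable itself
    if name == "wevtutil.exe" and args:
        verb = args[0]
        if verb in WEVTUTIL_CLEAR:
            return "T1070.001"  # Indicator Removal: Clear Windows Event Logs
        if verb in WEVTUTIL_SET and any(a in ("/e:false", "/enabled:false") for a in args[1:]):
            return "T1562.002"  # Impair Defenses: Disable Windows Event Logging
    if name in POWERSHELL_HOSTS and "clear-eventlog" in event.command_line.lower():
        return "T1070.001"
    return None


def triage(events: List[ProcessEvent]) -> List[Dict[str, str]]:
    """Produce alert records carrying the context an analyst needs to judge intent."""
    alerts = []
    for ev in events:
        technique = classify(ev)
        if technique is None:
            continue
        alerts.append({
            "technique": technique,
            "process": ev.process_name,
            "parent": ev.parent_name,
            "user": ev.user,
            "command_line": ev.command_line,
        })
    return alerts


# Constructed sample events: three that should alert, two benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent("wevtutil.exe", 'wevtutil.exe cl Security', "cmd.exe", r"CORP\jdoe"),
    ProcessEvent("wevtutil.exe",
                 'wevtutil sl "Microsoft-Windows-PowerShell/Operational" /e:false',
                 "cmd.exe", r"CORP\jdoe"),
    ProcessEvent("powershell.exe",
                 'powershell.exe -nop -c "Clear-EventLog -LogName Security, System"',
                 "explorer.exe", r"CORP\svc-backup"),
    ProcessEvent("wevtutil.exe", 'wevtutil qe Security /c:5', "cmd.exe", r"CORP\analyst"),
    ProcessEvent("powershell.exe", 'powershell.exe Get-EventLog -LogName Application',
                 "cmd.exe", r"CORP\analyst"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

In a real pipeline the parent process and user fields are what separate a scheduled maintenance script from an interactive session on a workstation, which is why `triage` carries them into the alert rather than emitting only the matched technique.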
Categories
- Endpoint
- Windows
- Cloud
- On-Premise
- Application
Data Sources
- Windows Registry
- Process
- Application Log
- Logon Session
- Malware Repository
ATT&CK Techniques
- T1070
- T1070.001
- T1562.002
- T1562
Created: 2020-02-18