Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript

Sigma Rules

Summary
This detection rule identifies potentially suspicious activity associated with use of the WMI class `Win32_NTEventlogFile` from PowerShell scripts. The operations targeted by this rule include deleting, backing up, changing permissions on, clearing, or renaming event log files, which can indicate an attempt to evade detection or remove traces of malicious activity. The rule scans PowerShell script blocks for specific methods known to interact with the `Win32_NTEventlogFile` class, alerting on keywords such as `BackupEventlog`, `ClearEventLog`, and `Delete`. Use of these operations may suggest malicious intent, especially when executed outside of known legitimate administrative tasks.
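The matching logic described above, as an added example (not the rule's own source): it approximates the rule by requiring a reference to `Win32_NTEventlogFile` plus one of the method keywords named in the summary, and runs that check over constructed PowerShell script block records in the style of Event ID 4104. Case-insensitive substring matching and the sample records are assumptions; the exact strings the published rule uses are in its source.

```python
"""Approximation of the rule's matching logic, run over constructed
PowerShell script block log records (Event ID 4104 style)."""
from typing import Iterable

WMI_CLASS = "win32_nteventlogfile"
# Method keywords quoted in the rule summary; matched case-insensitively (assumption).
SUSPICIOUS_METHODS = ("backupeventlog", "cleareventlog", "delete")


def matched_methods(script_block: str) -> list[str]:
    """Return the suspicious keywords found in a script block that also
    references Win32_NTEventlogFile; an empty list means no alert."""
    text = script_block.lower()
    if WMI_CLASS not in text:
        return []
    # Broad substring match, as the rule summary describes keyword alerting.
    return [m for m in SUSPICIOUS_METHODS if m in text]


def is_suspicious_script_block(script_block: str) -> bool:
    return bool(matched_methods(script_block))


def scan_script_blocks(events: Iterable[dict]) -> list[dict]:
    """Filter script block logging events and emit one alert record per hit."""
    alerts = []
    for event in events:
        if event.get("EventID") != 4104:  # only script block logging events
            continue
        hits = matched_methods(event.get("ScriptBlockText", ""))
        if hits:
            alerts.append({"ScriptBlockId": event.get("ScriptBlockId"), "methods": hits})
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "a1",   # clears the Security log -> alert
     "ScriptBlockText": "Get-WmiObject -Class Win32_NTEventlogFile | "
                        "Where-Object { $_.LogFileName -eq 'Security' } | "
                        "ForEach-Object { $_.ClearEventlog() }"},
    {"EventID": 4104, "ScriptBlockId": "b2",   # backs up a log -> alert
     "ScriptBlockText": "$log = Get-WmiObject Win32_NTEventlogFile -Filter "
                        "\"LogFileName='Application'\"; "
                        "$log.BackupEventlog('C:\\Backups\\app.evtx')"},
    {"EventID": 4104, "ScriptBlockId": "c3",   # read-only query -> no alert
     "ScriptBlockText": "Get-WmiObject -Class Win32_NTEventlogFile | "
                        "Select-Object LogFileName, FileSize"},
    {"EventID": 4104, "ScriptBlockId": "d4",   # Delete() without the class -> no alert
     "ScriptBlockText": "$f = Get-Item C:\\Temp\\old.log; $f.Delete()"},
]

if __name__ == "__main__":
    for alert in scan_script_blocks(SAMPLE_EVENTS):
        print(alert)
```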
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • WMI
Created: 2023-07-13