
Summary
This analytic rule detects execution of 'wevtutil.exe' with parameters that disable a Windows event log. This behaviour is commonly associated with malicious activity, ransomware in particular, whose operators want to obscure their actions and evade detection by switching off logging that is vital for forensic investigation. The detection relies on telemetry from Endpoint Detection and Response (EDR) agents and keys on the process name together with the command-line arguments used when 'wevtutil.exe' runs. Specifically, it captures invocations that use the 'sl' or 'set-log' subcommand together with the '/e:false' parameter, which strongly indicates an intent to disable the targeted log. The rule highlights attackers who use this method to tamper with an environment's logging and operate covertly.
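As an added example that is not part of the original rule, the following Python reproduces the described detection logic over a handful of constructed EDR-style process events: it checks the image name, tokenizes the command line (keeping quoted log names intact), and flags runs that combine an 'sl' or 'set-log' subcommand with '/e:false', case-insensitively. The event fields, host names and sample command lines are assumptions made for the demonstration.

```python
"""Flag wevtutil.exe invocations that disable a Windows event log (sl/set-log ... /e:false)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    """Minimal process-creation record as an EDR agent might report it (assumed schema)."""
    host: str
    user: str
    process_name: str   # image name or full path
    command_line: str


# Constructed sample events for the demonstration; not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\alice", "wevtutil.exe",
                 "wevtutil.exe sl Security /e:false"),
    ProcessEvent("ws02", "CORP\\bob", "C:\\Windows\\System32\\wevtutil.exe",
                 '"C:\\Windows\\System32\\wevtutil.exe" set-log '
                 '"Microsoft-Windows-PowerShell/Operational" /e:false'),
    ProcessEvent("ws03", "CORP\\carol", "wevtutil.exe",
                 "wevtutil.exe qe Security /c:5 /f:text"),          # read-only query
    ProcessEvent("ws04", "CORP\\dave", "wevtutil.exe",
                 "wevtutil.exe sl Application /ms:104857600"),       # resize, not disable
    ProcessEvent("ws05", "CORP\\erin", "WEVTUTIL.EXE",
                 "WEVTUTIL.EXE SL System /E:FALSE"),                 # case variation
    ProcessEvent("ws06", "CORP\\frank", "cmd.exe",
                 "cmd.exe /c echo wevtutil sl Security /e:false"),   # wrong image: no match
]

VERB_RE = re.compile(r"^(sl|set-log)$", re.IGNORECASE)
DISABLE_RE = re.compile(r"^/e:false$", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # keep double-quoted arguments together


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line into tokens, preserving quoted spans and dropping the quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(command_line)]


def image_basename(path: str) -> str:
    """Lower-case file name from an image path (handles quotes and both slash styles)."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_disable_log_event(event: ProcessEvent) -> bool:
    """True when wevtutil.exe runs with an sl/set-log subcommand and /e:false."""
    if image_basename(event.process_name) != "wevtutil.exe":
        return False
    args = tokenize(event.command_line)[1:]   # drop the image path itself
    has_verb = any(VERB_RE.match(a) for a in args)
    has_disable = any(DISABLE_RE.match(a) for a in args)
    return has_verb and has_disable


def target_log(event: ProcessEvent) -> Optional[str]:
    """Name of the log being modified: the positional argument after sl/set-log."""
    args = tokenize(event.command_line)[1:]
    for i, a in enumerate(args):
        if VERB_RE.match(a) and i + 1 < len(args) and not args[i + 1].startswith("/"):
            return args[i + 1]
    return None


def scan(events) -> List[dict]:
    """Return one finding per matching event, tagged with the ATT&CK sub-technique."""
    findings = []
    for ev in events:
        if is_disable_log_event(ev):
            findings.append({
                "host": ev.host,
                "user": ev.user,
                "log_name": target_log(ev),
                "command_line": ev.command_line,
                "technique": "T1070.001",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} disabled log {f['log_name']!r}: {f['command_line']}")
```

Running the block reports ws01, ws02 and ws05 and ignores the query, the size change and the cmd.exe event (a real `cmd /c wevtutil ...` would spawn its own wevtutil.exe process event, which is why the image-name check matters). The same command line is also what an administrator types to retire a log, so in production the finding should be enriched with the user, host and parent process before it is escalated.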
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Logon Session
ATT&CK Techniques
- T1070
- T1070.001
Created: 2024-12-10