elastic · Samirbous · Dec 2, 2020 · Oct 19, 2020 · Nov 5, 2020 · Nov 27, 2020
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/11/30"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection
-or destroy forensic evidence on a system.
+Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by
+attackers in an attempt to evade detection or destroy forensic evidence on a system.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
@@ -21,9 +21,9 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
-event.category:process and event.type:(start or process_started) and
-  process.name:wevtutil.exe and process.args:cl or
-  process.name:powershell.exe and process.args:Clear-EventLog
+event.category:process and event.type:(process_started or start) and 
+(process.name:"wevtutil.exe" or process.pe.original_file_name:"wevtutil.exe") and 
+process.args:("/e:false" or cl or "clear-log") or process.name:"powershell.exe" and process.args:"Clear-EventLog"
 '''
 
 
@@ -39,4 +39,3 @@ reference = "https://attack.mitre.org/techniques/T1070/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-