SigmaHQ/rules/windows/builtin/win_susp_eventlog_cleared.yml

title: Eventlog Cleared
description: One of the Windows Eventlogs has been cleared
reference: https://twitter.com/deviouspolack/status/832535435960209408
author: Florian Roth
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 104
    condition: selection
falsepositives:
    - Unknown
level: medium
Consistency between format description and examples - description/comment -> title/description - addition of reference 2017-01-10 21:40:59 +00:00			`title: Eventlog Cleared`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`description: One of the Windows Eventlogs has been cleared`
			`reference: https://twitter.com/deviouspolack/status/832535435960209408`
			`author: Florian Roth`
			`logsource:`
Removed lists from log source section 2017-02-19 10:08:23 +00:00			`product: windows`
Windows Built-In rules > LogSource definition 2017-03-05 22:55:52 +00:00			`service: system`
Example Updates 2016-12-27 13:49:54 +00:00			`detection:`
Examples and Image 2016-12-26 01:21:55 +00:00			`selection:`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`EventID: 104`
Remove implicit selection number, first Sysmon example 2017-01-10 14:05:19 +00:00			`condition: selection`
First Example Set - Builtin 2016-12-24 11:23:47 +00:00			`falsepositives:`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`- Unknown`
			`level: medium`