alert:
- debug
description: Detects keywords that could indicate clearing PowerShell history
filter:
- query:
    query_string:
      query: "\\*.keyword:(*del\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *Set\\-PSReadlineOption\\ \u2013HistorySaveStyle\\ SaveNothing* OR *Remove\\-Item\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *rm\\ \\(Get\\-PSReadlineOption\\).HistorySavePath*)"
index: wazuh-alerts-3.x-*
name: dfba4ce1-e0ea-495f-986e-97140f31af2d_0
priority: 3
realert:
  minutes: 0
type: any