I have a new on-prem deployment of ELK 7.6.2 and have been working with the SIEM tool, and, like in another post about not seeing a signal get triggered when clearing logs, I had the same issue. I worked through the Winlogbeat configuration and installed and deployed Sysmon on the Windows server I am testing with. After everything, and seeing the proper fields get populated, I still could not see the signal get triggered when I ran "powershell.exe clear-eventlog -logname security" on the test system.
The fields that were indexed were:
process.name => powershell.exe
event.action => Process Create (rule: ProcessCreate)
process.args => powershell.exe, clear-eventlog, -logname, application
Below is the default detection rule for "Clearing Windows Event Logs":
event.action:"Process Create (rule: ProcessCreate)" and (process.name:"wevtutil.exe" and process.args:"cl") or (process.name:"powershell.exe" and process.args:"Clear-EventLog")
It seems that when the field process.args is queried it is case sensitive, and it would not trigger if I used lower case. I made a duplicate of the default detection rule with the process.args query in lower case, and it of course triggered.
Is there a way to make the query case-insensitive, like it would be on a Windows system when the command is run? I did see some posts in other areas about this, but I didn't seem to find an answer.
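As an added illustration (not part of the original post, and not Elastic's own detection code), the Python below emulates the two matching behaviours the post contrasts: a byte-exact comparison against process.args, which is what a term-style match against an un-normalized keyword field does, and a case-folded comparison, which is what you get once the field is lowercased before matching. The events are constructed to mirror the fields quoted in the post (process.name, process.args, event.action); the rule's two branches are evaluated with explicit grouping so the Process Create check applies to both.

```python
"""Emulate exact (keyword-style) vs. case-folded matching of process.args.

Added example, not code from the original post or from Elastic's prebuilt
rules. Sample events are constructed to look like the Winlogbeat/Sysmon
fields the post lists; the matcher is a stand-alone emulation, not
Elasticsearch itself.
"""

PROCESS_CREATE = "Process Create (rule: ProcessCreate)"

# Constructed sample events shaped like the fields quoted in the post.
SAMPLE_EVENTS = [
    {   # what the poster ran: cmdlet name typed in lower case
        "process": {"name": "powershell.exe",
                    "args": ["powershell.exe", "clear-eventlog", "-logname", "security"]},
        "event": {"action": PROCESS_CREATE},
    },
    {   # same command with the canonical casing used by the default rule
        "process": {"name": "powershell.exe",
                    "args": ["powershell.exe", "Clear-EventLog", "-LogName", "Security"]},
        "event": {"action": PROCESS_CREATE},
    },
    {   # wevtutil branch of the rule
        "process": {"name": "wevtutil.exe", "args": ["wevtutil.exe", "cl", "Security"]},
        "event": {"action": PROCESS_CREATE},
    },
    {   # benign: reads the log instead of clearing it, must not fire
        "process": {"name": "powershell.exe",
                    "args": ["powershell.exe", "Get-EventLog", "-LogName", "Security"]},
        "event": {"action": PROCESS_CREATE},
    },
]


def args_contain(event, wanted, fold_case):
    """True if any element of process.args equals `wanted`.

    fold_case=False is a byte-exact comparison, like a term match against an
    un-normalized keyword field: "clear-eventlog" != "Clear-EventLog".
    fold_case=True compares both sides after str.casefold(), which is the
    effect of lowercasing the field before it is matched.
    """
    args = event.get("process", {}).get("args", [])
    if fold_case:
        return wanted.casefold() in (a.casefold() for a in args)
    return wanted in args


def is_event_log_clear(event, fold_case):
    """Evaluate both branches of the 'Clearing Windows Event Logs' rule.

    The Process Create check is applied to both branches explicitly.
    """
    if event.get("event", {}).get("action") != PROCESS_CREATE:
        return False
    name = event.get("process", {}).get("name", "")
    via_wevtutil = name == "wevtutil.exe" and args_contain(event, "cl", fold_case)
    via_powershell = (name == "powershell.exe"
                      and args_contain(event, "Clear-EventLog", fold_case))
    return via_wevtutil or via_powershell


def run_rule(events, fold_case):
    """Return the indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if is_event_log_clear(ev, fold_case)]


if __name__ == "__main__":
    # Exact matching misses event 0 (the lowercase command the poster ran);
    # case-folded matching catches it, and neither fires on the Get-EventLog event.
    print("exact match hits:      ", run_rule(SAMPLE_EVENTS, fold_case=False))
    print("case-folded match hits:", run_rule(SAMPLE_EVENTS, fold_case=True))
```

In Elasticsearch terms, the `fold_case=True` branch corresponds to mapping process.args as a `keyword` field with a custom normalizer that applies the `lowercase` token filter, so that both the indexed values and the query term are lowercased before comparison; later releases (7.10 onward) also accept a `case_insensitive` flag on term, prefix, wildcard and regexp queries, but that is not available in 7.6.2.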