[Rule Tuning] Windows Event Logs Cleared - alerts about Qualys agent #5755

@richlv

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_clearing_windows_security_logs.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

This rule occasionally alerts about Qualys log clearing, which seems to be initiated by the Qualys agent itself.

Possibly useful fields:
winlog.user_data.Channel Qualys
winlog.user.identifier S-1-5-18
winlog.user.name SYSTEM

Example Data

No response
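To make the proposed tuning concrete, here is an added example (not part of the issue or of the detection-rules repository) that reimplements the rule's idea over constructed winlogbeat-style events and applies the exclusion the fields above suggest. It assumes the rule keys on Windows Event IDs 1102 (Security log cleared) and 104 (a log cleared, reported by Microsoft-Windows-Eventlog), and that the cleared log's name lands in `winlog.user_data.Channel`; the exact rule query and field layout are assumptions, and the sample events are invented. The example also shows why the exclusion should key on both the channel and the SYSTEM SID: a Qualys channel cleared by an ordinary user still alerts.

```python
"""Tuning illustration for a "Windows Event Logs Cleared" style detection.

Constructed events (not real telemetry) in an ECS / winlogbeat-like shape.
Event codes 1102 and 104 are treated as log clearing; the exclusion drops
104 events where the cleared channel is "Qualys" and the actor is SYSTEM
(S-1-5-18), matching the Qualys-agent behaviour described in the issue.
Field paths and the rule logic are assumptions, not the rule's own text.
"""
from __future__ import annotations

from typing import Any

LOG_CLEARED_EVENT_CODES = {"1102", "104"}
SYSTEM_SID = "S-1-5-18"


def _system_user() -> dict[str, str]:
    return {"identifier": SYSTEM_SID, "name": "SYSTEM"}


def _user_jdoe() -> dict[str, str]:
    # Constructed, non-well-known SID for an ordinary interactive account.
    return {"identifier": "S-1-5-21-1111111111-2222222222-3333333333-1001", "name": "jdoe"}


def _event(code: str, channel: str, user: dict[str, str], cleared: str | None) -> dict[str, Any]:
    ev: dict[str, Any] = {
        "event": {"code": code, "provider": "Microsoft-Windows-Eventlog"},
        "winlog": {"channel": channel, "user": user, "user_data": {}},
    }
    if cleared is not None:
        ev["winlog"]["user_data"]["Channel"] = cleared
    return ev


# Constructed sample events.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    # Qualys agent clearing its own channel: the benign case from the issue.
    _event("104", "System", _system_user(), "Qualys"),
    # Security log cleared by an interactive account: must still alert.
    _event("1102", "Security", _user_jdoe(), "Security"),
    # System log cleared by SYSTEM: the exclusion must not swallow this.
    _event("104", "System", _system_user(), "System"),
    # Qualys channel cleared by a user, not the agent: should still alert.
    _event("104", "System", _user_jdoe(), "Qualys"),
    # Unrelated logon event: never matches the rule at all.
    _event("4624", "Security", _user_jdoe(), None),
]


def get(event: dict[str, Any], path: str, default: Any = None) -> Any:
    """Resolve a dotted ECS path such as 'winlog.user_data.Channel'."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_log_cleared(event: dict[str, Any]) -> bool:
    """Base detection: an event reporting that a Windows event log was cleared."""
    return str(get(event, "event.code")) in LOG_CLEARED_EVENT_CODES


def is_qualys_self_clear(event: dict[str, Any]) -> bool:
    """The exclusion suggested by the issue's fields: Qualys channel cleared by SYSTEM.

    Both conditions are required so that a Qualys channel cleared by any
    other principal, or any other channel cleared by SYSTEM, still alerts.
    """
    return (
        get(event, "winlog.user_data.Channel") == "Qualys"
        and get(event, "winlog.user.identifier") == SYSTEM_SID
    )


def tuned_alerts(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Events that match the base detection and survive the tuning exclusion."""
    return [e for e in events if is_log_cleared(e) and not is_qualys_self_clear(e)]


def alert_summary(events: list[dict[str, Any]]) -> list[tuple[str, str, str]]:
    """(event code, cleared channel, actor name) for each surviving alert."""
    return [
        (str(get(e, "event.code")), get(e, "winlog.user_data.Channel"), get(e, "winlog.user.name"))
        for e in tuned_alerts(events)
    ]


if __name__ == "__main__":
    for row in alert_summary(SAMPLE_EVENTS):
        print(row)
```

Running the block prints the three alerts that survive: the Security clear by `jdoe`, the System clear by SYSTEM, and the Qualys channel clear by `jdoe`; only the Qualys-agent self-clear is suppressed. In the actual rule this would be expressed as an exception or query clause on the same two fields rather than in Python.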
