In various publicly shared Defender ATP queries (like one in this Microsoft posting), detection looks for the act of clearing the security event log this way:
// Attempts to clear security event logs.
| where Title in("Event log was cleared",
<this is just an excerpt so ignore the lack of closure here>
But based on my testing, the act of clearing the security log does not generate something classified under "DeviceAlertEvents". Instead, I had to use DeviceEvents and filter for the ActionType "securitylogcleared".
While I'm glad that I could figure this out and create my own detection, I'm wondering: Was there a schema change I missed? Or something I didn't configure correctly? I'm just concerned that a lot of community shared detections are not written properly; and some I've already implemented I need to go back and update.
Edited to add: So using DeviceEvents worked for one machine (Windows 10, Build 19041.572), but did not for another, even after bringing it to the same build level. We clear the security event log, but it's not showing up in the timeline *at all*. I can see the mmc being loaded and I even see the screenshot of the event log, but no event in the timeline for clearing it. What's driving this??
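As an added example (not the poster's query and not one of the Microsoft-shared queries), here is one way to write the detection so that it reads from the table the post found to work (DeviceEvents filtered on ActionType) while still picking up any alert rows that the community queries key on, so the two sources can be compared side by side. It assumes the DeviceEvents and DeviceAlertEvents column names used below exist as in the advanced hunting schema, and that the ActionType value is "SecurityLogCleared" (the post reports it as "securitylogcleared"; the =~ operator makes the match case-insensitive either way).

```kusto
// Added example, not from the original post. Assumes the DeviceEvents and
// DeviceAlertEvents columns named here exist as in the advanced hunting schema.
let lookback = 7d;
// Source the post found to work: raw telemetry rows in DeviceEvents.
let fromDeviceEvents = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType =~ "SecurityLogCleared"   // case-insensitive match on the ActionType
| project Timestamp, DeviceName, Source = "DeviceEvents",
          Account = InitiatingProcessAccountName,
          Process = InitiatingProcessFileName,
          CommandLine = InitiatingProcessCommandLine;
// Source the shared community queries rely on: alert rows matched on Title.
// Kept here only so that both sources show up in one result set for comparison.
let fromAlerts = DeviceAlertEvents
| where Timestamp > ago(lookback)
| where Title has "Event log was cleared"
| project Timestamp, DeviceName, Source = "DeviceAlertEvents",
          Account = "", Process = "", CommandLine = "";
fromDeviceEvents
| union fromAlerts
| order by Timestamp desc
```

The Source column makes it easy to see, per device, whether a clearing event arrived as telemetry, as an alert, or not at all; a device where a known test clearing produces no row from either source (the situation described in the edit above) is a sensor or onboarding question rather than a query problem.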