I had a customer bring this to my attention, but there are tools out there that will backup logs and clear them as needed. This will generate an unwanted noise when an automated tool clears the log. As such, I’ve re-written the rule to allow for an account based override. Here’s how it works.
The original rule has been disabled. It’s still there if you want to enable it for any reason, but I haven’t (at least as of now) pulled it out of the XML. I’ve created and enabled a new rule that does the same thing, but this has an additional statement looking for a user account, which is can be overridden.
In the screenshot above, you can override with the specific service account that is being used to clear the logs.
This will also apply to the rule looking for the system log being cleared.
This will be in the May update to Security Monitoring.