Merge PR #6038 from @srkyn - Fix Suspicious Eventlog Clearing or Configuration Change Activity

fix: Suspicious Eventlog Clearing or Configuration Change Activity - Fix parentheses in condition

Co-authored-by: David Sarkisyan <281478990+srkyn@users.noreply.github.com>

Author: srkyn

rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml

@@ -16,7 +16,7 @@ references:
     - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
 author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2019-09-26
-modified: 2025-03-12
+modified: 2026-06-01
 tags:
     - attack.defense-impairment
     - attack.t1685.005
@@ -33,7 +33,7 @@ detection:
         CommandLine|contains:
             - 'clear-log '          # clears specified log
             - ' cl '                # short version of 'clear-log'
-            - 'set-log '            # modifies config of specified log. could be uset to set it to a tiny size
+            - 'set-log '            # modifies config of specified log. could be used to set it to a tiny size
             - ' sl '                # short version of 'set-log'
             - 'lfn:'                # change log file location and name
     selection_other_ps_img:
@@ -68,7 +68,7 @@ detection:
             - 'C:\Windows\SysWOW64\msiexec.exe'
             - 'C:\Windows\System32\msiexec.exe'
         CommandLine|contains: ' sl '
-    condition: (all of selection_wevtutil_*) or (all of selection_other_ps_*) or (selection_other_wmi) and not 1 of filter_main_*
+    condition: ((all of selection_wevtutil_*) or (all of selection_other_ps_*) or selection_other_wmi) and not 1 of filter_main_*
 falsepositives:
     - Admin activity
     - Scripts and administrative tools used in the monitored environment