drop security evtx csv · detect evidence of event log export operations · identify logs that were exported then cleared · surface wevtutil epl and other export commands preceding clearing · runs locally
4688 wevtutil epl/al · 4104 Export-Csv · copy/robocopy winevt\Logs · export then 1102/104 clear within 60m = critical
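The correlation the rules line describes, as an added example that is not the tool's own code: export indicators are matched on 4688 process-creation and 4104 script-block text, then paired with a 1102/104 clear that follows within the 60-minute window. The CSV column names (timestamp, event_id, channel, message) and the sample rows are assumptions, not the tool's actual input format.

```python
import csv
import io
import re
from datetime import datetime, timedelta
# Constructed sample rows; the column layout is an assumption, not the tool's format.
SAMPLE_CSV = """timestamp,event_id,channel,message
2024-03-01T10:02:11,4688,Security,"New Process: C:\\Windows\\System32\\wevtutil.exe  CommandLine: wevtutil epl Security C:\\Users\\Public\\sec.evtx"
2024-03-01T10:05:40,4104,Microsoft-Windows-PowerShell/Operational,"Get-WinEvent -LogName System | Export-Csv C:\\Users\\Public\\sys.csv"
2024-03-01T10:41:03,1102,Security,"The audit log was cleared."
2024-03-01T13:15:00,4688,Security,"New Process: C:\\Windows\\System32\\Robocopy.exe  CommandLine: robocopy C:\\Windows\\System32\\winevt\\Logs D:\\bak"
2024-03-01T16:30:00,104,System,"The System log file was cleared."
"""

# Export indicators from the page: 4688 wevtutil epl/al, 4104 Export-Csv, copy/robocopy of winevt\Logs.
EXPORT_RULES = [
    ("4688", re.compile(r"wevtutil(\.exe)?\s+(epl|al)\b", re.I), "wevtutil export/archive"),
    ("4104", re.compile(r"\bExport-Csv\b", re.I), "PowerShell Export-Csv"),
    ("4688", re.compile(r"\b(copy|robocopy)\b.*winevt\\Logs", re.I), "copy of winevt\\Logs"),
]
CLEAR_IDS = {"1102", "104"}      # 1102: Security log cleared, 104: System log cleared
WINDOW = timedelta(minutes=60)   # export followed by a clear within 60m = critical

def parse_rows(text):
    rows = [{"ts": datetime.fromisoformat(r["timestamp"]), "id": r["event_id"].strip(),
             "channel": r["channel"], "msg": r["message"]} for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r["ts"])

def find_exports(rows):
    hits = []
    for r in rows:
        for eid, pat, label in EXPORT_RULES:
            if r["id"] == eid and pat.search(r["msg"]):
                hits.append({"ts": r["ts"], "label": label})
                break
    return hits

def correlate(rows):
    exports, matched, findings = find_exports(rows), set(), []
    for c in (r for r in rows if r["id"] in CLEAR_IDS):
        # every export event that landed inside the window before this clear
        idx = [i for i, e in enumerate(exports) if c["ts"] - WINDOW <= e["ts"] <= c["ts"]]
        if idx:
            matched.update(idx)
            findings.append({"severity": "critical", "ts": c["ts"], "clear": f'{c["id"]} {c["channel"]}',
                             "exports": [exports[i]["label"] for i in idx]})
    for i, e in enumerate(exports):
        if i not in matched:  # export with no clear inside the window: still worth surfacing
            findings.append({"severity": "medium", "ts": e["ts"], "clear": None, "exports": [e["label"]]})
    return sorted(findings, key=lambda f: f["ts"])
```

Run `correlate(parse_rows(SAMPLE_CSV))` to get the findings list; on the sample, the wevtutil and Export-Csv rows are paired with the 1102 clear 39 minutes later, while the robocopy row stays a medium finding because the 104 clear comes more than three hours after it.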
drop security · system · powershell operational evtx csv · optional mft csv