diff --git a/rules/cross-platform/user_account_created.toml b/rules/cross-platform/user_account_created.toml
new file mode 100644
index 00000000000..a2bf3aab408
--- /dev/null
+++ b/rules/cross-platform/user_account_created.toml
@@ -0,0 +1,26 @@
+[metadata]
+creation_date = "2020/11/18"
+ecs_version = ["1.6.0"]
+maturity = "development"
+updated_date = "2020/11/18"
+
+[rule]
+author = ["Anabella Cristaldi"]
+description = """
+Identifies the creation of new users. This is sometimes done either by attackers to increase access to a system or a
+domain or by a legal admin and the activity needs to be audited when strong security regulations are in place.
+"""
+index = ["winlogbeat-*", "auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "User Account Created"
+risk_score = 21
+rule_id = "73ccc727-dc70-4112-85f1-aa91f86548f0"
+severity = "low"
+tags = ["Windows", "Linux", "Elastic"]
+type = "query"
+
+query = '''
+event.category:iam and event.type:(creation and user) and event.outcome:success
+'''
+
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
new file mode 100644
index 00000000000..aab36926455
--- /dev/null
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -0,0 +1,27 @@
+[metadata]
+creation_date = "2020/11/12"
+ecs_version = ["1.6.0"]
+maturity = "development"
+updated_date = "2020/11/12"
+
+[rule]
+author = ["Anabella Cristaldi"]
+description = "Identifies attempts to clear Windows Security log stores"
+from = "now-9m"
+index = ["winlogbeat-*"]
+interval = "6m"
+language = "kuery"
+license = "Elastic License"
+max_signals = 99
+name = "Clearing Windows Security Logs"
+risk_score = 21
+rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7"
+severity = "low"
+tags = ["Windows", "Elastic"]
+to = "now-1s"
+type = "query"
+
+query = '''
+event.module:security and event.action:audit-log-cleared
+'''
+
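Review bot: The rule ships without a `false_positives` entry even though its own description says account creation is routinely done by legitimate administrators, so the low-severity signal gives a triaging analyst no statement of expected noise; add one along the lines of `false_positives = ["Accounts are created by administrators and provisioning tooling during normal operations; tune by excluding known provisioning sources."]`, and the same omission applies to defense_evasion_clearing_windows_security_logs.toml in this commit. The description wording `by a legal admin` should be `by a legitimate administrator`, and the `"""` string breaks mid-sentence at `a system or a` / `domain`, so either fold the lines with a trailing `\` or keep each sentence on its own line. Neither rule carries a MITRE ATT&CK `threat` mapping; account creation corresponds to T1136 (Create Account) and log clearing to T1070.001, and adding those blocks is what lets the signals be grouped by tactic in the UI. The query is sound as written since the `event.outcome:success` filter keeps failed creations from firing.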
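Review bot: The description says `attempts` to clear the log, but nothing in `event.module:security and event.action:audit-log-cleared` inspects `event.outcome`, and the audit-log-cleared action presumably reflects a clear that already happened (Windows Event ID 1102 is emitted after the fact) — confirm against the Winlogbeat Security module mapping and reword to `description = "Identifies clearing of the Windows Security event log, which destroys audit evidence and is a common defense-evasion step."`. Keying on the translated action string alone is brittle if the module's label changes between versions; if `event.code` is populated in the target index, anchoring the query on `event.code:1102` alongside the action would be more stable, so verify that before relying on it. `max_signals = 99` is an unusual ceiling with no comment giving the reason, and `to = "now-1s"` likewise deserves a one-line note since the `from = "now-9m"` / `interval = "6m"` overlap is what covers the deliberate 1s lag.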