Shell Command-Line History Deletion Detected via Defend for Containers

Elastic Detection Rules

Summary
This rule identifies the deletion of shell command-line history files within containers, a tactic commonly used by adversaries to obscure their activity and evade detection. Shell history files such as .bash_history, .sh_history and .zsh_history record the commands typed in an interactive shell. An attacker who obtains an interactive shell in a running pod (for example via kubectl exec) may delete these files, or symlink them to /dev/null so that nothing is ever written, leaving no command record for forensic investigators.

The detection logic combines two event sources: file events, to catch deletions of history files, and process events, to catch commands that manipulate those files (removal, secure wiping, or symlinking to /dev/null). The rule is intended to fire on actions indicative of history suppression and produces alerts that can be routed to downstream alerting systems. With a risk score of 73 it is classified as high severity, because losing command history severely limits the ability to reconstruct what an intruder did inside a container.

The investigation steps emphasise correlating the file and process events with other activity from the same container and user, building a timeline of unauthorised actions, and restoring any settings or configurations that were tampered with. Response recommendations are to isolate the affected containers, remove unauthorised configuration, recover by rebuilding the affected workloads from known-good images, and tighten Kubernetes RBAC, in particular restricting which principals may exec into pods.
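To make the two-branch logic concrete, the following is an added example of a stand-alone approximation of the rule, written for this page; it is not Elastic's own query. It evaluates constructed sample events (field names loosely follow Elastic Common Schema, but the records are made up for the example, not real agent output): the file branch matches a deletion event whose path is a shell history file, and the process branch matches rm/unlink/shred of a history file or an ln that points a history file at /dev/null. Events without a container.id are ignored because the rule is scoped to containers.

```python
import re
import shlex
from typing import Optional

# Basename patterns for the history files the rule cares about.
HISTORY_PATH_RE = re.compile(r"(?:^|/)\.(?:bash|sh|zsh|ash|ksh)_history$")
# Commands that remove a file outright (unlink) or overwrite-then-remove (shred).
DELETE_CMDS = {"rm", "unlink", "shred"}


def is_history_path(path: str) -> bool:
    """True when the path's basename is a shell command-line history file."""
    return bool(HISTORY_PATH_RE.search(path or ""))


def in_container(event: dict) -> bool:
    """The rule is scoped to containers: require a container id on the event."""
    return bool(event.get("container.id"))


def history_file_deleted(event: dict) -> bool:
    """File branch: a deletion event whose target is a history file."""
    return (
        event.get("event.category") == "file"
        and event.get("event.type") == "deletion"
        and is_history_path(event.get("file.path", ""))
    )


def history_suppressing_command(event: dict) -> Optional[str]:
    """Process branch: rm/unlink/shred of a history file, or a symlink of a
    history file to /dev/null. Returns a short reason, or None if benign."""
    if event.get("event.category") != "process":
        return None
    # Prefer the pre-split argv; fall back to splitting the command line.
    args = event.get("process.args") or shlex.split(event.get("process.command_line", ""))
    if not args:
        return None
    cmd = args[0].rsplit("/", 1)[-1]          # strip any leading directory
    targets = [a for a in args[1:] if not a.startswith("-")]  # drop flags
    if cmd in DELETE_CMDS and any(is_history_path(t) for t in targets):
        return f"{cmd} of history file"
    if cmd == "ln" and "/dev/null" in targets and any(is_history_path(t) for t in targets):
        return "history file symlinked to /dev/null"
    return None


def evaluate(events):
    """Return (index, reason) for every event that should raise the alert."""
    hits = []
    for i, ev in enumerate(events):
        if not in_container(ev):
            continue
        if history_file_deleted(ev):
            hits.append((i, "history file deleted"))
            continue
        reason = history_suppressing_command(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample events (hypothetical; not captured from a real cluster).
SAMPLE_EVENTS = [
    {"event.category": "file", "event.type": "deletion",
     "file.path": "/root/.bash_history", "container.id": "c1", "process.name": "rm"},
    {"event.category": "process", "event.type": "start",
     "process.command_line": "ln -sf /dev/null /root/.bash_history", "container.id": "c1"},
    {"event.category": "process", "event.type": "start",
     "process.command_line": "rm -f /tmp/build.log", "container.id": "c1"},
    # Same deletion on a host outside any container: out of scope for this rule.
    {"event.category": "file", "event.type": "deletion",
     "file.path": "/home/dev/.bash_history"},
    # Reading history is not suppression.
    {"event.category": "process", "event.type": "start",
     "process.command_line": "cat /root/.bash_history", "container.id": "c1"},
    {"event.category": "process", "event.type": "start",
     "process.args": ["/usr/bin/shred", "-u", "/home/app/.zsh_history"], "container.id": "c2"},
]

if __name__ == "__main__":
    for index, reason in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

Running it flags events 0, 1 and 5 and leaves the log cleanup, the out-of-container deletion and the plain read alone. One caveat worth keeping in mind when tuning: shell builtins such as `history -c`, or simply `unset HISTFILE` before doing anything, suppress history without spawning a process or deleting a file, so neither branch above (nor any detection built purely on file-deletion and process-creation events) will see them; those need session-level or auditd-style telemetry.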
Categories
  • Containers
  • Linux
  • Cloud
Data Sources
  • Container
  • File
  • Process
  • Command
ATT&CK Techniques
  • T1070
  • T1070.003
Created: 2026-02-06