
Clear Linux Logs

Sigma Rules

Summary
This detection rule identifies attempts to clear system logs on Linux hosts, a common step adversaries take to hide traces of an intrusion (Indicator Removal: Clear Linux or Mac System Logs). It inspects process creation events and fires only when both conditions hold: the image path ends with one of the deletion utilities 'rm', 'shred' or 'unlink', and the command line references a log location, either the '/var/log' tree or the mail spool under '/var/spool/mail'. Matching events point to possible destruction of forensic evidence and should be triaged against the executing user, parent process and the exact files named. Two caveats apply in practice: routine administration (manual cleanup of old log files) produces the same pattern, so expect some benign hits; and the rule only sees separate deletion processes, so log truncation done in-place through shell redirection (for example '> /var/log/auth.log') or with 'truncate' will not spawn 'rm', 'shred' or 'unlink' and is not covered by this logic.
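The selection logic the summary describes, as an added example that runs it over constructed process-creation events. This is not the rule's own Sigma YAML or any project code; the event field names (Image, CommandLine) and the leading '/' on the image suffixes are assumptions made here to mirror the usual Sigma process_creation conventions.

```python
"""Toy evaluator for the 'Clear Linux Logs' selection described above.

Added example: it reproduces the two clauses from the summary with
Sigma-style 'endswith' and 'contains' semantics (both must hold) and runs
them over a handful of constructed events, including one the rule does not
catch by design.
"""
from typing import Dict, Iterable, List

# Image|endswith: the deletion utilities the summary names. The leading '/'
# anchors on the path separator so e.g. '/usr/bin/shred' matches but a
# binary merely ending in 'rm' (like '/usr/bin/xterm') does not. Assumption.
IMAGE_SUFFIXES = ("/rm", "/shred", "/unlink")

# CommandLine|contains: the log locations the summary names.
CMDLINE_SUBSTRINGS = ("/var/log", "/var/spool/mail")


def matches_clear_linux_logs(event: Dict[str, str]) -> bool:
    """Return True when both selection clauses hold (Sigma AND semantics)."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    image_hit = any(image.endswith(s) for s in IMAGE_SUFFIXES)
    cmdline_hit = any(s in cmdline for s in CMDLINE_SUBSTRINGS)
    return image_hit and cmdline_hit


def triage(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_clear_linux_logs(e)]


# Constructed sample events (not real telemetry). Field names follow the
# Sysmon-for-Linux / Sigma process_creation convention (assumption).
SAMPLE_EVENTS = [
    # True positives: deletion utility plus a log path on the command line.
    {"Image": "/usr/bin/rm", "CommandLine": "rm -rf /var/log/auth.log /var/log/wtmp"},
    {"Image": "/usr/bin/shred", "CommandLine": "shred -u /var/log/secure"},
    {"Image": "/usr/bin/unlink", "CommandLine": "unlink /var/spool/mail/root"},
    # Benign: rm outside the log tree, not matched.
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f /tmp/build.lock"},
    # Benign: reading a log, not deleting it, not matched.
    {"Image": "/usr/bin/cat", "CommandLine": "cat /var/log/syslog"},
    # Known gap: in-place truncation via shell redirection never spawns
    # rm/shred/unlink, so the Image clause fails and the rule stays silent.
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c '> /var/log/auth.log'"},
    # Suffix anchoring: 'xterm' ends in 'rm' but not in '/rm', not matched.
    {"Image": "/usr/bin/xterm", "CommandLine": "xterm -e tail -f /var/log/messages"},
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block prints the three true positives and nothing for the remaining events; the redirection case is the gap a practitioner would want to close with a separate rule on the shell's command line rather than by widening this one.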
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1070.002
Created: 2020-10-07