
Summary
This detection rule, authored by Elastic, targets attempts to clear logs on Linux systems using the 'journalctl' command. Clearing or shrinking the journal is a defense-evasion tactic: by deleting log entries, an adversary hinders later investigation. The rule looks for executions of 'journalctl' accompanied by any of the vacuum parameters '--vacuum-time', '--vacuum-size', or '--vacuum-files'. Attackers may use these options to rapidly remove log entries, especially right after a privilege escalation event. The rule runs in an Elastic environment and pulls data from specific indices, including auditd and several endpoint protection sources. Its risk score is rated 'low', meaning it can surface serious activity but may also trigger false positives from legitimate administrative log rotation. For incident management, the rule includes detailed steps for investigation, false positive minimization, response, and hardening.
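The matching logic described above, as an added example in Python that is not the rule's own query and is not Elastic code. It assumes ECS-style process events with the fields process.name, process.args and process.command_line (field names are an assumption based on ECS conventions), and the events below are constructed sample data, not real telemetry. It goes slightly beyond the text by also recognizing the 'flag=value' spelling ('--vacuum-size=100M') that journalctl accepts, and by falling back to the command line when the args array is absent.

```python
import shlex
from typing import Iterable

# The three vacuum parameters the rule description names.
VACUUM_FLAGS = ("--vacuum-time", "--vacuum-size", "--vacuum-files")


def is_journalctl_vacuum(event: dict) -> bool:
    """True when an ECS-style process event is journalctl invoked with a vacuum flag.

    Handles both '--vacuum-size 100M' and '--vacuum-size=100M' spellings, and falls
    back to process.command_line when process.args is missing (field names assumed).
    """
    proc = event.get("process") or {}
    if proc.get("name") != "journalctl":
        return False  # a different binary mentioning the flag text is not a match
    args = proc.get("args") or []
    if not args and proc.get("command_line"):
        args = shlex.split(proc["command_line"])
    # Strip a '=value' suffix so '--vacuum-time=1s' matches the bare flag name.
    return any(arg.split("=", 1)[0] in VACUUM_FLAGS for arg in args)


def find_alerts(events: Iterable[dict]) -> list:
    """Return the events that would fire the detection."""
    return [e for e in events if is_journalctl_vacuum(e)]


def triage_line(event: dict) -> str:
    """One-line summary an analyst would want first: host, user, full command."""
    proc = event.get("process") or {}
    cmd = proc.get("command_line") or " ".join(proc.get("args") or [])
    host = (event.get("host") or {}).get("name", "?")
    user = (event.get("user") or {}).get("name", "?")
    return f"{host} user={user} cmd={cmd!r}"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # journal wiped down to one second of history, run as root: should alert
        "host": {"name": "web-01"},
        "user": {"name": "root"},
        "process": {"name": "journalctl", "args": ["journalctl", "--vacuum-time=1s"]},
    },
    {  # ordinary log read: must not alert
        "host": {"name": "web-01"},
        "user": {"name": "ops"},
        "process": {"name": "journalctl", "args": ["journalctl", "-u", "sshd", "--since", "today"]},
    },
    {  # only command_line available, space-separated flag value: should alert
        "host": {"name": "db-02"},
        "user": {"name": "root"},
        "process": {"name": "journalctl", "command_line": "journalctl --vacuum-size 10M"},
    },
    {  # flag text inside another program's arguments: must not alert
        "host": {"name": "db-02"},
        "user": {"name": "dev"},
        "process": {"name": "bash", "args": ["bash", "-c", "echo --vacuum-files"]},
    },
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", triage_line(alert))
```

Running the block prints two alerts (the root-run vacuum on web-01 and the command_line-only event on db-02); the benign journal read and the unrelated bash invocation are ignored. In a real deployment the same predicate would be expressed in the rule's query language and paired with the false-positive checks the summary mentions, such as whether the executing user is a known administrator and whether the invocation coincides with scheduled log rotation.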
Categories
- Endpoint
- Linux
Data Sources
- Container
- Process
- File
- Application Log
- Network Traffic
ATT&CK Techniques
- T1070
- T1070.002
- T1562
- T1562.001
Created: 2025-10-01