
Summary
This detection rule identifies the deletion of sensitive Linux system logs, which can indicate attempts by adversaries to evade detection or eliminate forensic evidence. The rule is crafted using EQL (Event Query Language) and looks for deletion events of specific system log files such as '/var/log/syslog' and '/var/log/auth.log'. It is designed to exclude benign processes like 'gzip' and 'dockerd' to reduce false positives. As log files are critical for auditing activities, unauthorized deletions can significantly undermine system security. The rule employs integrations like Elastic Defend and Auditbeat, which help capture the necessary events from the target systems. Following a triggered alert, analysts are advised to investigate the deletion event, examine the involved process, and assess user activity around the time of deletion. The severity is marked as 'medium' due to the potential impact on system forensics and security posture.
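To make the detection logic concrete, here is an added Python re-implementation of the behaviour the summary describes, run over a few constructed ECS-style events. It is not the rule's own EQL query and is not Elastic's code: the field names (`event.category`, `event.type`, `file.path`, `process.name`, `user.name`) follow ECS conventions, the monitored paths are only the two the summary names (the real rule may cover more), and the benign-process list is assumed from the summary.

```python
# Added example: a minimal re-implementation of the detection logic described on
# the page. NOT the Elastic rule's EQL; field names are ECS-style assumptions.
from typing import Iterable

# Log files this example monitors. The page names these two as examples; the
# real rule may watch additional paths.
SENSITIVE_LOGS = {"/var/log/syslog", "/var/log/auth.log"}

# Processes whose deletions are treated as benign (log rotation, container
# runtime), mirroring the exclusions the summary describes.
BENIGN_PROCESSES = {"gzip", "dockerd"}


def is_log_deletion(event: dict) -> bool:
    """Return True if the ECS-style event is a deletion of a sensitive log file
    by a process that is not on the benign list."""
    if event.get("event.category") != "file":
        return False
    # event.type is a list in ECS; deletion must be one of the values
    if "deletion" not in event.get("event.type", []):
        return False
    if event.get("file.path") not in SENSITIVE_LOGS:
        return False
    if event.get("process.name") in BENIGN_PROCESSES:
        return False
    return True


def find_suspicious_deletions(events: Iterable[dict]) -> list:
    """Filter an event stream down to alert-worthy deletions, returning
    (timestamp, user, process, path) tuples for analyst triage."""
    hits = []
    for e in events:
        if is_log_deletion(e):
            hits.append((e.get("@timestamp"), e.get("user.name"),
                         e.get("process.name"), e.get("file.path")))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # logrotate compressing syslog via gzip: benign, excluded by process name
    {"@timestamp": "2024-01-01T03:00:01Z", "event.category": "file",
     "event.type": ["deletion"], "file.path": "/var/log/syslog",
     "process.name": "gzip", "user.name": "root"},
    # a service account removing auth.log with rm: should alert
    {"@timestamp": "2024-01-01T11:42:07Z", "event.category": "file",
     "event.type": ["deletion"], "file.path": "/var/log/auth.log",
     "process.name": "rm", "user.name": "www-data"},
    # deletion of an unrelated file: out of scope
    {"@timestamp": "2024-01-01T11:43:00Z", "event.category": "file",
     "event.type": ["deletion"], "file.path": "/tmp/build.log",
     "process.name": "rm", "user.name": "builder"},
    # read access to syslog, not a deletion: out of scope
    {"@timestamp": "2024-01-01T11:44:10Z", "event.category": "file",
     "event.type": ["access"], "file.path": "/var/log/syslog",
     "process.name": "tail", "user.name": "ops"},
    # syslog unlinked by a scripting interpreter: should alert
    {"@timestamp": "2024-01-01T11:45:30Z", "event.category": "file",
     "event.type": ["deletion"], "file.path": "/var/log/syslog",
     "process.name": "python3", "user.name": "root"},
]

if __name__ == "__main__":
    for hit in find_suspicious_deletions(SAMPLE_EVENTS):
        print("ALERT sensitive log deleted:", hit)
```

Running the block flags the `rm` and `python3` deletions and ignores the `gzip` rotation, the `/tmp` file and the read-only access. Note that the exclusion keys on `process.name` alone, so when tuning a rule like this for a specific fleet, pair it with the triage steps the summary lists (who ran the process, and what else the user did around that time) rather than widening the benign list.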
Categories
- Endpoint
- Linux
Data Sources
- File
- Process
- Container
- Application Log
- Network Traffic
ATT&CK Techniques
- T1070
- T1070.002
Created: 2020-11-03