
Summary
This rule detects Linux processes that start with environment variables configured to suppress or erase command history. It flags a process start whose environment contains HISTSIZE=0, HISTFILESIZE=0, HISTCONTROL=ignorespace, or HISTFILE=/dev/null, each of which indicates an attempt to clear or disable shell history logging. The detection applies a host OS filter (Linux) and looks for event.type == "start" and event.action == "exec" with matching env_vars. It is mapped to the MITRE ATT&CK Defense Evasion techniques T1070 (Indicator Removal) and T1070.003 (Clear Command History). The rule relies on Elastic Defend telemetry and requires the configuration option that captures the specified environment variables (linux.advanced.capture_env_vars) so that history-related settings are visible in the process event. The risk score is 73 and the rule is labeled high severity to prompt rapid investigation and response. The rule includes setup guidance for Elastic Defend, investigative context, remediation steps, and escalation criteria to contain a potential compromise and preserve evidence, as well as guidance on reducing recurrence through centralized logging and restricted interactive shells.
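The following is an added example, not part of the rule or of Elastic's code, that applies the rule's logic to constructed process-start events. The nested field layout (host.os.type, event.type, event.action, process.env_vars, process.pid, process.executable) is an assumption about how the telemetry is shaped; the four environment values are the ones the rule lists.

```python
"""Added example: evaluate the history-suppression rule against constructed sample events.

Field paths (host.os.type, event.type, event.action, process.env_vars, ...) are assumptions
about the telemetry schema; every event below is constructed, not a real capture.
"""
from __future__ import annotations

from typing import Any, Iterable

# Environment assignments the rule treats as history suppression (taken from the rule summary).
HISTORY_SUPPRESSION_ENV = (
    "HISTSIZE=0",
    "HISTFILESIZE=0",
    "HISTCONTROL=ignorespace",
    "HISTFILE=/dev/null",
)


def _field(event: dict[str, Any], path: str) -> Any:
    """Walk a dotted path such as "event.type" through nested dicts; None if any key is absent."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def _contains(value: Any, wanted: str) -> bool:
    """Fields like event.type may arrive as a string or as a list of strings; accept both."""
    if isinstance(value, list):
        return wanted in value
    return value == wanted


def matching_env_vars(event: dict[str, Any]) -> list[str]:
    """Return the history-suppressing assignments present in process.env_vars, in env order."""
    env = _field(event, "process.env_vars") or []
    return [var for var in env if var in HISTORY_SUPPRESSION_ENV]


def rule_matches(event: dict[str, Any]) -> bool:
    """Apply the rule's filters: Linux host, exec start event, and at least one flagged env var."""
    return (
        _field(event, "host.os.type") == "linux"
        and _contains(_field(event, "event.type"), "start")
        and _contains(_field(event, "event.action"), "exec")
        and bool(matching_env_vars(event))
    )


def evaluate(events: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one alert record per matching event: pid, executable, and the env vars that fired."""
    alerts = []
    for event in events:
        if rule_matches(event):
            alerts.append({
                "pid": _field(event, "process.pid"),
                "executable": _field(event, "process.executable"),
                "env_vars": matching_env_vars(event),
            })
    return alerts


def _event(pid, executable, env, os_type="linux", etype="start", action="exec"):
    """Build a constructed sample event in the assumed nested layout."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"type": [etype], "action": action},
        "process": {"pid": pid, "executable": executable, "env_vars": env},
    }


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Shell started with history sent to /dev/null and HISTSIZE zeroed: should alert.
    _event(4101, "/usr/bin/bash", ["HOME=/root", "HISTFILE=/dev/null", "HISTSIZE=0", "TERM=xterm"]),
    # Ordinary shell with history enabled: no alert.
    _event(4102, "/usr/bin/bash", ["HOME=/home/alice", "HISTSIZE=1000", "HISTCONTROL=ignoredups"]),
    # Same suppressing value, but the event is a fork rather than an exec: outside the rule's scope.
    _event(4103, "/usr/bin/bash", ["HISTFILESIZE=0"], action="fork"),
    # HISTCONTROL=ignoreboth implies ignorespace in bash but is not one of the rule's exact values.
    _event(4104, "/usr/bin/bash", ["HISTCONTROL=ignoreboth"]),
    # A non-shell child that inherited HISTFILESIZE=0 still matches: the rule keys on env, not binary.
    _event(4105, "/usr/bin/python3", ["HISTFILESIZE=0", "PATH=/usr/bin"]),
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Two tuning points fall out of the samples: because the environment is inherited, every process exec'd beneath a shell started this way will fire, so expect clusters of alerts per session rather than a single hit; and bash's HISTCONTROL=ignoreboth has the same effect as ignorespace yet is not among the rule's listed values, so it is not flagged by the logic as summarized here.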
Categories
- Endpoint
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1070
- T1070.003
Created: 2026-04-09