
Summary
This detection rule, authored by Elastic, monitors for execution of the command `dmesg -c`, which clears the kernel ring buffer on Linux systems. Attackers may run this command after installing a malicious Linux kernel module (LKM) to erase system logs that could reveal their presence, thus evading detection. The rule is configured within the Elastic Security framework and targets the log indices associated with Linux endpoints and security integrations such as Elastic Defend and Auditd Manager. The risk score is low (21), indicating that a hit warrants further investigation rather than immediate action in most cases. The alert fires when a `process` event originating from a Linux host is logged whose process name and arguments match the rule's conditions. The rule also provides a comprehensive investigation guide and recommendations for response and remediation, so analysts can take appropriate action when suspicious activity is detected.
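The following is an added example, not Elastic's rule code, that applies the conditions described above (Linux host, `process` event, process name `dmesg`, argument `-c`) to a few constructed ECS-style events; the ECS field names and the exact match logic are assumptions, and the long-form clear flags extend the check beyond the single flag the page names.

```python
"""Added example (not Elastic's rule code): evaluate the rule's stated
conditions against constructed ECS-style process events.

Assumptions: events use ECS field names (host.os.type, event.category,
process.name, process.args); the published rule's exact query is not
reproduced here, only the conditions the summary describes."""

# Constructed sample events: a benign read, the rule's target, a long-form
# variant, and two events that must never match.
CONSTRUCTED_EVENTS = [
    {"id": "read-only", "host": {"os": {"type": "linux"}},
     "event": {"category": ["process"]},
     "process": {"name": "dmesg", "args": ["dmesg", "--level=err"]}},
    {"id": "read-clear", "host": {"os": {"type": "linux"}},
     "event": {"category": ["process"]},
     "process": {"name": "dmesg", "args": ["dmesg", "-c"]}},
    {"id": "clear-long", "host": {"os": {"type": "linux"}},
     "event": {"category": ["process"]},
     "process": {"name": "dmesg", "args": ["dmesg", "--clear"]}},
    {"id": "wrong-os", "host": {"os": {"type": "windows"}},
     "event": {"category": ["process"]},
     "process": {"name": "dmesg", "args": ["dmesg", "-c"]}},
    {"id": "not-process", "host": {"os": {"type": "linux"}},
     "event": {"category": ["file"]},
     "process": {"name": "dmesg", "args": ["dmesg", "-c"]}},
]

# Flags that clear the ring buffer. The page describes "-c"; the others are
# dmesg's documented equivalents (-C/--clear, --read-clear), added here as a
# tuning extension beyond the page's single flag.
CLEAR_FLAGS = frozenset({"-c", "-C", "--clear", "--read-clear"})


def matches_clear_ring_buffer(event: dict, flags=frozenset({"-c"})) -> bool:
    """True when the event meets the rule's conditions: a process event
    from a Linux host in which dmesg runs with a clear flag."""
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    if "process" not in event.get("event", {}).get("category", []):
        return False
    proc = event.get("process", {})
    if proc.get("name") != "dmesg":
        return False
    return any(arg in flags for arg in proc.get("args", []))


def triage(events: list, flags=frozenset({"-c"})) -> list:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_clear_ring_buffer(e, flags)]


if __name__ == "__main__":
    print("as described:", triage(CONSTRUCTED_EVENTS))
    print("with long forms:", triage(CONSTRUCTED_EVENTS, CLEAR_FLAGS))
```

Running it shows that a strict `-c` match alerts only on `read-clear`, while the extended flag set also catches the `--clear` variant; the Windows and non-process events never match.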
Categories
- Endpoint
- Linux
Data Sources
- Process
- Logon Session
- Kernel
ATT&CK Techniques
- T1070
- T1070.002
- T1562
- T1562.001
Created: 2023-10-24