
Summary
The rule titled 'Tampering of Shell Command-Line History' detects attempts by adversaries to clear or disable command-line history in Bash and Zsh shells, a common tactic used to evade investigation. The detection uses EQL (Event Query Language) to monitor process events that may indicate such tampering. It inspects command-line arguments for commands commonly used to clear, truncate or redirect history files, such as 'rm', 'truncate' and 'history -c'. The rule runs against several data sources, including endpoint event logs and audit logs from both Elastic Defend and Auditd Manager. Alert severity is set to 'medium', reflecting the impact that successful tampering has on ongoing investigations and forensic analysis. The rule's investigation guide walks analysts through assessing the extent of tampering by cross-referencing user actions with system logs, and offers strategies for handling false positives arising from legitimate use of the same commands. It also outlines response steps, emphasizing prompt isolation of affected systems and restoration of command history from backup as key remediation actions. The rule is mapped to the MITRE ATT&CK framework under the 'Defense Evasion' tactic.
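To make the detection logic described above concrete, here is an added Python illustration (not the rule's own EQL query, and not code from Elastic) that applies the same kind of command-line matching to a constructed batch of process-creation events. The specific patterns, field names and sample events are assumptions chosen for the example.

```python
import re

# Constructed sample process-creation events (not real telemetry); each is one process start.
SAMPLE_EVENTS = [
    {"user": "alice", "name": "bash", "args": ["bash", "-c", "history -c"]},
    {"user": "bob", "name": "rm", "args": ["rm", "-f", "/home/bob/.bash_history"]},
    {"user": "carol", "name": "truncate", "args": ["truncate", "-s", "0", "/home/carol/.zsh_history"]},
    {"user": "dave", "name": "bash", "args": ["bash", "-c", "cat /dev/null > ~/.bash_history"]},
    {"user": "erin", "name": "bash", "args": ["bash", "-c", "unset HISTFILE; export HISTSIZE=0"]},
    {"user": "frank", "name": "rm", "args": ["rm", "-f", "/tmp/build.log"]},        # benign: not a history file
    {"user": "grace", "name": "bash", "args": ["bash", "-c", "history | grep ssh"]},  # benign: only reads history
]

# Assumed patterns for this illustration; the real rule's query may differ.
HISTORY_FILE = re.compile(r"\.(?:bash|zsh)_history\b")
CLEAR_BUILTIN = re.compile(r"\bhistory\s+-c\b")
DISABLE_VAR = re.compile(r"\b(?:unset\s+HISTFILE|HISTFILE=/dev/null|HISTFILESIZE=0|HISTSIZE=0)\b")
REDIRECT_TO_HISTORY = re.compile(r">\s*\S*\.(?:bash|zsh)_history\b")

def classify(event):
    """Return a short reason string if the event looks like history tampering, else None."""
    cmdline = " ".join(event["args"])
    # Deleting or truncating the history file itself.
    if event["name"] in ("rm", "unlink", "truncate") and HISTORY_FILE.search(cmdline):
        return f"{event['name']} on history file"
    # Clearing the in-memory history via the shell built-in.
    if CLEAR_BUILTIN.search(cmdline):
        return "history -c"
    # Overwriting the history file through shell redirection.
    if REDIRECT_TO_HISTORY.search(cmdline):
        return "redirect into history file"
    # Disabling history for the session through environment variables.
    if DISABLE_VAR.search(cmdline):
        return "history disabled via environment"
    return None

def scan(events):
    """Return (user, reason) for every event that matches one of the tampering patterns."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["user"], reason))
    return hits

if __name__ == "__main__":
    for user, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT user={user}: {reason}")
```

The two benign events show why the rule's false-positive guidance matters: 'rm' on a non-history file and a read-only 'history' invocation both use the same binaries but are not flagged.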
Categories
- Endpoint
- Linux
- macOS
Data Sources
- Process
- File
- Container
- Command
- Logon Session
ATT&CK Techniques
- T1070
- T1070.003
Created: 2020-05-04