Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal

Splunk Security Content

Summary
This analytic detects Cisco IOS-XE command sequences in which show logging, clear logging, and exit occur within a short window, which may indicate an attempt to erase operational logs or obscure activity on the device. It also flags a variant in which a Loopback interface is removed before the logs are cleared and the session exits, which could accompany efforts to hinder traceability.

The rule operates on Cisco IOS logs ingested with the Cisco Catalyst Splunk add-on (sourcetype cisco:ios) and requires command-visibility data (AAA command accounting, archive/config logging, or an EEM catchall applet) to reliably identify user or system commands; without one of these sources the search has nothing to match. The search lowercases the message text, assigns an event_type to each matched command (show_logging, clear_logging, exit, remove_loopback), and bins events into 2-minute windows per destination device. A match is produced when a window contains both clear_logging and exit together with either show_logging or remove_loopback. Each result includes firstTime and lastTime plus the event types, messages, and commands observed for that destination.

This pattern supports monitoring for abnormal log-clearing activity and evasion of auditing. The analytic is tied to Salt Typhoon investigations and maps to the MITRE ATT&CK techniques listed below (indicator removal by clearing logs, and impairing defenses).
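The windowing logic described above, re-implemented in Python over constructed cisco:ios-style lines so the match condition can be exercised offline. This is an added example, not the analytic's SPL or any Splunk code: the syslog line shape (ISO timestamp, hostname, then the %PARSER-5-CFGLOG_LOGGEDCMD config-logging message), the hostnames, users and timestamps are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original page), shaped like the
# config-logging messages IOS-XE emits when "archive / log config / logging
# enable" is configured. Hostnames, users and timestamps are assumptions.
SAMPLE_LOGS = [
    "2024-05-01T10:00:05Z edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:show logging",
    "2024-05-01T10:00:40Z edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:clear logging",
    "2024-05-01T10:01:10Z edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:exit",
    # Variant: loopback removed, then clear + exit, with no show logging.
    "2024-05-01T10:30:02Z core-sw2 %PARSER-5-CFGLOG_LOGGEDCMD: User:ops logged command:no interface Loopback0",
    "2024-05-01T10:30:30Z core-sw2 %PARSER-5-CFGLOG_LOGGEDCMD: User:ops logged command:clear logging",
    "2024-05-01T10:31:15Z core-sw2 %PARSER-5-CFGLOG_LOGGEDCMD: User:ops logged command:exit",
    # Should not match: show logging + exit in one window, clear logging 15 min later.
    "2024-05-01T11:00:00Z dist-rtr3 %PARSER-5-CFGLOG_LOGGEDCMD: User:noc logged command:show logging",
    "2024-05-01T11:00:20Z dist-rtr3 %PARSER-5-CFGLOG_LOGGEDCMD: User:noc logged command:exit",
    "2024-05-01T11:15:00Z dist-rtr3 %PARSER-5-CFGLOG_LOGGEDCMD: User:noc logged command:clear logging",
]

WINDOW_SECONDS = 120  # the 2-minute span the analytic bins on

# "<iso-timestamp> <host> %PARSER-5-CFGLOG_LOGGEDCMD: User:<u> logged command:<cmd>"
# is the assumed line shape for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dest>\S+)\s+%PARSER-5-CFGLOG_LOGGEDCMD:\s+"
    r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)
LOOPBACK_RE = re.compile(r"^no interface loopback\s*\d+$")


def classify(cmd: str):
    """Map a raw command to the analytic's event_type, or None if irrelevant."""
    c = " ".join(cmd.lower().split())  # lowercase and collapse whitespace
    if c.startswith("show logging"):
        return "show_logging"
    if c.startswith("clear logging"):
        return "clear_logging"
    if c == "exit":  # exact match so longer commands containing "exit" do not count
        return "exit"
    if LOOPBACK_RE.match(c):
        return "remove_loopback"
    return None


def parse_line(line: str):
    """Split one log line into time, destination host, user and command."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": ts, "dest": m["dest"], "user": m["user"], "cmd": m["cmd"].strip()}


def detect(lines):
    """Return one finding per (dest, 2-minute window) that satisfies the rule."""
    windows = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        event_type = classify(ev["cmd"])
        if event_type is None:
            continue
        ev["event_type"] = event_type
        # Epoch-aligned fixed bins, as Splunk's `bin _time span=2m` produces.
        bucket = int(ev["time"].timestamp()) // WINDOW_SECONDS
        windows[(ev["dest"], bucket)].append(ev)

    findings = []
    for (dest, _bucket), evs in windows.items():
        types = {e["event_type"] for e in evs}
        # clear_logging AND exit, plus at least one of show_logging / remove_loopback
        if {"clear_logging", "exit"} <= types and types & {"show_logging", "remove_loopback"}:
            times = [e["time"] for e in evs]
            findings.append({
                "dest": dest,
                "firstTime": min(times).isoformat(),
                "lastTime": max(times).isoformat(),
                "users": sorted({e["user"] for e in evs}),
                "event_types": sorted(types),
                "commands": [e["cmd"] for e in sorted(evs, key=lambda e: e["time"])],
            })
    findings.sort(key=lambda f: f["firstTime"])
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

On the sample input this yields two findings (edge-rtr1 with the show/clear/exit sequence, core-sw2 with the loopback-removal variant) and none for dist-rtr3, whose clear logging falls 15 minutes after its show logging and exit. Two practitioner caveats carry over to the real analytic: fixed 2-minute bins are epoch-aligned, so a sequence straddling a boundary (say 10:01:55 and 10:02:05) lands in two windows and is missed, which is a reason to keep the window generous; and the search can only fire if the device actually exports commands, so confirm that archive log config logging (or AAA command accounting) is enabled on the IOS-XE fleet before relying on it.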
Categories
  • Network
Data Sources
  • Application Log
ATT&CK Techniques
  • T1070.001
  • T1562
Created: 2026-06-10