
Summary
This detection rule identifies instances of file deletion from the /tmp directory on Linux and macOS platforms. Adversaries often delete files associated with their activities to lessen their digital footprint, as these files may contain evidence of their intrusion techniques and the tools they used. The detection logic uses Snowflake SQL syntax to query CrowdStrike EDR logs for process events occurring within the last two hours, specifically looking for command invocations that include 'rm', the common Unix command for file deletion. The regex pattern matches various forms of the delete command, so that it captures potential attempts to remove sensitive files from the temporary directory during or after an attack. By focusing on file deletions from /tmp, this rule targets a defense evasion tactic employed by threat actors such as UNC5221 and UTA0178: deleting files to remove indicators of compromise or tools left behind (T1070.004).
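The following is an added worked example, not the rule's own query or CrowdStrike's schema: it re-creates the detection logic described above over a handful of constructed process events. sqlite3 stands in for Snowflake (a REGEXP function is registered so the WHERE clause reads like the Snowflake original; Snowflake itself would use REGEXP_LIKE or RLIKE), the table and column names (process_events, event_time, command_line) are assumed, and the regex is an illustrative pattern for rm invocations with a /tmp/ argument, not the pattern shipped with the rule. The two-hour window is evaluated against a fixed reference time so the example is deterministic.

```python
"""Toy re-implementation of the "rm from /tmp" detection over constructed
CrowdStrike-style process events. sqlite3 stands in for Snowflake; the
schema, column names and regex are assumptions, not the rule's own."""
import re
import sqlite3
from datetime import datetime, timedelta, timezone

ISO = "%Y-%m-%dT%H:%M:%SZ"  # fixed-width UTC timestamps, so string comparison == time comparison

# Assumed regex (not the rule's own): an rm invocation, optionally path-qualified
# (/bin/rm, /usr/bin/rm), with any number of -flags, whose argument list contains
# a path under /tmp/. The leading group stops "rm" matching inside words such as
# "perform" and the \b stops "rmdir" matching.
RM_TMP_PATTERN = re.compile(
    r"(?:^|[\s;&|(])(?:/usr/bin/|/bin/)?rm\b(?:\s+-[A-Za-z]+)*\s+(?:\S+\s+)*/tmp/\S+"
)

# Constructed reference time and sample events (hypothetical, for illustration only).
NOW = datetime(2024, 2, 9, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"event_id": 1, "event_time": NOW - timedelta(minutes=30), "hostname": "web-01",
     "command_line": "rm -rf /tmp/payload.sh"},                          # in window, matches
    {"event_id": 2, "event_time": NOW - timedelta(hours=3), "hostname": "web-01",
     "command_line": "rm -f /tmp/old.log"},                              # matches but outside 2h window
    {"event_id": 3, "event_time": NOW - timedelta(minutes=15), "hostname": "db-02",
     "command_line": "/bin/rm /tmp/.cache/agent"},                       # path-qualified rm
    {"event_id": 4, "event_time": NOW - timedelta(minutes=10), "hostname": "db-02",
     "command_line": "rm -rf /var/log/old"},                             # rm, but not /tmp
    {"event_id": 5, "event_time": NOW - timedelta(minutes=5), "hostname": "build-03",
     "command_line": "rmdir /tmp/build"},                                # rmdir is not rm
    {"event_id": 6, "event_time": NOW - timedelta(minutes=2), "hostname": "build-03",
     "command_line": 'sh -c "echo done; rm -f /tmp/x.log"'},             # rm nested in a shell -c string
    {"event_id": 7, "event_time": NOW - timedelta(minutes=1), "hostname": "web-01",
     "command_line": "cat /tmp/notes.txt"},                              # /tmp, but no deletion
]


def matches_rm_tmp(command_line):
    """True if a command line contains an rm invocation targeting a /tmp/ path."""
    return RM_TMP_PATTERN.search(command_line) is not None


def _regexp(pattern, value):
    """sqlite3 calls this for `value REGEXP pattern` (argument order: pattern, value)."""
    return value is not None and re.search(pattern, value) is not None


def detect_tmp_deletions(events, now, window=timedelta(hours=2)):
    """Load events into an in-memory table and run the rule as a SQL query:
    process events within the last `window` whose command line matches the
    rm-from-/tmp regex. Returns (event_id, hostname, command_line) rows."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.execute(
        "CREATE TABLE process_events (event_id INTEGER, event_time TEXT, "
        "hostname TEXT, command_line TEXT)"
    )
    conn.executemany(
        "INSERT INTO process_events VALUES (?, ?, ?, ?)",
        [(e["event_id"], e["event_time"].strftime(ISO), e["hostname"], e["command_line"])
         for e in events],
    )
    since = (now - window).strftime(ISO)
    rows = conn.execute(
        """SELECT event_id, hostname, command_line
           FROM process_events
           WHERE event_time >= ?
             AND command_line REGEXP ?
           ORDER BY event_time""",
        (since, RM_TMP_PATTERN.pattern),
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for event_id, host, cmd in detect_tmp_deletions(SAMPLE_EVENTS, NOW):
        print(f"ALERT event={event_id} host={host} cmd={cmd!r}")
```

Running the script alerts on events 1, 3 and 6 only: event 2 is a genuine /tmp deletion but falls outside the two-hour window, event 4 deletes outside /tmp, event 5 is rmdir rather than rm, and event 7 only reads a /tmp file. The nested `sh -c` case shows why the rule matches on the command line rather than only on the process image name.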
Categories
- Endpoint
- Linux
- macOS
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1070.004
Created: 2024-02-09