MacOS Log Removal detects deletion or modification of log files on macOS by identifying executions of the rm command with command-line arguments referencing system.log or audit-related paths. It uses the osquery endpoint data model to surface process activity and filters for rm invocations or audit-related commands that target log files, such as system.log or audit trails. The underlying SPL/Datamodel query aggregates by destination, file name, and process metadata to surface occurrences where logs may be removed or altered, aligning with Indicator Removal on Host (MITRE ATT&CK T1070). False positives include legitimate log rotation or administrative cleanup. Implementation requires the TA-OSquery to be deployed across indexers and forwarders to populate macOS process data into the Splunk data models.