This detection rule identifies attempts by adversaries to clear command history on macOS and Linux systems. Clearing command history is a technique employed by intruders to conceal their actions after compromising an account. Such activity is captured in the terminal history where users typically see their executed commands. The rule utilizes Splunk's querying capabilities to monitor for specific commands associated with clearing terminal histories, such as unset, export, and history commands. These commands, when executed, can either directly clear the command history or manipulate environment variables (HISTFILE, HISTSIZE) to prevent command logging. The detection logic is structured to identify trends in process call patterns that indicate the history has been cleared or redirected to null, and it compiles this data to showcase suspicious activity over time. The rule leverages advanced regular expressions to sift through log data and confirm whether any of the conditions for command clearing were met, ensuring thorough monitoring of user actions within the terminal environment.