
Summary
This detection rule, authored by Elastic, targets misuse of the `shred` command on Linux systems, which adversaries may use to securely delete files and cover their tracks after an intrusion. The rule monitors process invocations of `shred` with specific arguments that indicate malicious intent, while excluding legitimate uses by benign processes such as `logrotate`. By capturing these events, the rule helps identify defense evasion tactics employed by threat actors who aim to remove traces that could assist a forensic investigation. The detection runs against endpoint process logs collected through the Elastic Defend, CrowdStrike, and SentinelOne integrations. The rule's setup section lists the prerequisites and instructions for deploying Elastic Defend so that the rule is operational. Overall, this rule gives security teams a way to monitor for and respond to suspicious file deletion activity as part of incident detection and response.
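The following is an added example, not Elastic's rule logic or query, that models the detection described above over a few constructed process events. The page does not name the "specific arguments" the rule keys on or how the `logrotate` exclusion is expressed, so this example assumes the secure-wipe options `-u`/`--remove`, `-z`/`--zero` and `-n`/`--iterations` are the flags of interest and that the exclusion is matched on the parent process name; it also goes slightly beyond the text by handling clustered short flags such as `-uz`. The event records and the `ProcessEvent` type are constructed for illustration.

```python
"""Toy model of a 'shred' anti-forensics detection over process events.

Added example: not Elastic's rule. The flag set and the parent-name exclusion
are assumptions; the sample events are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import List

# Options that ask shred to make the data unrecoverable (assumption: the rule's
# "specific arguments" are along these lines).
WIPE_FLAGS = {"-u", "--remove", "-z", "--zero", "-n", "--iterations"}
SHORT_WIPE_CHARS = set("uzn")  # for clustered short flags such as "-uz" or "-n3"

# Parents whose use of shred is routine maintenance; logrotate comes from the
# rule description, anything else would be a local tuning decision.
BENIGN_PARENTS = {"logrotate"}


@dataclass
class ProcessEvent:
    """Minimal process-start record (constructed schema, not an ECS document)."""
    name: str
    args: List[str]
    parent_name: str
    user: str = "root"


def _has_wipe_flag(args: List[str]) -> bool:
    """True if any argument requests a secure wipe of the target file(s)."""
    for a in args:
        if a in WIPE_FLAGS:
            return True
        # Long options given as --opt=value
        if a.startswith("--iterations=") or a.startswith("--remove="):
            return True
        # Clustered short options, e.g. "-uz", or a value glued on, e.g. "-n3"
        if a.startswith("-") and not a.startswith("--") and len(a) > 2:
            if any(ch in SHORT_WIPE_CHARS for ch in a[1:]):
                return True
    return False


def matches_rule(ev: ProcessEvent) -> bool:
    """Fire on shred with wipe flags, unless a known benign parent launched it."""
    if ev.name != "shred":
        return False
    if ev.parent_name in BENIGN_PARENTS:
        return False
    return _has_wipe_flag(ev.args)


def evaluate(events: List[ProcessEvent]) -> List[str]:
    """Return the reconstructed command lines of all events that fire the rule."""
    return [" ".join([e.name] + e.args) for e in events if matches_rule(e)]


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("shred", ["-u", "-z", "/var/log/auth.log"], parent_name="bash"),
    ProcessEvent("shred", ["-n", "3", "-u", "/root/.bash_history"], parent_name="sh"),
    ProcessEvent("shred", ["-u", "/var/log/syslog.1"], parent_name="logrotate"),  # excluded
    ProcessEvent("shred", ["--help"], parent_name="bash"),                        # no wipe flag
    ProcessEvent("rm", ["-rf", "/tmp/build"], parent_name="make"),                # not shred
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print("ALERT: suspicious shred invocation:", line)
```

Only the first two events fire: the `logrotate` child is suppressed by the parent exclusion, `shred --help` carries no wipe flag, and `rm` is outside the rule's scope. In a real deployment the parent exclusion is a tuning point worth reviewing, since anything that can spawn a process under an excluded parent name would inherit the suppression.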
Categories
- Endpoint
- Linux
- Cloud
Data Sources
- File
- Process
- Network Traffic
ATT&CK Techniques
- T1070
- T1070.004
Created: 2020-04-27