
Commands to Clear or Remove the Syslog

Sigma Rules

Summary
This threat detection rule identifies specific command-line operations commonly used to clear or remove the syslog file in Linux environments. Attackers often run these commands to erase their footprints in system logs, making it difficult for security teams to investigate malicious behavior or intrusions. By capturing instances of these commands in process creation logs, security analysts can flag potentially malicious activity for further investigation. The detection is designed for high fidelity; however, false positives are possible when legitimate log rotation processes invoke commands that match these patterns. The detection condition is based on the presence of keywords in the command line of process creation events.
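The following is an added example, not the Sigma rule itself: it applies Sigma-style `CommandLine|contains` matching to constructed process-creation events and shows one way to handle the log-rotation false positive described above. The keyword list, the `logrotate` parent-image exclusion and the sample events are assumptions for illustration, not values taken from the rule.

```python
# Added example (not the Sigma rule's own content): evaluate a Sigma-style
# "CommandLine|contains" selection over constructed process-creation events.
from dataclasses import dataclass

# Assumed keywords standing in for the rule's selection (not taken from the page).
SYSLOG_CLEAR_KEYWORDS = (
    "rm /var/log/syslog",
    "rm -f /var/log/syslog",
    "> /var/log/syslog",
    "truncate -s 0 /var/log/syslog",
)

# Assumed exclusion for the legitimate log-rotation activity the rule warns about.
BENIGN_PARENT_IMAGES = ("/usr/sbin/logrotate",)


@dataclass
class ProcessEvent:
    command_line: str
    parent_image: str = ""


def matches_syslog_clear(event):
    """Sigma 'contains' semantics: case-insensitive substring match on CommandLine."""
    cmd = event.command_line.lower()
    return any(kw.lower() in cmd for kw in SYSLOG_CLEAR_KEYWORDS)


def is_rotation_false_positive(event):
    """Suppress hits whose parent is a known log-rotation process."""
    return event.parent_image in BENIGN_PARENT_IMAGES


def evaluate(events):
    """Return (command_line, verdict) per event: 'alert', 'filtered' or 'none'."""
    results = []
    for ev in events:
        if not matches_syslog_clear(ev):
            results.append((ev.command_line, "none"))
        elif is_rotation_false_positive(ev):
            results.append((ev.command_line, "filtered"))
        else:
            results.append((ev.command_line, "alert"))
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("rm -f /var/log/syslog", parent_image="/bin/bash"),
    ProcessEvent("/bin/sh -c '> /var/log/syslog'", parent_image="/usr/sbin/logrotate"),
    ProcessEvent("tail -n 50 /var/log/syslog", parent_image="/bin/bash"),
]

if __name__ == "__main__":
    for cmd, verdict in evaluate(SAMPLE_EVENTS):
        print(f"{verdict:8} {cmd}")
```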
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1070.002
Created: 2021-10-15