T1070.002 Clear Linux or Mac System Logs Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileDeleted", "FileModified", "FileTruncated")
| where FolderPath startswith "/var/log/" or FolderPath startswith "/Library/Logs/" or FolderPath startswith "/private/var/log/"
| where FileName endswith ".log" or FileName in~ ("auth.log", "syslog", "messages", "secure", "wtmp", "btmp", "lastlog", "kern.log")
| where not(InitiatingProcessFileName in~ ("logrotate", "newsyslog", "rsyslog", "syslogd"))
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         ActionType, FileName, FolderPath, InitiatingProcessFileName,
         InitiatingProcessCommandLine
| sort by Timestamp desc

high severity high confidence

Data Sources

File: File Deletion File: File Modification Microsoft Defender for Endpoint (Linux/macOS)

Required Tables

DeviceFileEvents

False Positives

Logrotate and newsyslog performing scheduled log rotation — though they archive rather than delete
System administrators manually clearing logs after legitimate troubleshooting
Docker container cleanup processes removing application logs
Some security tools that manage their own log files in /var/log directories

Splunk

spl

index=linux_auditd sourcetype="linux:audit" type=SYSCALL (syscall=unlink OR syscall=unlinkat OR syscall=truncate OR syscall=ftruncate OR syscall=open OR syscall=openat)
| rex field=msg_audit "name=\"(?<filepath>[^\"]+)\""
| where match(filepath, "(/var/log/|/Library/Logs/)")
| where match(filepath, "(\.log$|auth\.log|syslog|messages|secure|wtmp|btmp|lastlog|kern\.log)")
| where NOT match(exe, "(logrotate|rsyslog|syslogd|newsyslog)")
| eval ActionType=case(syscall="unlink" OR syscall="unlinkat", "FileDeleted", syscall="truncate" OR syscall="ftruncate", "FileTruncated", match(oflags, "O_TRUNC"), "FileTruncated", true(), "FileAccess")
| where ActionType in ("FileDeleted", "FileTruncated")
| table _time, host, auid, uid, exe, filepath, ActionType, syscall
| sort - _time

high severity high confidence

Data Sources

File: File Deletion File: File Modification Linux auditd

Required Sourcetypes

linux:audit

False Positives

Logrotate running as root with copytruncate option for files that can't be renamed
Custom log management scripts that rotate or clear logs
Container orchestration systems cleaning up log files
Backup scripts that truncate logs after archiving

Elastic Security (EQL)

eql

file where event.action in ("deletion", "overwrite", "truncation") and
(
  file.path like~ "/var/log/*" or
  file.path like~ "/Library/Logs/*" or
  file.path like~ "/private/var/log/*"
) and
(
  file.name like~ "*.log" or
  file.name in~ ("auth.log", "syslog", "messages", "secure", "wtmp", "btmp", "lastlog", "kern.log")
) and
not process.name in ("logrotate", "newsyslog", "rsyslog", "syslogd", "aslmanager", "logger")

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.file) Elastic Agent with auditd integration Elastic Agent with system integration on Linux/macOS

Required Tables

logs-endpoint.events.file-* logs-system.syslog-* auditbeat-*

False Positives

Log rotation daemons (logrotate on Linux, newsyslog on macOS) that are not excluded by the process filter — verify process.name and parent context
Security or observability agents (Elastic Agent, Filebeat, Splunk UF) that manage their own log files within monitored paths
Container orchestration environments where ephemeral containers routinely delete log files on shutdown or cleanup

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  username,
  "hostname" AS Host,
  "process_name" AS ProcessName,
  "filepath" AS FilePath,
  "syscall" AS Syscall,
  CATEGORYNAME(category) AS EventCategory
FROM events
WHERE LOGSOURCETYPEID IN (13, 88)
  AND (
    "syscall" IN ('unlink', 'unlinkat', 'truncate', 'ftruncate')
    OR ("syscall" IN ('open', 'openat') AND "oflags" LIKE '%O_TRUNC%')
  )
  AND (
    "filepath" LIKE '/var/log/%'
    OR "filepath" LIKE '/Library/Logs/%'
    OR "filepath" LIKE '/private/var/log/%'
  )
  AND (
    "filepath" LIKE '%.log'
    OR "filename" IN ('auth.log', 'syslog', 'messages', 'secure', 'wtmp', 'btmp', 'lastlog', 'kern.log')
  )
  AND "process_name" NOT IN ('logrotate', 'rsyslog', 'syslogd', 'newsyslog', 'aslmanager')
ORDER BY devicetime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar Linux OS log source (auditd) QRadar LEEF/CEF syslog from Linux endpoints QRadar Universal DSM for auditd

Required Tables

events (QRadar normalized event store) Linux auditd log source configured in QRadar

False Positives

Automated log archival scripts running under service accounts that do not match the excluded process list — tune by adding process names or source IPs to the exclusion
System upgrades or package managers (apt, yum, dnf) that remove old log files as part of package removal post-install scripts
Penetration testing or red team exercises targeting the same log paths with authorized tooling

Sumo Logic CSE

sql

_sourceCategory=linux/auditd OR _sourceCategory=linux/secure
| parse regex "type=SYSCALL\s.*?syscall=(?<syscall>\w+)" nodrop
| parse regex "name=\"(?<filepath>[^\"]+)\"" nodrop
| parse regex "exe=\"(?<exe>[^\"]+)\"" nodrop
| parse regex "auid=(?<auid>\d+)" nodrop
| parse regex "uid=(?<uid>\d+)" nodrop
| where syscall in ("unlink", "unlinkat", "truncate", "ftruncate", "open", "openat")
| where filepath matches "/var/log/*" or filepath matches "/Library/Logs/*" or filepath matches "/private/var/log/*"
| where filepath matches "*.log" or filepath in ["auth.log", "syslog", "messages", "secure", "wtmp", "btmp", "lastlog", "kern.log"]
| where !(exe matches "*logrotate*" or exe matches "*rsyslog*" or exe matches "*syslogd*" or exe matches "*newsyslog*")
| eval ActionType = if(syscall in ("unlink", "unlinkat"), "FileDeleted", if(syscall in ("truncate", "ftruncate"), "FileTruncated", "FileOpenTrunc"))
| fields _messageTime, _sourceHost, auid, uid, exe, filepath, ActionType, syscall
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Linux OS Source (auditd) Sumo Logic Cloud Syslog Source for Linux /var/log/audit/audit.log Sumo Logic Installed Collector with /var/log/secure or /var/log/auth.log source

Required Tables

_sourceCategory=linux/auditd _sourceCategory=linux/secure

False Positives

Third-party log shippers or SIEM forwarders (Splunk UF, Elastic Agent) that move and recreate log files, appearing as deletions with their own process name
Application deployments using Ansible, Chef, or Puppet where handlers clean up stale log files after config changes
Docker or Kubernetes node-level log cleanup by the container runtime's log rotation mechanism (e.g., containerd log-opt max-file settings)

Google Chronicle / SecOps

yaral

rule linux_mac_system_log_cleared {
  meta:
    author = "Detection Engineering"
    description = "Detects deletion or truncation of Linux and macOS system log files by unauthorized processes — T1070.002"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.002"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "FILE_DELETION"
      or $e.metadata.event_type = "FILE_MODIFICATION"
    )
    re.regex($e.target.file.full_path, `/var/log/|/Library/Logs/|/private/var/log/`)
    (
      re.regex($e.target.file.full_path, `\.log$`)
      or re.regex($e.target.file.full_path, `(auth\.log|syslog|messages|secure|wtmp|btmp|lastlog|kern\.log)$`)
    )
    not re.regex($e.principal.process.file.full_path, `(logrotate|newsyslog|rsyslog|syslogd|aslmanager)$`)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) — Linux endpoint telemetry Chronicle ingestion from CrowdStrike Falcon, Carbon Black, or SentinelOne normalized to UDM Chronicle Forwarder with auditd or osquery Linux log source

Required Tables

UDM events (Chronicle normalized event store) FILE_DELETION and FILE_MODIFICATION event types

False Positives

Legitimate log archival and cleanup scripts executed by the root or syslog service account that are not excluded by the process path regex — extend the exclusion regex with additional binary paths as needed
macOS newsyslog or asl rotation triggered by launchd on a schedule that does not match the aslmanager exclusion — verify principal.process.file.full_path in matched events
SIEM or observability agent upgrades that briefly modify or recreate log files they are tailing, particularly Elastic Agent or Splunk UF self-update routines

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(FileDeleteInfo|PeFileWritten|EngineFileWritten)$/
| TargetFileName = /\/(var\/log|Library\/Logs|private\/var\/log)\//
| TargetFileName = /(\.log$|auth\.log|syslog|messages|secure|wtmp|btmp|lastlog|kern\.log)/
| CommandLine != /logrotate|newsyslog|rsyslog|syslogd|aslmanager/
| FileName != /logrotate|newsyslog|rsyslog|syslogd/
| select([timestamp, ComputerName, UserName, FileName, TargetFileName, CommandLine, #event_simpleName])
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor — Linux and macOS endpoint agents CrowdStrike LogScale (Humio) — Falcon Data Replicator (FDR) or direct event stream CrowdStrike FileVantage (file integrity monitoring) events if licensed

Required Tables

Falcon event stream: FileDeleteInfo Falcon event stream: PeFileWritten, EngineFileWritten FDR log data in LogScale repository

False Positives

CrowdStrike Falcon sensor self-diagnostics or log cleanup within monitored paths that use non-standard process names not captured in the exclusion filter
Linux package managers (rpm, dpkg) triggering prerm or postrm scripts that remove log files associated with an uninstalled service package
macOS Time Machine or third-party backup agents that stage log files before archival, temporarily appearing as deletion events

Clear Linux or Mac System Logs

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections