From 46e887ef38927ee1f0c8ebcf91ca5253effa6bad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Fri, 16 Oct 2020 10:32:25 +0300
Subject: [PATCH] Update lnx_clear_logs.yml

---
 rules/linux/lnx_clear_logs.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml
index d914293bb..057fb4702 100644
--- a/rules/linux/lnx_clear_logs.yml
+++ b/rules/linux/lnx_clear_logs.yml
@@ -8,6 +8,7 @@ references:
 - https://attack.mitre.org/techniques/T1070/002/
 logsource:
 product: linux
+ category: process_creation
 detection:
 keywords:
 - Commands|contains:
@@ -15,6 +16,8 @@ detection:
 - 'shred -u /var/log*'
 - 'echo * > /var/log*'
 - 'rmdir * /var/log*'
+ - 'rm * /private/var/audit/*'
+ - 'rm * /private/var/log/system.log*'
 condition: keywords
 falsepositives:
 - Legitimate administration activities
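Review bot: The two patterns appended to the keyword list in the second hunk, `rm * /private/var/audit/*` and `rm * /private/var/log/system.log*`, are macOS paths (the `/private/var/audit` BSM audit directory and `/private/var/log/system.log` have no counterpart on a stock Linux host), yet the logsource still declares `product: linux`, so on a Linux process_creation feed these entries can never match and only blur what this rule is meant to cover. Either move them to a macOS-scoped rule under rules/macos/ with `product: macos`, or, if one cross-platform rule is intended, widen the logsource deliberately and state both platforms in the description so reviewers and backends see the scope. In the first hunk the new `category: process_creation` means the `Commands` selector is now resolved through process_creation field mappings; I cannot see those mappings from here, but `CommandLine` is the conventional field for that category, so confirm the selector still resolves rather than silently matching nothing. The `detection:` block that both hunks modify starts before the second hunk.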