diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index 0599cdb0b..94b77fed6 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -42,7 +42,9 @@ file where event.type == "deletion" and
 "/var/log/syslog",
 "/var/log/messages",
 "/var/log/secure",
-"/var/log/auth.log"
+"/var/log/auth.log",
+"/var/log/boot.log",
+"/var/log/kern.log"
 ) and
 not process.name : ("gzip")
 '''
@@ -54,7 +56,10 @@ framework = "MITRE ATT&CK"
 id = "T1070"
 name = "Indicator Removal on Host"
 reference = "https://attack.mitre.org/techniques/T1070/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1070.002"
+name = "Clear Linux or Mac System Logs"
+reference = "https://attack.mitre.org/techniques/T1070/002/"
 [rule.threat.tactic]
 id = "TA0005"
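Review bot: The two paths added in the second hunk, `/var/log/boot.log` and `/var/log/kern.log`, are rotated and recreated on a schedule by logrotate/rsyslog on the distributions that write them, and the hunk's only exclusion, `not process.name : ("gzip")`, does not cover the rotating process itself, so routine rotation will produce exactly the deletion events this rule alerts on. `process.name` is also chosen by whoever launches the binary, so an adversary can copy `rm` or `shred` to a file named `gzip` and walk past the exclusion; it should be treated as noise reduction, not a security boundary. Unless the rule's `false_positives` field (outside this hunk) already says so, I would add an entry along the lines of `"Scheduled log rotation by logrotate or rsyslog removes or recreates these files; tune the process.name exclusion to the host's rotation setup."`. Since the same commit maps the rule to T1070.002, which also covers login-accounting files, `/var/log/wtmp`, `/var/log/btmp` and `/var/log/lastlog` are worth considering for the same list. The EQL query this array belongs to begins before the hunk.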