From b6ffb10ab27e53f8bb8e4110b5106aeafdc9f30e Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Sat, 10 Aug 2024 10:04:56 +0200
Subject: [PATCH] [Rule Tuning] System Log File Deletion (#3970)
---
 rules/linux/defense_evasion_log_files_deleted.toml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index 446e8c07c..c18de6fb4 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/08/08"
 [rule]
 author = ["Elastic"]
@@ -86,27 +86,26 @@ file where host.os.type == "linux" and event.type == "deletion" and
 "/var/log/secure",
 "/var/log/auth.log",
 "/var/log/boot.log",
- "/var/log/kern.log"
+ "/var/log/kern.log",
+ "/var/log/dmesg"
 ) and not process.name in ("gzip", "executor", "dockerd")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1070.002"
 name = "Clear Linux or Mac System Logs"
 reference = "https://attack.mitre.org/techniques/T1070/002/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
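Review bot: The new `"/var/log/dmesg"` entry in the second hunk is, unlike the other listed files, rewritten at every boot on some distributions (Debian-derived systems rotate it with a boot-time script, if I recall the init handling correctly), so it is worth confirming on a clean reboot of such a host that the boot-time handling produces a rename rather than a deletion event before this goes to production, and adding the responsible process to the `not process.name in (...)` exclusion if it does not. As with the existing entries only the exact path is matched, so rotated copies (`/var/log/dmesg.0` and the like, where present) stay outside the rule either way; a one-line comment above the path list such as `# exact paths only; rotated copies are intentionally out of scope` would spare the next tuner from re-deriving that. The `file where` query this list belongs to starts outside the hunk, so its other conditions could not be checked here.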