Evidence hidden by deleting system log file

Classification:

attack

Tactic:

Technique:

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

What happened

The file {{ @file.path }} was deleted by the process {{ @process.comm }}. This may have been done to hide evidence.

Detect the removal of system log files in order to hide evidence of malicious activity.

Monitor the file system for the deletion of specific system logs.

Review the signal to understand how the file {{ @file.path }} was deleted.
If the activity is malicious, isolate the affected host to prevent further compromise.
Use related signals and other logs to find and repair the root cause.

Requires Agent version 7.27 or later.