Many attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise record their activity. This detection aims to identify an attacker's attempts to conceal themselves by destroying log data.
This detection monitors the deletion of any log files under /var/log, which is where many critical Linux log files are stored.
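The matching logic described above, as an added example that is not the original rule's code: it runs over constructed syscall events (assumed fields: syscall name, resolved path, process name, pid) and flags calls that remove or empty a file under /var/log. Path normalisation keeps `/var/logs/` and `/tmp/var/log/` from matching while `/var/log//x` and `/var/log/../log/x` still do; the optional process allowlist (for expected log handling such as logrotate) is an assumption, empty by default so every deletion is reported as the text describes.

```python
import os
from dataclasses import dataclass

LOG_DIR = "/var/log"
# Syscalls that remove, rename away or empty a file; each is a way to destroy log data.
DESTRUCTIVE_SYSCALLS = {"unlink", "unlinkat", "rename", "renameat", "truncate", "ftruncate"}


@dataclass
class SyscallEvent:
    syscall: str
    path: str   # resolved target path of the call
    comm: str   # name of the calling process
    pid: int


def under_log_dir(path: str) -> bool:
    # Normalise so "/var/log//x" and "/var/log/../log/x" match but "/var/logs/x" does not.
    return os.path.normpath(path).startswith(LOG_DIR + "/")


def is_log_destruction(ev: SyscallEvent) -> bool:
    return ev.syscall in DESTRUCTIVE_SYSCALLS and under_log_dir(ev.path)


def detect(events, allowlist=frozenset()):
    """Return events that destroy files under /var/log, minus allowlisted process names
    (assumed tunable; empty by default so any deletion is reported)."""
    return [ev for ev in events if is_log_destruction(ev) and ev.comm not in allowlist]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    SyscallEvent("unlink",   "/var/log/auth.log",      "rm",        4242),
    SyscallEvent("unlinkat", "/var/log//wtmp",         "bash",      4243),
    SyscallEvent("truncate", "/var/log/../log/syslog", "sh",        4244),
    SyscallEvent("rename",   "/var/log/secure",        "logrotate", 1001),
    SyscallEvent("openat",   "/var/log/auth.log",      "tail",      4245),  # read only, not destruction
    SyscallEvent("unlink",   "/var/logs/app.log",      "rm",        4246),  # sibling directory, not /var/log
    SyscallEvent("unlink",   "/tmp/var/log/x.log",     "rm",        4247),  # outside /var/log
]


def flagged_paths(allowlist=frozenset()):
    return [os.path.normpath(ev.path) for ev in detect(SAMPLE_EVENTS, allowlist)]


if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={ev.pid} comm={ev.comm} {ev.syscall} {ev.path}")
```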