AN0471: Analytic 0471
Detects use of `clear history` or `clear logging` commands on network device CLI to remove past activity logs.
Analyst context for executives and security teams
This analytic matters because attempts to clear command history or logging on network devices can remove the evidence needed to understand what changed, who changed it, and whether network operations are still trustworthy. For executives and security leaders, the decision value is not just detecting two CLI commands; it is validating whether critical routing, switching, firewall, or other network infrastructure produces tamper-resistant activity records that SOC and incident response teams can use during an outage or suspected compromise.
Executive priority
Prioritize this as an operational resilience and audit-evidence issue for network infrastructure. Leaders should ask whether privileged network-device activity is centrally logged, retained outside the device, and reviewed quickly enough to support incident decisions. If local device logs can be cleared without independent evidence, investigations, compliance attestations, and root-cause analysis may be materially weakened.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into network device CLI activity and administrative command execution for Network Devices. The supplied analytic is focused on identifying use of `clear history` or `clear logging` commands intended to remove past activity logs. Because no official detection logic is provided, teams should implement and test environment-specific detections against centrally collected network-device command accounting, syslog, AAA/TACACS+/RADIUS records, and configuration/change-management records where available. Treat matches as context-dependent: legitimate administrators may clear logs during maintenance or troubleshooting, so alerts should be enriched with user identity, device criticality, change ticket context, session source, and nearby configuration or authentication events.
Likely telemetry
- Network device CLI command accounting records
- Syslog or equivalent network-device event logs
- AAA/TACACS+/RADIUS authentication and authorization logs
- Administrative session metadata such as user, source address, device, and timestamp
- Configuration change records or network change-management evidence
Detection direction
- Confirm that network device administrative commands are logged centrally before local device logs can be cleared.
- Create detections for observed `clear history` and `clear logging` command execution in network-device telemetry.
- Enrich alerts with administrator identity, source location, device role, maintenance window, and approved change record to reduce false positives.
- Look for surrounding evidence such as recent failed logins, privilege changes, configuration changes, or gaps in device logging after the command.
- Validate coverage across critical network device classes; the ATT&CK object only specifies Network Devices and does not provide vendor-specific logic.
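As an added example that is not part of the ATT&CK object or the Glexia analysis, the Python below sketches the detection and enrichment steps listed above: it parses constructed command-accounting lines, matches only `clear history` / `clear logging`, and enriches each hit with approved-change and session context. The line layout, device names, users, source addresses and change-window table are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of network-device command accounting lines in a simple
# "timestamp device source-ip user cmd=<command>" layout (the layout is an
# assumption; adapt LINE_RE to your AAA/TACACS+ export or syslog format).
SAMPLE_ACCOUNTING = """\
2024-05-02T02:14:07Z core-rtr-01 10.20.0.15 alice cmd=show running-config
2024-05-02T02:14:31Z core-rtr-01 10.20.0.15 alice cmd=clear logging
2024-05-02T09:03:10Z edge-fw-02 172.16.9.4 bob cmd=clear history
2024-05-02T09:05:00Z edge-fw-02 172.16.9.4 bob cmd=show version
2024-05-02T09:06:12Z dist-sw-03 172.16.9.4 bob cmd=clear counters
"""
# Constructed approved change records: device -> (user, window start, window end).
APPROVED_CHANGES = {
    "edge-fw-02": ("bob", datetime(2024, 5, 2, 8, 0), datetime(2024, 5, 2, 10, 0)),
}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+cmd=(?P<cmd>.+)$")
# Only the two commands named by the analytic; "clear counters" and similar must not match.
CLEAR_RE = re.compile(r"^\s*clear\s+(history|logging)\b", re.IGNORECASE)

def parse_accounting(text):
    """Parse accounting lines into dicts with a datetime timestamp; skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
    return records

def detect_log_clearing(records, approved, lookback=timedelta(minutes=10)):
    """Flag clear history / clear logging and enrich each hit with change-ticket
    and session context so an analyst can triage without pivoting elsewhere."""
    alerts = []
    for r in records:
        if not CLEAR_RE.match(r["cmd"]):
            continue
        change = approved.get(r["device"])
        in_window = bool(change) and change[0] == r["user"] and change[1] <= r["ts"] <= change[2]
        # Commands by the same user/source on this device in the preceding window:
        # a log clear with no recorded activity before it deserves a closer look.
        prior = [p["cmd"] for p in records
                 if (p["device"], p["user"], p["src"]) == (r["device"], r["user"], r["src"])
                 and r["ts"] - lookback <= p["ts"] < r["ts"]]
        alerts.append({"ts": r["ts"], "device": r["device"], "user": r["user"], "src": r["src"],
                       "cmd": r["cmd"].strip(), "approved_change": in_window,
                       "severity": "medium" if in_window else "high", "prior_cmds": prior})
    return alerts
```

In a real pipeline the accounting records would come from the central collector rather than an inline string, and the approved-change lookup from the change-management system.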
Mitigation priorities
- Centralize network-device logs and command accounting so evidence survives local log clearing.
- Restrict privileged CLI access to authorized administrators and require strong authentication through centralized identity/AAA controls.
- Require change-management justification for log-clearing activity and preserve approval evidence for audit and IR use.
- Review network-device logging configuration, retention, and forwarding reliability for critical infrastructure components.
- Test incident response procedures for cases where local network-device logs are missing or intentionally cleared.
Analyst notes and limits
This is a detection analytic, not a technique object, and the supplied ATT&CK fields provide a narrow behavior description with no tactic assignment, no relationship context, and no official detection logic. The strongest defensive use is as a validation prompt: can the organization prove who cleared network-device history or logs, on which device, and whether independent records remain available?
Assessment is limited to the supplied official STIX fields and external reference. No active exploitation, attribution, impact, vendor-specific command syntax beyond the supplied command strings, or guaranteed detection coverage is implied. Local device types, logging architecture, identity controls, and change-management practices are required to determine true risk and detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5eec356df032… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0471 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.