
Summary
This detection rule analyzes execution of the 'gdrive' tool on Linux systems, a command-line utility for managing Google Drive. Because of these capabilities, 'gdrive' can be abused by malicious actors to stage tooling and exfiltrate sensitive data, which may lead to significant data compromise. The rule uses data sourced from Endpoint Detection and Response (EDR) agents, focusing on key parameters including process names and command-line executions. Specifically, it identifies instances where 'gdrive' is invoked with command patterns indicative of data handling (such as download, upload, list, etc.). This helps monitor potentially malicious usage of the tool and provides insight into user actions that may pose a risk to system integrity and data confidentiality. If any such activity is confirmed as malicious, it can indicate a serious security issue that warrants immediate attention.
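The two conditions the summary describes (the executed process is 'gdrive', and its command line carries a data-handling subcommand) can be exercised against sample telemetry. The following is an added example written for this page, not the rule's own detection logic or any vendor's code: it assumes JSON-lines EDR process events with Sysmon-for-Linux style field names (Image, CommandLine, User), limits the pattern set to the three subcommands the summary names (download, upload, list), and constructs its own sample events. The grep event shows why the process-name check matters: a command line containing "upload" is not enough on its own.

```python
import json
import os
import shlex
from typing import Iterable, List

# Command patterns the rule summary names explicitly (download, upload, list).
# The page says "etc.", so the real rule may cover more; none are assumed here.
GDRIVE_COMMAND_PATTERNS = {"download", "upload", "list"}


def is_gdrive_process(image: str) -> bool:
    """True when the executed binary's basename is 'gdrive', whatever its install path."""
    return os.path.basename(image) == "gdrive"


def command_tokens(cmdline: str) -> List[str]:
    """Split a command line into argv-style tokens; fall back to a whitespace split
    when quoting is unbalanced so a malformed line is still inspected rather than skipped."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def matches_gdrive_rule(event: dict) -> bool:
    """Apply both conditions from the summary: process name is gdrive and the
    command line contains one of the data-handling subcommands."""
    if not is_gdrive_process(event.get("Image", "")):
        return False
    tokens = command_tokens(event.get("CommandLine", ""))
    # Skip argv[0] so the binary name itself never satisfies the pattern check.
    return any(tok in GDRIVE_COMMAND_PATTERNS for tok in tokens[1:])


def scan_events(lines: Iterable[str]) -> List[dict]:
    """Run the rule over JSON-lines EDR process events and return the matching events."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is dropped, not matched
        if matches_gdrive_rule(event):
            hits.append(event)
    return hits


# Constructed sample telemetry (field names assumed, Sysmon-for-Linux style);
# not real EDR output.
SAMPLE_EVENTS = [
    '{"Image": "/usr/local/bin/gdrive", "CommandLine": "gdrive upload /home/alice/report.pdf", "User": "alice"}',
    '{"Image": "/usr/local/bin/gdrive", "CommandLine": "gdrive list", "User": "alice"}',
    '{"Image": "/usr/local/bin/gdrive", "CommandLine": "gdrive --help", "User": "bob"}',
    '{"Image": "/usr/bin/grep", "CommandLine": "grep -r upload /var/log/app", "User": "bob"}',
    '{"Image": "/usr/bin/ls", "CommandLine": "ls -la /opt", "User": "carol"}',
]

if __name__ == "__main__":
    # Only the first two sample events satisfy both conditions.
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"ALERT T1567 gdrive data handling: user={hit['User']} cmd={hit['CommandLine']}")
```

Matching on the basename of Image rather than on the raw command-line string keeps the rule from firing on unrelated processes whose arguments happen to mention gdrive or one of the subcommands, while still catching the tool wherever it is installed. Triage of a hit would then look at the user, the referenced file paths and whether 'gdrive' is expected on that host.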
Categories
- Linux
- Endpoint
Data Sources
- Pod
ATT&CK Techniques
- T1567
Created: 2025-08-01