
Linux Auditd Add User Account

Splunk Security Content

Summary
This detection rule monitors the creation of new user accounts on Linux systems by watching for execution of commands such as 'useradd' or 'adduser'. It uses data from Linux Audit daemon (auditd) logs, specifically the process execution details captured via Endpoint Detection and Response (EDR) agents. Because attackers often create new accounts to persist on compromised machines, this detection is important for identifying potentially malicious activity that could lead to privilege escalation and broader system compromise. The rule is structured to analyze Linux audit logs efficiently: it processes the SYSCALL and EXECVE records that auditd emits for each process launch and filters on the command name to surface account creations, including unauthorized ones that could indicate a security breach.
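As an added example (not the page's own search logic and not Splunk Security Content code), the following Python script shows the correlation the summary describes in a runnable form: auditd writes a SYSCALL record and an EXECVE record for each execve() call, both carrying the same msg=audit(timestamp:serial) identifier, so the script groups records by that serial, rebuilds argv from the EXECVE a0..aN fields, and raises an alert when the executed program is useradd or adduser. The sample log lines, the audit key name "user_mgmt" and the last-argument heuristic for the new login name are constructed for illustration; it also decodes the hex-encoded argv elements auditd produces for arguments containing spaces, which a plain string match would miss.

```python
import re

# Constructed sample auditd records (not from the original page). Each execve()
# produces a SYSCALL record and an EXECVE record that share the same
# msg=audit(timestamp:serial) identifier; that identifier ties them together.
# The audit key "user_mgmt" and all pids/uids are made up for the example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1731500000.123:4201): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2218 auid=1000 uid=0 gid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="user_mgmt"
type=EXECVE msg=audit(1731500000.123:4201): argc=3 a0="useradd" a1="-m" a2="svc-backup"
type=SYSCALL msg=audit(1731500001.456:4202): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2230 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1731500001.456:4202): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1731500002.789:4203): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2241 auid=1000 uid=0 gid=0 euid=0 comm="adduser" exe="/usr/sbin/adduser" key="user_mgmt"
type=EXECVE msg=audit(1731500002.789:4203): argc=4 a0="adduser" a1="--gecos" a2=4261636B75702075736572 a3="tmpuser"
"""

# Command names the detection looks for, as named on the page.
ACCOUNT_CREATION_CMDS = {"useradd", "adduser"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def plain(value):
    """Strip the double quotes auditd puts around string fields."""
    return value.strip('"')


def decode_arg(raw):
    """Decode one EXECVE argv element.

    auditd writes an argument as unquoted hex when it contains a space,
    a quote or a non-printable byte, so a naive match on a0..aN would
    miss those; decode them back to text first.
    """
    if raw.startswith('"'):
        return plain(raw)
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line):
    """Split one auditd record into raw key=value fields plus its timestamp and serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    return fields


def correlate(log_text):
    """Group SYSCALL and EXECVE records by audit serial into one event per execve()."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"timestamp": rec["timestamp"], "serial": rec["serial"]})
        if rec["type"] == "SYSCALL":
            ev["syscall"] = {k: plain(v) for k, v in rec.items()}
        elif rec["type"] == "EXECVE":
            argc = int(rec.get("argc", "0"))
            ev["argv"] = [decode_arg(rec.get(f"a{i}", '""')) for i in range(argc)]
    return events


def detect_account_creation(log_text):
    """Return one alert per execve() whose program is useradd or adduser."""
    alerts = []
    for serial, ev in sorted(correlate(log_text).items(), key=lambda kv: int(kv[0])):
        argv = ev.get("argv") or []
        sc = ev.get("syscall", {})
        # Match on the executed program name (basename of argv[0]) and on comm,
        # so a full path such as /usr/sbin/useradd still matches.
        names = {argv[0].rsplit("/", 1)[-1]} if argv else set()
        if sc.get("comm"):
            names.add(sc["comm"])
        if not names & ACCOUNT_CREATION_CMDS:
            continue
        # Heuristic (assumption): for useradd/adduser the login name is the
        # last argument when it is not an option.
        candidate = argv[-1] if len(argv) > 1 and not argv[-1].startswith("-") else None
        alerts.append({
            "serial": serial,
            "timestamp": ev["timestamp"],
            "auid": sc.get("auid"),   # login uid: who actually logged in, even after sudo
            "uid": sc.get("uid"),
            "exe": sc.get("exe"),
            "argv": argv,
            "cmdline": " ".join(argv),
            "candidate_account": candidate,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_account_creation(SAMPLE_LOG):
        print(f"[{a['timestamp']}] serial={a['serial']} auid={a['auid']} uid={a['uid']} "
              f"exe={a['exe']} cmdline={a['cmdline']!r} account={a['candidate_account']}")
```

Running the script against the constructed log yields two alerts (serials 4201 and 4203) and ignores the 'ls' execution; the auid field is the one worth keeping in any alert, since it records the original login user even when the command ran under sudo, which is what makes an unexpected account creation attributable.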
Categories
  • Linux
  • Endpoint
Data Sources
  • Kernel
  • Logon Session
  • Process
  • File
ATT&CK Techniques
  • T1136.001
  • T1136
Created: 2024-11-13