Process Capability Enumeration

Elastic Detection Rules

Summary
This rule identifies potential misuse of the `getcap` command on Linux systems when it is run by a non-root user. `getcap` enumerates file capabilities, and adversaries can use that information to find binaries whose capabilities allow privilege escalation. The detection triggers when the command is executed with the arguments '-r' and '/' while the process is not running as root (user.id != "0"). The rule matches processes meeting these criteria in endpoint event logs from Elastic Defend and CrowdStrike. It is intended to help incident response teams investigate possible privilege escalation and unauthorized access attempts, since a user recursively scanning the filesystem may be looking for file capabilities that can be exploited.
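The following is an added example, not the rule's own query or any Elastic code: it applies the criteria stated above (process name `getcap`, arguments `-r` and `/`, user.id other than "0") to a handful of constructed process events. The dotted ECS-style field names (`process.name`, `process.args`, `user.id`, `user.name`, `host.name`) are an assumption about how the endpoint data is laid out, chosen so the sample matches what an analyst would see in Elastic.

```python
"""Added example: evaluate the getcap enumeration criteria over constructed process events."""
from typing import Iterable

# Constructed sample events (not real telemetry). Field names follow an ECS-like
# layout as an assumption; only process.name, process.args and user.id drive the logic.
SAMPLE_EVENTS = [
    # Non-root user recursively scanning from the filesystem root -> should alert.
    {"host.name": "web-01", "user.id": "1000", "user.name": "alice",
     "process.name": "getcap", "process.args": ["getcap", "-r", "/"]},
    # Same command as root -> excluded by the user.id != "0" condition.
    {"host.name": "web-01", "user.id": "0", "user.name": "root",
     "process.name": "getcap", "process.args": ["getcap", "-r", "/"]},
    # Single-file query, no recursion -> not the pattern the rule describes.
    {"host.name": "web-02", "user.id": "1000", "user.name": "alice",
     "process.name": "getcap", "process.args": ["getcap", "/usr/bin/ping"]},
    # Recursive but scoped to a subdirectory, not "/" -> does not meet the criteria.
    {"host.name": "web-02", "user.id": "1001", "user.name": "bob",
     "process.name": "getcap", "process.args": ["getcap", "-r", "/usr/bin"]},
    # Different binary with the same flags -> process.name does not match.
    {"host.name": "web-03", "user.id": "1000", "user.name": "alice",
     "process.name": "ls", "process.args": ["ls", "-r", "/"]},
]


def matches_getcap_enumeration(event: dict) -> bool:
    """Return True when the event meets the rule's stated criteria."""
    if event.get("process.name") != "getcap":
        return False
    args = event.get("process.args") or []
    # Both the recursive flag and the filesystem root must be present as arguments.
    if "-r" not in args or "/" not in args:
        return False
    # Root (uid 0) is excluded; an absent user.id is treated as unknown and kept.
    return event.get("user.id") != "0"


def find_alerts(events: Iterable[dict]) -> list[dict]:
    """Return the subset of events that would raise this detection, with triage fields."""
    alerts = []
    for event in events:
        if matches_getcap_enumeration(event):
            alerts.append({
                "host": event.get("host.name"),
                "user": event.get("user.name"),
                "uid": event.get("user.id"),
                "command": " ".join(event.get("process.args") or []),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT host={alert['host']} user={alert['user']} uid={alert['uid']} cmd='{alert['command']}'")
```

Only the first constructed event fires; the root execution, the single-file lookup, the subdirectory scan and the unrelated `ls` invocation all fall outside the criteria, which is why the returned alert carries the host, user and full command line an analyst needs to decide whether the scan was an administrator's audit or enumeration by a compromised account.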
Categories
  • Endpoint
  • Linux
  • Cloud
Data Sources
  • Process
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1057
Created: 2024-01-09