
Summary
This analytic rule uses Linux Auditd logs to detect unauthorized modifications to Unix shell configuration files such as .bashrc and .profile. Because these files are executed whenever a shell starts, changes to them can signal an attempt to alter system behavior, run malicious commands, or elevate privileges. The rule continuously monitors a specified list of sensitive configuration files across system directories and user home directories. When unusual or unauthorized changes are detected, it generates alerts so that security teams can investigate, respond to potential threats, and mitigate risk effectively. By analyzing the frequency and timing of these modifications, analysts can better judge the context and urgency of the activity against the system.
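The following is an added example of the detection described above, written for this page and not the rule's own search logic. It parses a few constructed Auditd SYSCALL/PATH records (as produced by a `-w <path> -p wa` watch rule), flags events that modify files on a shell-configuration watchlist, and summarizes per-user bursts to support the frequency-and-timing analysis the summary mentions. The watchlist, the x86_64 syscall-number subset, and the sample log lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Watchlist of shell configuration files (constructed for this example; the
# rule maintains its own list).
SYSTEM_SHELL_CONFIGS = {"/etc/profile", "/etc/bashrc", "/etc/bash.bashrc", "/etc/zshrc"}
USER_SHELL_CONFIGS = {".bashrc", ".bash_profile", ".bash_login", ".profile", ".zshrc", ".zprofile"}

# Subset of x86_64 syscall numbers needed to interpret the sample records.
SYSCALL_NAMES = {2: "open", 257: "openat", 82: "rename", 264: "renameat",
                 87: "unlink", 263: "unlinkat", 90: "chmod", 268: "fchmodat",
                 92: "chown", 76: "truncate"}
ALWAYS_MODIFYING = {"rename", "renameat", "unlink", "unlinkat",
                    "chmod", "fchmodat", "chown", "truncate"}
O_WRONLY, O_RDWR, O_TRUNC = 0x1, 0x2, 0x200

# Constructed sample Auditd records: one write by alice, one read by alice,
# a chmod of /etc/bashrc under sudo, a harmless write by bob, and three
# rapid writes by bob to his own shell configuration files.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1731500000.101:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5600e7c2b1a0 a2=241 a3=1b6 uid=1001 auid=1001 comm="bash" exe="/usr/bin/bash" key="shell_config"
type=PATH msg=audit(1731500000.101:101): item=0 name="/home/alice/" nametype=PARENT
type=PATH msg=audit(1731500000.101:101): item=1 name="/home/alice/.bashrc" nametype=NORMAL
type=SYSCALL msg=audit(1731500000.102:102): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5600e7c2b2c0 a2=0 a3=0 uid=1001 auid=1001 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1731500000.102:102): item=0 name="/home/alice/.bashrc" nametype=NORMAL
type=SYSCALL msg=audit(1731500050.500:103): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=5600e7c2b3e0 a2=1ff a3=0 uid=0 auid=1000 comm="chmod" exe="/usr/bin/chmod" key="shell_config"
type=PATH msg=audit(1731500050.500:103): item=0 name="/etc/bashrc" nametype=NORMAL
type=SYSCALL msg=audit(1731500090.000:104): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5600e7c2b4f0 a2=241 a3=1b6 uid=1002 auid=1002 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1731500090.000:104): item=1 name="/home/bob/notes.txt" nametype=NORMAL
type=SYSCALL msg=audit(1731500100.000:105): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5600e7c2b500 a2=441 a3=1b6 uid=1002 auid=1002 comm="bash" exe="/usr/bin/bash" key="shell_config"
type=PATH msg=audit(1731500100.000:105): item=1 name="/home/bob/.profile" nametype=NORMAL
type=SYSCALL msg=audit(1731500110.000:106): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5600e7c2b510 a2=441 a3=1b6 uid=1002 auid=1002 comm="bash" exe="/usr/bin/bash" key="shell_config"
type=PATH msg=audit(1731500110.000:106): item=1 name="/home/bob/.profile" nametype=NORMAL
type=SYSCALL msg=audit(1731500120.000:107): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5600e7c2b520 a2=441 a3=1b6 uid=1002 auid=1002 comm="bash" exe="/usr/bin/bash" key="shell_config"
type=PATH msg=audit(1731500120.000:107): item=1 name="/home/bob/.bash_profile" nametype=NORMAL
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'k=v k2="v 2"' into a dict, stripping the quotes auditd adds."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(body)}


def is_sensitive(path):
    """True for system-wide shell configs or per-user dotfiles under /home or /root."""
    if path in SYSTEM_SHELL_CONFIGS:
        return True
    basename = path.rsplit("/", 1)[-1]
    return basename in USER_SHELL_CONFIGS and path.startswith(("/home/", "/root/"))


def intends_write(syscall_name, fields):
    """Decide whether the syscall can change the file; open/openat depend on flags."""
    if syscall_name in ALWAYS_MODIFYING:
        return True
    if syscall_name in ("open", "openat"):
        flag_arg = "a1" if syscall_name == "open" else "a2"  # auditd logs args in hex
        flags = int(fields.get(flag_arg, "0"), 16)
        return bool(flags & (O_WRONLY | O_RDWR | O_TRUNC))
    return False


def group_events(log_text):
    """Join the SYSCALL and PATH records that share one audit event id."""
    events = defaultdict(lambda: {"ts": None, "syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events[m.group("id")]
        ev["ts"] = float(m.group("ts"))
        fields = parse_fields(m.group("body"))
        if m.group("type") == "SYSCALL":
            ev["syscall"] = fields
        elif m.group("type") == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return events


def detect(log_text):
    """Return one alert per successful modifying syscall that touched a watched file."""
    alerts = []
    for event_id, ev in group_events(log_text).items():
        sc = ev["syscall"]
        if not sc or sc.get("success") != "yes":
            continue
        name = SYSCALL_NAMES.get(int(sc.get("syscall", -1)), "unknown")
        if not intends_write(name, sc):
            continue
        for path in ev["paths"]:
            if is_sensitive(path):
                alerts.append({"event_id": event_id, "ts": ev["ts"], "auid": sc.get("auid"),
                               "comm": sc.get("comm"), "exe": sc.get("exe"),
                               "syscall": name, "path": path})
    return alerts


def burst_by_user(alerts, window_seconds=60, threshold=3):
    """Frequency/timing view: largest cluster of alerts per login uid inside a window."""
    stamps_by_user = defaultdict(list)
    for a in alerts:
        stamps_by_user[a["auid"]].append(a["ts"])
    bursts = {}
    for auid, stamps in stamps_by_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= window_seconds)
            if count >= threshold:
                bursts[auid] = max(bursts.get(auid, 0), count)
    return bursts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['event_id']} auid={a['auid']} {a['comm']} {a['syscall']} {a['path']}")
    print("bursts:", burst_by_user(found))
```

Grouping by event id matters because the file name lives in the PATH record while the user, program and outcome live in the SYSCALL record; a search that keys only on the path will miss who made the change, and one that keys only on the syscall cannot tell a read of .bashrc from a write.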
Categories
- Linux
- Endpoint
Data Sources
- Pod
- File
- Process
- Container
- User Account
ATT&CK Techniques
- T1546.004
- T1546
Created: 2024-11-13