
System Shutdown or Reboot

Anvilogic Forge

Summary
This detection rule identifies shutdowns and reboots of systems, which adversaries use to disrupt access to a host or to complete a destructive action such as a ransomware payload that restarts the machine after encrypting files. The rule queries process events from EDR logs on Linux and macOS endpoints over the last two hours for the commands that stop or restart the host: 'shutdown', 'reboot', 'halt' and 'poweroff'. Matching on these commands surfaces activity associated with malware families such as BlackByte, Conti and DirtyMoe and supports early mitigation of impacts on system availability. Administrators and patch automation run the same commands, so the rule is expected to be tuned by user, host and maintenance window; the advantage of process-level EDR telemetry is that it records which user and parent process issued the command, which is what separates an unusual or unauthorized shutdown from a routine one.
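As an added illustration (not Anvilogic's rule logic, which this page does not show), the following Python applies the same idea to a few constructed process events: it keeps only events inside a two-hour lookback, resolves the executed binary's basename so that a line like `grep reboot /var/log/system.log` does not match, and classifies the four commands named above. It also extends the match to `systemctl` and `init`/`telinit` invocations and ignores `shutdown -c`, which cancels a pending shutdown; those extensions and the event field names (`ts`, `host`, `user`, `cmdline`) are assumptions for the example, not part of the rule as described.

```python
import shlex
from datetime import datetime, timedelta, timezone
from os.path import basename
from typing import Optional

# Commands the rule looks for, executed directly (from the page).
SHUTDOWN_CMDS = {"shutdown", "reboot", "halt", "poweroff"}
# Assumed extensions: systemd and SysV front-ends that reach the same outcome.
SYSTEMCTL_VERBS = {"poweroff", "reboot", "halt"}
INIT_RUNLEVELS = {"0": "poweroff", "6": "reboot"}


def classify_shutdown(cmdline: str) -> Optional[str]:
    """Return the shutdown/reboot verb a command line invokes, or None."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:              # unbalanced quotes: fall back to a naive split
        tokens = cmdline.split()
    # Peel off a leading sudo and its short flags so "sudo -n reboot" still matches.
    # Simplification: flags that take a value (e.g. "sudo -u root") are not handled.
    if tokens and basename(tokens[0]) == "sudo":
        tokens = tokens[1:]
        while tokens and tokens[0].startswith("-"):
            tokens = tokens[1:]
    if not tokens:
        return None
    cmd, args = basename(tokens[0]), tokens[1:]
    if cmd in SHUTDOWN_CMDS:
        if cmd == "shutdown" and "-c" in args:
            return None             # assumption: cancelling a pending shutdown is benign
        if cmd == "shutdown" and "-r" in args:
            return "reboot"
        return cmd
    if cmd == "systemctl" and args and args[0] in SYSTEMCTL_VERBS:
        return args[0]
    if cmd in ("init", "telinit") and args and args[0] in INIT_RUNLEVELS:
        return INIT_RUNLEVELS[args[0]]
    return None


def find_shutdown_events(events, now: datetime, window: timedelta = timedelta(hours=2)):
    """Filter process events to shutdown/reboot commands inside the lookback window."""
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ts < now - window or ts > now:
            continue                # outside the two-hour window the rule searches
        verb = classify_shutdown(ev["cmdline"])
        if verb:
            hits.append({**ev, "verb": verb})
    return hits


# Constructed sample events; not real EDR output.
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"ts": "2024-02-09T11:42:00+00:00", "host": "web-01", "user": "www-data",
     "cmdline": "/sbin/shutdown -h now"},
    {"ts": "2024-02-09T11:43:10+00:00", "host": "db-02", "user": "root",
     "cmdline": "sudo systemctl reboot"},
    {"ts": "2024-02-09T11:50:00+00:00", "host": "mac-07", "user": "alice",
     "cmdline": "grep reboot /var/log/system.log"},       # keyword in an argument, not a command
    {"ts": "2024-02-09T11:55:00+00:00", "host": "web-01", "user": "root",
     "cmdline": "shutdown -c"},                            # cancels a pending shutdown
    {"ts": "2024-02-09T08:00:00+00:00", "host": "build-03", "user": "ci",
     "cmdline": "/sbin/reboot"},                           # four hours old, outside the window
    {"ts": "2024-02-09T11:58:00+00:00", "host": "db-02", "user": "root",
     "cmdline": "/sbin/init 0"},
]

if __name__ == "__main__":
    for hit in find_shutdown_events(SAMPLE_EVENTS, NOW):
        print(f"{hit['ts']} {hit['host']} {hit['user']}: {hit['verb']} <- {hit['cmdline']}")
```

The unprivileged `www-data` account issuing `shutdown -h now` on a web server is the kind of hit that deserves triage; the `root` reboot on a database host may be a maintenance window, which is why the user and host fields are carried through into each hit.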
Categories
  • Endpoint
  • Linux
  • macOS
Data Sources
  • Process
ATT&CK Techniques
  • T1529 (System Shutdown/Reboot)
Created: 2024-02-09