
Summary
This rule, authored by Elastic, detects the installation of root certificates on Linux systems, a technique adversaries use to make a certificate authority they control trusted by the host. Once an attacker-controlled root CA is in the system trust store, any certificate it signs passes validation, so TLS connections to command-and-control infrastructure raise no warnings and intercepted traffic can be decrypted and re-signed transparently. The rule uses EQL (Event Query Language) to match process start events for 'update-ca-trust' and 'update-ca-certificates', the tools that rebuild the system trust store on Red Hat- and Debian-derived distributions respectively, and excludes known legitimate parent processes to reduce false positives. It evaluates recent process events over a short rolling lookback window (the rule's time filter is expressed in minutes, not months). The rule requires the Elastic Defend integration, with Elastic Agent enrolled on the monitored endpoints so that process events reach the index the rule queries. Detailed investigation and remediation steps are included, emphasizing isolation of affected systems, review of the certificate that was added to the trust store, and continued monitoring for similar activity.
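The filter described above, reduced to its shape and run over constructed sample events. This is an added example, not Elastic's rule code or a query from this page: the nested field layout follows ECS naming (host.os.type, event.type, process.parent.name), while the allowlist of benign parent processes, the sample events and the `triage_summary` helper are assumptions chosen for illustration.

```python
"""Toy version of the rule's process filter, run over constructed sample events.

Added example, not Elastic's rule code: the allowlist of parent processes and
the sample events are assumptions chosen for illustration.
"""
from typing import Any, Iterable

# Tools that rebuild the system CA trust store (Red Hat / Debian families).
CA_UPDATE_TOOLS = {"update-ca-trust", "update-ca-certificates"}

# Hypothetical exclusions. The real rule carries its own list of known-benign
# parents; package managers are the obvious case, since upgrading a
# ca-certificates package legitimately runs these tools.
BENIGN_PARENTS = {"dpkg", "apt", "apt-get", "yum", "dnf", "rpm", "zypper"}


def field(event: dict[str, Any], path: str) -> Any:
    """Walk an ECS-style nested document by dotted path (e.g. 'process.name')."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def is_root_cert_install(event: dict[str, Any]) -> bool:
    """Mirror the rule's shape: a Linux process start of a CA update tool
    whose parent is not a known package manager."""
    if field(event, "host.os.type") != "linux":
        return False
    if field(event, "event.type") != "start" or field(event, "event.action") != "exec":
        return False
    if field(event, "process.name") not in CA_UPDATE_TOOLS:
        return False
    if field(event, "process.parent.name") in BENIGN_PARENTS:
        return False
    return True


def detect(events: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if is_root_cert_install(e)]


def triage_summary(event: dict[str, Any]) -> str:
    """One line an analyst wants in the alert: who ran what, from where."""
    return "{user} ran {cmd!r} under parent {parent} on {host}".format(
        user=field(event, "user.name"),
        cmd=" ".join(field(event, "process.args") or []),
        parent=field(event, "process.parent.name"),
        host=field(event, "host.name"),
    )


# Constructed sample events (not real telemetry), in a simplified ECS layout.
SAMPLE_EVENTS = [
    {   # interactive install from a shell: should alert
        "host": {"name": "web-01", "os": {"type": "linux"}},
        "event": {"type": "start", "action": "exec"},
        "user": {"name": "root"},
        "process": {"name": "update-ca-certificates",
                    "args": ["update-ca-certificates"],
                    "parent": {"name": "bash"}},
    },
    {   # package upgrade rebuilding the store: excluded by the allowlist
        "host": {"name": "web-01", "os": {"type": "linux"}},
        "event": {"type": "start", "action": "exec"},
        "user": {"name": "root"},
        "process": {"name": "update-ca-certificates",
                    "args": ["update-ca-certificates"],
                    "parent": {"name": "dpkg"}},
    },
    {   # process exit of the tool: wrong event type, no alert
        "host": {"name": "db-02", "os": {"type": "linux"}},
        "event": {"type": "end", "action": "end"},
        "user": {"name": "root"},
        "process": {"name": "update-ca-trust",
                    "args": ["update-ca-trust", "extract"],
                    "parent": {"name": "bash"}},
    },
    {   # scripted install from an unexpected parent: should alert
        "host": {"name": "db-02", "os": {"type": "linux"}},
        "event": {"type": "start", "action": "exec"},
        "user": {"name": "root"},
        "process": {"name": "update-ca-trust",
                    "args": ["update-ca-trust", "extract"],
                    "parent": {"name": "python3"}},
    },
    {   # unrelated process: no alert
        "host": {"name": "db-02", "os": {"type": "linux"}},
        "event": {"type": "start", "action": "exec"},
        "user": {"name": "www-data"},
        "process": {"name": "curl", "args": ["curl", "https://example.test"],
                    "parent": {"name": "bash"}},
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(triage_summary(hit))
```

The allowlist is where the tuning effort goes in practice: too narrow and every package upgrade pages an analyst, too broad and a script that launches the tool through an excluded parent slips past. Whatever the exclusions, the follow-up is the same: find which file was added under the CA source directory and decide whether that issuer belongs on the host.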
Categories
- Endpoint
- Linux
Data Sources
- Process
- File
- Network Traffic
ATT&CK Techniques
- T1553.004
- T1553
Created: 2024-08-28