
Linux Auditd File Permissions Modification Via Chattr

Splunk Security Content

Summary
This detection identifies changes to file attributes on Linux hosts made with the `chattr` command. Although catalogued under ATT&CK T1222.002 (file and directory permissions modification), `chattr` does not change mode bits: it sets extended attributes such as immutable (`+i`), which blocks modification, renaming and deletion of a file even by root until the attribute is cleared, and append-only (`+a`). Attackers use these attributes to keep persistence artifacts from being removed or to protect tampered files from cleanup, and clear them (`-i`) when they need to edit a file an administrator locked; administrators use the same command legitimately to harden configuration files. The analytic monitors `auditd` process-execution records for `chattr` invocations so that attribute changes on critical files are surfaced for review. Implementing it requires forwarding `auditd` logs into Splunk and normalizing the field names to the Splunk Common Information Model (CIM) so that the search's field references resolve for Linux endpoints. Because deployment tooling and administrators do run `chattr` legitimately, expect false positives and tune the rule on known-good users, parent processes or target paths before alerting on it.
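The following Python is an added illustration of the logic the summary describes; it is not the Splunk rule's own SPL. It groups auditd `SYSCALL` and `EXECVE` records by their audit serial, maps the raw fields onto CIM-style process field names, and flags `chattr` invocations that add or remove the immutable (`i`) or append-only (`a`) attributes. The audit records are constructed samples in auditd's native text format, not captured from a real host, and the allowlisted prefix `/opt/app/release` is an assumed stand-in for a path a deployment tool legitimately locks, to show one way of handling the false-positive caveat.

```python
"""Added illustration: group auditd records and flag chattr attribute changes.
Not the Splunk rule's SPL; the sample records below are constructed, not captured."""
import re
from collections import defaultdict
from posixpath import basename

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Settable attribute letters per chattr(1); i (immutable) and a (append-only)
# are the ones that block modification, so they are the detection's signal.
ATTR_LETTERS = set("aAcCdDeFijmNPsStTux")
SUSPICIOUS_ATTRS = {"i", "a"}
OPTION_FLAGS = {"-R", "-V", "-f"}      # chattr options that take no value
OPTION_WITH_VALUE = {"-v", "-p"}       # options that consume the next argument
ALLOWLISTED_PREFIXES = ("/opt/app/release",)  # assumed known-good deployment path

# Constructed sample: two records per execve, sharing an audit serial.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1737000000.101:4001): syscall=59 success=yes exit=0 ppid=1502 pid=1510 auid=1000 uid=0 euid=0 comm="chattr" exe="/usr/bin/chattr" key="exec"
type=EXECVE msg=audit(1737000000.101:4001): argc=3 a0="chattr" a1="+i" a2="/etc/passwd"
type=SYSCALL msg=audit(1737000000.102:4002): syscall=59 success=yes exit=0 ppid=1502 pid=1511 auid=1000 uid=0 euid=0 comm="chattr" exe="/usr/bin/chattr" key="exec"
type=EXECVE msg=audit(1737000000.102:4002): argc=3 a0="chattr" a1="-i" a2="/etc/resolv.conf"
type=SYSCALL msg=audit(1737000000.103:4003): syscall=59 success=yes exit=0 ppid=1502 pid=1512 auid=1000 uid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1737000000.103:4003): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1737000000.104:4004): syscall=59 success=yes exit=0 ppid=2201 pid=2210 auid=4294967295 uid=0 euid=0 comm="chattr" exe="/usr/bin/chattr" key="exec"
type=EXECVE msg=audit(1737000000.104:4004): argc=3 a0="chattr" a1="+a" a2="/var/log/audit/audit.log"
type=SYSCALL msg=audit(1737000000.105:4005): syscall=59 success=yes exit=0 ppid=3001 pid=3010 auid=1001 uid=0 euid=0 comm="chattr" exe="/usr/bin/chattr" key="exec"
type=EXECVE msg=audit(1737000000.105:4005): argc=4 a0="/usr/bin/chattr" a1="-R" a2="+i" a3="/opt/app/release"
type=SYSCALL msg=audit(1737000000.106:4006): syscall=59 success=yes exit=0 ppid=1502 pid=1513 auid=1000 uid=1000 euid=1000 comm="chattr" exe="/usr/bin/chattr" key="exec"
type=EXECVE msg=audit(1737000000.106:4006): argc=3 a0="chattr" a1="+c" a2="/home/alice/big.db"
"""


def parse_fields(line):
    """Split key=value pairs. EXECVE args holding spaces or control bytes are
    emitted by auditd unquoted and hex-encoded; decode those."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = raw.strip('"')
        elif re.fullmatch(r"a\d+", key) and re.fullmatch(r"[0-9A-Fa-f]+", raw) and len(raw) % 2 == 0:
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def group_events(log_text):
    """Merge the SYSCALL and EXECVE records that share one audit serial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        f = parse_fields(line)
        ev = events[m.group(2)]
        ev.setdefault("time", m.group(1))
        if f.get("type") == "EXECVE":
            ev["argv"] = [f.get(f"a{i}", "") for i in range(int(f.get("argc", 0)))]
        elif f.get("type") == "SYSCALL":
            ev.update({k: f.get(k) for k in ("comm", "exe", "pid", "ppid", "auid", "uid")})
    return events


def to_cim(serial, ev):
    """Map raw auditd fields onto CIM Endpoint.Processes-style field names."""
    argv = ev.get("argv", [])
    return {"event_id": serial, "process_exec": ev.get("comm"), "process_path": ev.get("exe"),
            "process": " ".join(argv), "process_id": ev.get("pid"),
            "parent_process_id": ev.get("ppid"), "user_id": ev.get("auid")}


def is_mode(arg):
    """A chattr mode argument: +, - or = followed only by attribute letters."""
    return len(arg) > 1 and arg[0] in "+-=" and set(arg[1:]) <= ATTR_LETTERS


def chattr_findings(log_text):
    findings = []
    for serial, ev in sorted(group_events(log_text).items()):
        argv = ev.get("argv", [])
        if not argv or basename(argv[0]) != "chattr":   # a0 may be a full path
            continue
        added, removed, targets, skip_next = set(), set(), [], False
        for arg in argv[1:]:
            if skip_next:
                skip_next = False
            elif arg in OPTION_FLAGS:
                continue
            elif arg in OPTION_WITH_VALUE:
                skip_next = True
            elif is_mode(arg):
                (added if arg[0] in "+=" else removed).update(arg[1:])
            else:
                targets.append(arg)
        hit_added, hit_removed = added & SUSPICIOUS_ATTRS, removed & SUSPICIOUS_ATTRS
        if not (hit_added or hit_removed):
            continue  # e.g. +c (compression) is not a tamper-protection change
        allowlisted = bool(targets) and all(t.startswith(ALLOWLISTED_PREFIXES) for t in targets)
        record = to_cim(serial, ev)
        record.update(targets=targets, added=sorted(hit_added), removed=sorted(hit_removed),
                      verdict="allowlisted" if allowlisted else "alert")
        findings.append(record)
    return findings


if __name__ == "__main__":
    for f in chattr_findings(SAMPLE_AUDIT_LOG):
        print(f["event_id"], f["verdict"], f["user_id"], f["process"])
```

Removal of the immutable attribute (`-i`) is reported alongside additions because an attacker must clear it before editing a file an administrator locked; the `auid` of `4294967295` on the fourth record is auditd's "unset" login UID, which is what a daemon or cron job without an interactive session looks like and is worth keeping in the CIM `user_id` field for triage.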
Categories
  • Linux
  • Endpoint
Data Sources
  • Logon Session
  • Process
  • File
ATT&CK Techniques
  • T1222.002
  • T1222
Created: 2025-01-16