Enumeration of Kernel Modules

Elastic Detection Rules

Summary
This detection rule identifies potential enumeration of Loadable Kernel Modules (LKMs) on Linux hosts, which can indicate an adversary gathering system information or trying to identify vulnerabilities. LKMs extend kernel functionality without a system reboot, which makes them attractive to adversaries. The rule uses Elastic Defend data to monitor execution of kernel module commands such as 'lsmod' and 'modinfo', and of system utilities that can be used to list loaded kernel modules. By matching on specific process names and arguments while excluding known benign parent processes, it reduces false positives. Alerts are generated on specific criteria that must be validated against expected normal behaviour. The rule suggests a series of investigative steps, emphasising the need to correlate the alert with other security logs to establish whether the activity is legitimate before deciding on a response.
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1082
Created: 2020-04-23