Tainted Out-Of-Tree Kernel Module Load

Elastic Detection Rules

Summary
This rule monitors the syslog log file for messages indicating that an out-of-tree kernel module has been loaded, an event that taints the kernel and causes it to emit warnings about compromised integrity. Rootkits often use kernel modules to evade detection and maintain persistence, so detecting such loads is integral to system security. The rule implements a query scoped to Linux hosts that captures events where the kernel reports tainting due to an out-of-tree module. It requires syslog data to be ingested, which means Filebeat must be set up to forward the logs and index them into Elasticsearch.

The severity is rated as low, because these events can include legitimate kernel module usage, but they still require diligence to rule out malicious activity. Investigative steps should include analyzing the syslog messages related to the tainted kernel, verifying the legitimacy of the loaded modules, and checking for any recent changes that could have introduced unapproved modules. False positives may arise from legitimate third-party drivers and from custom modules used in development and testing environments, so careful validation is needed. When a detection is confirmed, immediate action is recommended, such as isolating the system, unloading the suspicious modules, and conducting a thorough investigation to identify potential compromise.
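The following is an added example, not Elastic's rule query or code: it applies the same detection idea to classic syslog lines offline, matching the kernel's "loading out-of-tree module taints kernel" message, extracting host and module name, and then filtering out modules an operator has already vetted (the false-positive handling the summary describes). The log lines are constructed for illustration.

```python
import re

# Constructed sample syslog lines (not from any real system). The Linux
# module loader logs "<module>: loading out-of-tree module taints kernel."
# when a module built outside the kernel tree is inserted.
SAMPLE_SYSLOG = """\
Oct 26 09:12:01 web01 kernel: [  512.118402] usbcore: registered new interface driver usbhid
Oct 26 09:13:44 web01 kernel: [  615.003911] evil_mod: loading out-of-tree module taints kernel.
Oct 26 09:13:44 web01 kernel: [  615.004002] evil_mod: module verification failed: signature and/or required key missing - tainting kernel
Oct 26 09:14:10 web01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Oct 26 09:20:02 db02 kernel: [ 1020.771120] vboxdrv: loading out-of-tree module taints kernel.
"""

# Classic BSD-style syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Kernel message body, with the optional "[ seconds.micros]" uptime prefix
TAINT_RE = re.compile(
    r"^(?:\[\s*[\d.]+\]\s*)?(?P<module>[\w-]+): "
    r"loading out-of-tree module taints kernel\.?$"
)


def find_tainted_module_loads(lines):
    """Return one record per out-of-tree module load found in syslog lines."""
    hits = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        # Only the kernel logs this message; skip other programs entirely
        if not m or m.group("prog") != "kernel":
            continue
        t = TAINT_RE.match(m.group("msg"))
        if not t:
            continue
        hits.append({"timestamp": m.group("ts"),
                     "host": m.group("host"),
                     "module": t.group("module")})
    return hits


def allowlisted(hits, known_modules):
    """Drop hits for modules an operator has vetted (e.g. vendor drivers)."""
    return [h for h in hits if h["module"] not in known_modules]


if __name__ == "__main__":
    for h in allowlisted(find_tainted_module_loads(SAMPLE_SYSLOG.splitlines()),
                         {"vboxdrv"}):
        print(f"{h['timestamp']} {h['host']}: out-of-tree module {h['module']}")
```

Each hit still needs the manual follow-up the summary lists (verify the module, check for recent changes); the allowlist only suppresses modules already reviewed.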
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Logon Session
  • Process
ATT&CK Techniques
  • T1547
  • T1547.006
  • T1014
Created: 2023-10-26