
Summary
This detection rule identifies the abuse of common Linux system utilities, specifically grep and egrep, to probe for the presence of security software on a host. By monitoring process creation events and evaluating the command line arguments, it detects cases where grep or egrep is used to search for terms associated with known security software, such as 'nessusd', 'td-agent', 'packetbeat', 'filebeat', 'auditbeat', 'osqueryd', 'cbagentd', and 'falcond'. Because the rule keys on the grep or egrep process itself, an invocation buried in a shell pipeline (for example, piping the output of ps into grep) still produces a grep process creation event that is evaluated. This activity may indicate an attempt by an adversary to discover the defenses present on the system, which is often a precursor to further action against the host. The rule is currently marked as in a testing phase and has low severity, reflecting that legitimate activity, such as an administrator checking whether an agent is installed or running, can produce false positives. Security teams should analyze the context of each detection (the user, the parent process, and the surrounding command sequence) to differentiate benign usage from real adversarial intent.
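As an added example (not the rule's own implementation or code from the rule's authors), the following Python evaluates the detection logic described above over a handful of constructed process creation events. The event fields, the ProcessEvent dataclass and the sample command lines are assumptions chosen to illustrate the logic; the term list is the one given in the summary. It also shows why the match is keyed on the grep process rather than on the shell that launched it, and carries the user and parent process into each alert so the context the summary calls for is available at triage.

```python
"""Added example: grep/egrep security-software discovery detection logic.

The events below are constructed for illustration; they are not real telemetry.
"""
import os
from dataclasses import dataclass

# Terms associated with known security software (from the rule summary).
SECURITY_SOFTWARE_TERMS = (
    "nessusd", "td-agent", "packetbeat", "filebeat",
    "auditbeat", "osqueryd", "cbagentd", "falcond",
)

# The rule fires only on these binaries, not on the parent shell.
GREP_BINARIES = {"grep", "egrep"}


@dataclass
class ProcessEvent:
    """A process creation event (assumed field names, not a specific product schema)."""
    process_name: str   # executable name or path as logged
    command_line: str   # full command line of the new process
    parent_name: str    # parent process name, kept for triage context
    user: str           # user the process runs as


def matched_terms(event: ProcessEvent) -> list:
    """Return the security-software terms found in a grep/egrep command line.

    Matching is a case-insensitive substring test, so 'Filebeat' and a regex
    alternation such as 'nessusd|osqueryd' both match. Non-grep processes
    return an empty list even if their command line mentions a term.
    """
    if os.path.basename(event.process_name) not in GREP_BINARIES:
        return []
    cmd = event.command_line.lower()
    return [term for term in SECURITY_SOFTWARE_TERMS if term in cmd]


def evaluate(events: list) -> list:
    """Run the detection over a list of events and return one alert per hit."""
    alerts = []
    for ev in events:
        terms = matched_terms(ev)
        if terms:
            alerts.append({
                "user": ev.user,
                "parent": ev.parent_name,
                "command_line": ev.command_line,
                "terms": terms,
            })
    return alerts


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # The shell that launches the pipeline: mentions a term, but is not grep.
    ProcessEvent("bash", "bash -c 'ps aux | grep falcond'", "sshd", "www-data"),
    # The grep child spawned by that pipeline: this is what the rule matches.
    ProcessEvent("grep", "grep falcond", "bash", "www-data"),
    # egrep with a regex alternation of several agent names.
    ProcessEvent("egrep", "egrep -i 'nessusd|osqueryd|cbagentd' /tmp/ps.txt",
                 "bash", "www-data"),
    # Plausibly benign: a root maintenance script checking a log for an agent.
    ProcessEvent("/usr/bin/grep", "grep -c Filebeat /var/log/syslog",
                 "check_agents.sh", "root"),
    # Ordinary developer usage: no security-software term.
    ProcessEvent("grep", "grep -rn TODO /srv/app", "bash", "dev"),
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['user']} via {alert['parent']}] "
              f"{alert['command_line']!r} -> {alert['terms']}")
```

Three of the five constructed events produce alerts: the two from the unprivileged web user and the root maintenance script. The logic cannot tell those apart on its own, which is exactly why the alert carries the user and parent fields; a grep for an agent name spawned from an interactive shell under a service account deserves a closer look than the same command issued by a known maintenance script.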
Categories
- Linux
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1518.001
Created: 2020-10-19