
Summary
This rule detects attempts to create or rename the SELinux configuration file (/etc/selinux/config) on Linux systems, which may indicate an adversary trying to weaken system security by disabling or altering SELinux policies. The rule uses Elastic’s EQL to match file creation and rename events for that specific path. It applies to environments where the Elastic Defend integration is deployed, since that integration supplies the endpoint file-event monitoring and logging the rule depends on. The rule is assigned low severity, but the activity it flags maps to Defense Evasion in the MITRE ATT&CK framework (T1562, T1562.001). Proper configuration and integration of Elastic Defend in the Elastic Stack are prerequisites for the alerting and logging needed for a timely response to potential security incidents.
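As an added illustration of the matching logic this rule describes (example code written for this page, not Elastic’s rule or its EQL query), the check run over constructed Elastic Defend-style file events; it also flags a rename away from the path, using the assumed field file.Ext.original.path for a rename’s previous location.

```python
# Added example (not the Elastic rule's query): the detection logic applied to
# constructed, ECS-shaped Elastic Defend file events. The field
# file.Ext.original.path for a rename's previous path is an assumption.
SELINUX_CONFIG = "/etc/selinux/config"
TRIGGER_TYPES = {"creation", "rename"}

def _evt(host, etype, path, proc, category="file", orig=None):
    """Build a constructed, simplified ECS-style event document."""
    ev = {"host": {"name": host}, "event": {"category": [category], "type": [etype]},
          "file": {"path": path}, "process": {"executable": proc}}
    if orig:
        ev["file"]["Ext"] = {"original": {"path": orig}}
    return ev

# Constructed sample events: one in-place edit, one creation, two renames, one non-file event.
SAMPLE_EVENTS = [
    _evt("web-01", "change", SELINUX_CONFIG, "/usr/bin/vim"),
    _evt("web-01", "creation", SELINUX_CONFIG, "/usr/bin/cp"),
    _evt("db-02", "rename", SELINUX_CONFIG, "/usr/bin/mv", orig="/tmp/config"),
    _evt("db-02", "rename", "/etc/selinux/config.bak", "/usr/bin/mv", orig=SELINUX_CONFIG),
    _evt("db-02", "start", "", "/usr/bin/curl", category="network"),
]

def _get(doc, *keys):
    """Walk nested dict keys; return None where the path is missing."""
    for k in keys:
        if not isinstance(doc, dict) or k not in doc:
            return None
        doc = doc[k]
    return doc

def matches(event):
    """True for a file creation/rename event whose new or previous path is the SELinux config."""
    if "file" not in (_get(event, "event", "category") or []):
        return False
    if not TRIGGER_TYPES & set(_get(event, "event", "type") or []):
        return False
    paths = (_get(event, "file", "path"), _get(event, "file", "Ext", "original", "path"))
    return SELINUX_CONFIG in paths

def detect(events):
    """Return one alert dict per matching event, tagged with the ATT&CK mapping."""
    return [{"host": _get(ev, "host", "name"),
             "type": _get(ev, "event", "type")[0],
             "path": _get(ev, "file", "path"),
             "process": _get(ev, "process", "executable"),
             "attack": ["T1562", "T1562.001"], "severity": "low"}
            for ev in events if matches(ev)]
```

Note that the in-place edit (event.type "change") is deliberately not matched, mirroring the rule's scope of creation and rename only.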
Categories
- Endpoint
- Linux
Data Sources
- File
- Application Log
- User Account
ATT&CK Techniques
- T1562
- T1562.001
Created: 2024-08-28