
Summary
This rule monitors syslog for messages that indicate a tainted kernel module has been loaded, a common technique used by rootkits to evade detection. In this context a tainted kernel module is one that failed signature verification, which implies a possible unauthorized or malicious modification to the kernel. Because rootkits often use kernel modules to maintain persistence or evade security controls, detecting these loads is critical for system integrity. The rule uses KQL (Kibana Query Language) to filter syslog events and alert on the specific condition of a signature-verification failure during module loading. It requires Filebeat as a data source, configured to collect syslog messages from Linux systems; setup is straightforward and consists of enabling the System module in Filebeat. Triage guidance for the resulting alerts covers analysis of the syslog entries, verification of the module's legitimacy, and consideration of potential false positives from custom modules and hardware drivers.
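The detection logic run over a few constructed syslog lines, added here as an illustration and not the rule's own KQL or any Filebeat configuration. It assumes the kernel's "module verification failed: signature and/or required key missing - tainting kernel" message text, BSD-style syslog formatting, and a hypothetical allowlist of modules the organisation already knows are unsigned (the custom-module and hardware-driver false positives the triage guidance mentions).

```python
import re
from dataclasses import dataclass

# Constructed syslog sample (not from any real host); the kernel message text
# is the one the Linux kernel emits when a module fails signature verification.
SAMPLE_SYSLOG = """\
Oct 23 10:14:01 host1 kernel: [  123.456] usbcore: registered new interface driver usbhid
Oct 23 10:15:07 host1 kernel: [  189.002] unknown_mod: module verification failed: signature and/or required key missing - tainting kernel
Oct 23 10:15:07 host1 kernel: [  189.003] unknown_mod: loading out-of-tree module taints kernel.
Oct 23 10:16:30 host1 sshd[1023]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Oct 23 10:20:11 host1 kernel: [  492.110] vendor_nic: module verification failed: signature and/or required key missing - tainting kernel
"""
# Generic BSD-style syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Kernel message: optional "[ uptime]" prefix, module name, then the taint text
TAINT_RE = re.compile(
    r"^(?:\[\s*[\d.]+\]\s*)?(?P<module>[\w-]+): module verification failed: "
    r"signature and/or required key missing - tainting kernel$"
)

@dataclass
class Finding:
    timestamp: str
    host: str
    module: str
    verdict: str  # "alert" or "known_unsigned"

def detect_tainted_loads(syslog_text, allowlist=frozenset()):
    """Return one Finding per kernel signature-verification failure; modules in
    allowlist (known unsigned custom/vendor drivers) are flagged for review only."""
    findings = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "kernel":
            continue  # only the kernel emits taint messages
        t = TAINT_RE.match(m.group("msg"))
        if not t:
            continue  # other kernel lines (incl. out-of-tree taints) are out of scope
        module = t.group("module")
        verdict = "known_unsigned" if module in allowlist else "alert"
        findings.append(Finding(m.group("ts"), m.group("host"), module, verdict))
    return findings

if __name__ == "__main__":
    for f in detect_tainted_loads(SAMPLE_SYSLOG, allowlist={"vendor_nic"}):
        print(f)
```

On the sample input the unknown module produces an alert while the allowlisted vendor driver is only marked for review; the "out-of-tree" taint line is deliberately not matched because the rule keys on signature failure.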
Categories
- Endpoint
- Linux
Data Sources
- File
ATT&CK Techniques
- T1547
- T1547.006
- T1014
Created: 2023-10-23