
Summary
This detection rule identifies suspicious memory swap modification events on Linux systems, which may indicate malicious activity such as the deployment of cryptominer software like XMRig. The rule specifically looks for processes running the 'swapon' and 'swapoff' commands, which enable and disable swap space in Linux. It also checks the command line for attempts to modify the virtual memory swappiness parameter (vm.swappiness) using system tools like 'sysctl'. By monitoring these behaviors, the rule aims to surface unauthorized resource usage and the performance degradation that accompanies it. Triage steps involve examining parent processes, command line arguments, user context, recent performance issues, correlating with other alerts, and investigating unauthorized software installations. It also provides guidance on handling false positives and suggests a series of response actions if a potential threat is detected. The rule requires integration with Elastic Defend and is applicable to Linux environments, intended for production use.
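The following is an added example, not the rule's own query or Elastic code, showing the described logic applied to constructed process events: it flags 'swapon'/'swapoff' executions and command lines that change vm.swappiness through 'sysctl', and carries the parent process and user through to the alert so the triage steps above can be worked from the output. The ProcessEvent fields, the sample events, and the extra check for direct writes to /proc/sys/vm/swappiness (which the page does not mention) are assumptions made for the example.

```python
"""Stand-in detector for suspicious swap modification on Linux (example code).

The field names, sample events and the /proc/sys/vm/swappiness check are
constructed for this example and are not taken from the detection rule itself.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-start event (field names are an assumption)."""
    process_name: str
    command_line: str
    parent_name: str
    user: str


# Commands that enable/disable swap space, as named in the rule summary.
SWAP_CONTROL_TOOLS = {"swapon", "swapoff"}
# Direct procfs path for the same tunable (assumed extension, not on the page).
SWAPPINESS_PATH = "/proc/sys/vm/swappiness"


def swappiness_write_via_sysctl(event: ProcessEvent) -> bool:
    """True when sysctl is invoked with a vm.swappiness=<value> argument.

    A plain 'sysctl vm.swappiness' only reads the value, so it is not flagged.
    """
    if event.process_name != "sysctl":
        return False
    try:
        args = shlex.split(event.command_line)
    except ValueError:  # unbalanced quotes; treat as non-matching
        return False
    return any(arg.startswith("vm.swappiness=") for arg in args[1:])


def swappiness_write_via_procfs(event: ProcessEvent) -> bool:
    """True when a shell redirection targets /proc/sys/vm/swappiness."""
    cmd = event.command_line
    if SWAPPINESS_PATH not in cmd:
        return False
    # A '>' before the path indicates a write redirection rather than a read.
    return ">" in cmd.split(SWAPPINESS_PATH, 1)[0]


def classify(event: ProcessEvent) -> Optional[str]:
    """Return the reason an event matches, or None when it does not."""
    if event.process_name in SWAP_CONTROL_TOOLS:
        return f"swap space control via {event.process_name}"
    if swappiness_write_via_sysctl(event):
        return "vm.swappiness changed via sysctl"
    if swappiness_write_via_procfs(event):
        return "vm.swappiness changed via procfs write"
    return None


def evaluate(events: List[ProcessEvent]) -> List[dict]:
    """Run the detection over a batch of events and build triage-ready alerts."""
    alerts = []
    for event in events:
        reason = classify(event)
        if reason is None:
            continue
        alerts.append({
            "reason": reason,
            "process": event.process_name,
            "command_line": event.command_line,
            "parent": event.parent_name,   # triage: who launched it?
            "user": event.user,            # triage: expected context?
        })
    return alerts


# Constructed sample telemetry; not real data.
SAMPLE_EVENTS = [
    ProcessEvent("swapon", "swapon /dev/sda2", "systemd", "root"),          # boot-time, likely benign
    ProcessEvent("sysctl", "sysctl -w vm.swappiness=10", "bash", "root"),   # interactive tuning
    ProcessEvent("sysctl", "sysctl vm.swappiness", "bash", "root"),         # read only, no alert
    ProcessEvent("swapoff", "swapoff -a", "sh", "www-data"),                # web user disabling swap
    ProcessEvent("sh", "sh -c 'echo 0 > /proc/sys/vm/swappiness'", "cron", "www-data"),
    ProcessEvent("ls", "ls -la /tmp", "bash", "alice"),                     # unrelated
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['reason']}] user={alert['user']} parent={alert['parent']} "
              f"cmd={alert['command_line']}")
```

In practice the 'swapon' hit with parent systemd and root at boot is the kind of false positive the rule's guidance asks you to exclude, while swap control or swappiness changes from a service account under 'sh' or 'cron' are the combinations worth the full triage path.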
Categories
- Endpoint
- Linux
Data Sources
- Process
- File
- Logon Session
- Application Log
ATT&CK Techniques
- T1496
- T1059
- T1059.004
Created: 2024-11-04