Summary
The rule "Potential Hidden Process via Mount Hidepid" targets execution of the mount command with the hidepid parameter on Linux systems, specifically kernel versions 3.2+ and RHEL/CentOS v6.5+. When /proc is mounted (or remounted) with the hidepid=2 option, each user's processes become invisible to other users, which lets an adversary conceal activity from common monitoring tools such as ps and top. The rule identifies this potentially malicious behavior by monitoring for command execution patterns that indicate mount being used with the hidepid=2 option.

The setup prerequisites include the Elastic Defend integration, which requires the Elastic Agent to log the relevant process events. The alert generated by this rule provides detailed investigation steps to confirm whether the execution was legitimate or malicious, and includes false positive analysis to reduce unnecessary alerts caused by standard operational behavior. The rule is tagged as medium severity and has a risk score of 47, indicating a notable threat that should be investigated promptly.
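The following is an added example, not code from the rule page or from Elastic; it mirrors the condition the rule describes (a mount execution whose options include hidepid=2) over constructed process-execution events, and assumes ECS-style field names process.name and process.args. It also handles the remount form and comma-joined option lists, and leaves hidepid=1 alone, since the rule is specific to hidepid=2.

```python
# Added example: evaluate process-execution events for mount with hidepid=2.
# Event shape (assumed): {"id": ..., "process.name": ..., "process.args": [...]}
from typing import Dict, Iterable, List


def parse_mount_options(args: List[str]) -> Dict[str, str]:
    """Collect key=value mount options passed via -o / -o<opts> / --options=.
    Options without a value (e.g. remount, nosuid) map to an empty string."""
    opts: Dict[str, str] = {}
    i = 0
    while i < len(args):
        arg = args[i]
        optstr = None
        if arg == "-o" and i + 1 < len(args):
            optstr = args[i + 1]
            i += 1
        elif arg.startswith("-o") and len(arg) > 2:
            optstr = arg[2:]
        elif arg.startswith("--options="):
            optstr = arg.split("=", 1)[1]
        if optstr is not None:
            for item in optstr.split(","):
                key, _, value = item.partition("=")
                opts[key.strip()] = value.strip()
        i += 1
    return opts


def is_hidepid_mount(event: dict) -> bool:
    """True when the event is a mount execution carrying hidepid=2."""
    if event.get("process.name") != "mount":
        return False
    return parse_mount_options(event.get("process.args", [])).get("hidepid") == "2"


def find_alerts(events: Iterable[dict]) -> List[str]:
    """Return the ids of events that would trigger the rule's condition."""
    return [e["id"] for e in events if is_hidepid_mount(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "evt-1", "process.name": "mount", "process.args": ["mount", "-t", "proc", "proc", "/proc"]},
    {"id": "evt-2", "process.name": "mount", "process.args": ["mount", "-o", "remount,hidepid=2", "/proc"]},
    {"id": "evt-3", "process.name": "mount", "process.args": ["mount", "-ohidepid=1", "proc", "/proc"]},
    {"id": "evt-4", "process.name": "mount", "process.args": ["mount", "-o", "rw,nosuid,hidepid=2,gid=1000", "proc", "/proc"]},
    {"id": "evt-5", "process.name": "grep", "process.args": ["grep", "hidepid=2", "/etc/fstab"]},
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # ['evt-2', 'evt-4']
```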
Categories
- Endpoint
- Linux
Data Sources
- Pod
- Container
- User Account
- Process
- Application Log
- Command
ATT&CK Techniques
- T1564
Created: 2023-04-11