
Linux Hardware Addition SwapOff

Splunk Security Content

Summary
This analytic rule detects execution of the `swapoff` command on Linux systems, which disables swapping on a paging device or swap file. The rule is critical because this action can be used maliciously, particularly by malware, to evade detection and impede forensic analysis. The detection leverages process execution logs collected from Endpoint Detection and Response (EDR) agents. By monitoring for invocations of `swapoff`, security teams can identify potentially malicious activity that could allow attackers to manipulate system memory management, leading to data corruption or system instability. The logs must be properly ingested and mapped for this detection to work accurately. False positives may occur when administrators disable swapping for legitimate reasons, so filtering is recommended.
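The monitoring and false-positive filtering described above, as an added example that is not part of the Splunk content: a Python function that applies the `swapoff` detection, with a parent-process allowlist, to constructed EDR process events in JSON-lines form. The field names, sample events and allowlist are assumptions, not the rule's own search.

```python
import json
import posixpath

# Constructed sample EDR process events in JSON-lines form (not real telemetry).
# Field names are assumptions modelled on a generic process data source.
SAMPLE_EVENTS = """
{"host":"web01","user":"root","process_path":"/usr/sbin/swapoff","cmdline":"swapoff -a","parent":"bash"}
{"host":"web01","user":"root","process_path":"/usr/bin/free","cmdline":"free -m","parent":"bash"}
{"host":"db02","user":"root","process_path":"/sbin/swapoff","cmdline":"/sbin/swapoff /dev/sda2","parent":"ansible"}
{"host":"db02","user":"ops","process_path":"/usr/local/bin/swapoff-report","cmdline":"swapoff-report","parent":"cron"}
not valid json
"""

# Parent processes under which an administrator legitimately runs swapoff
# (assumed allowlist used for false-positive filtering; tune per environment).
ALLOWLISTED_PARENTS = {"ansible"}


def is_swapoff(event):
    """True when the executed binary is exactly swapoff, by path or by argv[0]."""
    path_name = posixpath.basename(event.get("process_path", ""))
    argv0 = event.get("cmdline", "").split(" ", 1)[0]
    return path_name == "swapoff" or posixpath.basename(argv0) == "swapoff"


def detect_swapoff(raw_lines, allowlisted_parents=ALLOWLISTED_PARENTS):
    """Return (alerts, suppressed): swapoff executions that fire, and those
    filtered out because the parent process is allowlisted."""
    alerts, suppressed = [], []
    for line in raw_lines.strip().splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than abort the search
        if not is_swapoff(event):
            continue
        record = {k: event.get(k) for k in ("host", "user", "parent", "cmdline")}
        if event.get("parent") in allowlisted_parents:
            suppressed.append(record)
        else:
            alerts.append(record)
    return alerts, suppressed


if __name__ == "__main__":
    fired, filtered = detect_swapoff(SAMPLE_EVENTS)
    for a in fired:
        print(f"ALERT swapoff on {a['host']} by {a['user']} under {a['parent']}: {a['cmdline']}")
    print(f"{len(filtered)} event(s) suppressed by allowlist")
```

Matching on the exact binary name rather than a substring keeps look-alike tools such as the constructed `swapoff-report` from firing, while the allowlist records suppressed events so the filter itself stays auditable.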
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Logon Session
  • User Account
ATT&CK Techniques
  • T1200
Created: 2024-11-13