Systemd-udevd Rule File Creation

Elastic Detection Rules

Summary
This rule monitors the creation of udev rule files on Linux, specifically in the directories where these configuration files are stored, such as /lib/udev, /etc/udev/rules.d/, and similar locations. Adversaries may abuse the systemd-udevd component to establish persistence by crafting malicious udev rules that execute arbitrary commands when specific device events occur, so any unauthorized file created in these locations should be detected. The detection logic uses EQL to identify file creation events for specific file extensions, while excluding legitimate processes such as package managers and known system executables. The investigation guide offers steps to verify the legitimacy of these files and strategies to handle false positives arising from routine OS updates or container management activities.
Categories
  • Linux
  • Endpoint
Data Sources
  • File
  • Container
  • Script
ATT&CK Techniques
  • T1037
  • T1546
Created: 2023-10-26