
Summary
This rule detects the creation of systemd timer files, which attackers can use to establish persistence on Linux systems. Systemd timers play the role that cron jobs do: a .timer unit schedules the activation of a .service unit (by default the one with the same name) at boot, after a delay, or on a calendar schedule, so a malicious timer runs attacker-controlled commands without any cron entry. The rule monitors file creation and rename events in the systemd directories where timer units live; watching renames as well as creations also catches files that are written elsewhere and then moved into place. Detection is implemented as EQL queries over those events, filtering out expected or benign system processes so that alerts focus on timer files written by unexpected processes. The rule also includes investigation guidance: inspect the newly created timer file, list the enabled and active timers, and examine the service unit the timer activates and the process that service launches.
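The detection and investigation logic described above, as an added example in Python that is not part of the rule or the original page. It applies the rule's conditions (file creation or rename, a .timer extension, a standard systemd unit directory, a writing process that is not on a benign-process allowlist) to a constructed list of file events, and adds a small helper for the investigation step that works out which .service unit a timer activates. The directory list, the benign-process allowlist, the event fields and the sample events are assumptions made for this example, not the rule's actual EQL or exclusions.

```python
"""Added example, not code from the rule or the original page: a minimal
Python re-implementation of the detection logic, run over constructed
file events, plus a helper for the investigation step (which .service
unit does a new timer activate?). The directory list, benign-process
allowlist and event fields are assumptions made for this example."""
from dataclasses import dataclass
import os

# Assumed search paths for timer units (standard systemd locations).
SYSTEM_UNIT_DIRS = (
    "/etc/systemd/system/",
    "/run/systemd/system/",
    "/usr/lib/systemd/system/",
    "/usr/local/lib/systemd/system/",
)
USER_UNIT_DIR_FRAGMENT = "/.config/systemd/user/"  # per-user units under $HOME

# Assumed allowlist of expected writers of timer files; the real rule's
# exclusions are not reproduced here.
BENIGN_PROCESSES = {"dpkg", "rpm", "dnf", "yum", "apt", "systemd", "packagekitd"}

WATCHED_ACTIONS = {"creation", "rename"}


@dataclass(frozen=True)
class FileEvent:
    action: str        # e.g. "creation", "rename", "modification"
    path: str          # path of the file after the action
    process_name: str  # executable that performed the action


def in_timer_dir(path: str) -> bool:
    """True if the path sits in a directory systemd scans for units."""
    if any(path.startswith(d) for d in SYSTEM_UNIT_DIRS):
        return True
    return USER_UNIT_DIR_FRAGMENT in path


def is_suspicious(ev: FileEvent) -> bool:
    """The rule's conditions: a .timer unit created or renamed into a unit
    directory by a process that is not an expected system writer."""
    return (
        ev.action in WATCHED_ACTIONS
        and ev.path.endswith(".timer")
        and in_timer_dir(ev.path)
        and ev.process_name not in BENIGN_PROCESSES
    )


def detect(events):
    """Return the events that should raise an alert."""
    return [ev for ev in events if is_suspicious(ev)]


def linked_service(timer_path: str, timer_text: str) -> str:
    """Investigation helper: the unit a timer activates is the Unit= key in
    its [Timer] section, defaulting to the same name with a .service suffix."""
    section = None
    for raw in timer_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Timer" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "Unit":
                return value
    base = os.path.basename(timer_path)
    return base[: -len(".timer")] + ".service" if base.endswith(".timer") else base


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("creation", "/etc/systemd/system/backdoor.timer", "bash"),       # alert
    FileEvent("creation", "/usr/lib/systemd/system/apt-daily.timer", "dpkg"),  # benign writer
    FileEvent("rename", "/home/alice/.config/systemd/user/update.timer", "mv"),  # alert (moved into place)
    FileEvent("creation", "/etc/systemd/system/backdoor.service", "bash"),     # service, not a timer
    FileEvent("modification", "/etc/systemd/system/logrotate.timer", "vim"),   # not creation/rename
    FileEvent("creation", "/tmp/staging/evil.timer", "bash"),                  # outside unit dirs
]

# Constructed timer content for the investigation helper.
SAMPLE_TIMER = """[Unit]
Description=looks like a routine cleanup

[Timer]
OnBootSec=2min
OnUnitActiveSec=15min
Unit=cleanup.service

[Install]
WantedBy=timers.target
"""

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"ALERT {ev.action:12} {ev.path} by {ev.process_name}")
    print("activates:", linked_service("/etc/systemd/system/backdoor.timer", SAMPLE_TIMER))
```

The two alerts come from the timer created directly under /etc/systemd/system and the one renamed into a user unit directory; the .service file written by the same shell raises nothing on its own, which is why the investigation guidance asks the analyst to follow the timer to its service unit rather than rely on the file event alone.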
Categories
- Linux
- Endpoint
Data Sources
- File
- Process
ATT&CK Techniques
- T1053
- T1053.006
Created: 2023-02-24