
Summary
This detection rule monitors the addition of new user accounts on Linux systems, an activity that can indicate an attempt to compromise the host. The analytic focuses on the 'useradd' and 'adduser' commands, which are the usual means of creating accounts. Data from Endpoint Detection and Response (EDR) agents lets the rule capture key details such as the process name and the command line of each account-creation execution. Unauthorized creation of user accounts is often a sign of an adversary establishing persistence on a compromised system, enabling continued access and potential privilege escalation. If such activity is confirmed as malicious, it represents a significant security threat that requires immediate attention. Implementing this rule requires ingesting EDR logs that include process execution details, so that the searches can reliably identify these events.
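As an added example (not the analytic's own search logic), the following Python applies the same idea to a few constructed EDR process-execution events: it matches on the executable name (useradd or adduser) rather than on a command-line substring, and pulls out the account being created. The field names (dest, user, parent_process_name, process_name, process) are assumptions.

```python
import os
import shlex

# Binaries the analytic watches for; matched on the executable's basename.
ACCOUNT_CREATION_BINARIES = {"useradd", "adduser"}

# Constructed sample EDR process events (illustrative only, not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "web01", "user": "root", "parent_process_name": "bash",
     "process_name": "useradd", "process": "useradd -m -s /bin/bash svc-backup"},
    {"dest": "web01", "user": "root", "parent_process_name": "sh",
     "process_name": "/usr/sbin/adduser",
     "process": "/usr/sbin/adduser --system --no-create-home metrics"},
    # A command line that merely mentions useradd must not fire the rule.
    {"dest": "db02", "user": "alice", "parent_process_name": "bash",
     "process_name": "grep", "process": "grep useradd /var/log/auth.log"},
    {"dest": "db02", "user": "root", "parent_process_name": "cron",
     "process_name": "usermod", "process": "usermod -aG sudo alice"},
]


def new_account_name(cmdline):
    """Heuristic: the account name is the last positional argument.

    Option values such as '-s /bin/bash' also look positional, so only the
    trailing non-option token is returned; None if there is none.
    """
    try:
        args = shlex.split(cmdline)[1:]
    except ValueError:  # unbalanced quotes in the captured command line
        return None
    positional = [a for a in args if not a.startswith("-")]
    return positional[-1] if positional else None


def detect_account_creation(events):
    """Return one finding per event whose executable is useradd or adduser."""
    findings = []
    for ev in events:
        binary = os.path.basename(ev.get("process_name", ""))
        if binary not in ACCOUNT_CREATION_BINARIES:
            continue
        findings.append({
            "dest": ev["dest"], "user": ev["user"],
            "parent_process_name": ev["parent_process_name"],
            "binary": binary, "new_account": new_account_name(ev["process"]),
            "command_line": ev["process"],
        })
    return findings


if __name__ == "__main__":
    for f in detect_account_creation(SAMPLE_EVENTS):
        print(f"{f['dest']}: {f['user']} ran {f['binary']} (parent "
              f"{f['parent_process_name']}) creating '{f['new_account']}'")
```

Triage the findings by the acting user, the parent process and the new account name: an account created by root from an interactive shell on a host where no provisioning was scheduled warrants a closer look than one created by a known configuration-management parent.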
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Script
ATT&CK Techniques
- T1136.001
- T1136
- T1548.003
Created: 2024-11-13