Linux Adding Crontab Using List Parameter

Splunk Security Content

Summary
This detection rule monitors for suspicious modifications to cron jobs on Linux systems made through the crontab command with the list parameter. Changes to cron jobs are a significant security concern because they can indicate an attempt to establish persistent execution of malicious tasks or to run unwanted scripts on a schedule. The rule is built on telemetry from Endpoint Detection and Response (EDR) agents and analyzes process names and command-line arguments. Specifically, it checks for instances where the crontab command is executed with the list parameter (crontab -l). Listing the current table is harmless on its own, but it is the first step of a common way to add a job without opening an editor: dump the existing crontab, append a line, and pipe the result back into crontab -, which installs the new entry with little visibility. Because a plain listing is also routine administrative activity, an alert from this rule is a starting point for triage rather than a verdict. When it fires, the security team should investigate the content of the resulting cron job, the command it schedules, and any other processes that were active at the time of the modification, in particular a shell wrapper or a second crontab invocation that reinstalls the table. This helps determine whether the change was part of a legitimate maintenance operation or part of a compromise.
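The logic described above, as an added example that is not Splunk's own search: a toy version of the "crontab executed with the list parameter" check, run over constructed EDR-style process events, together with the correlation an analyst applies during triage to separate a plain crontab -l from the append-and-reinstall pattern. The log format, field names, shell-wrapper handling and the five-second correlation window are assumptions made for this example.

```python
"""Added example (not Splunk's detection search): flag crontab executions that
use the list parameter, then correlate them with a reinstall of the table to
rank the classic `(crontab -l; echo '...') | crontab -` persistence pattern
higher than an administrator simply listing their jobs."""
from datetime import datetime, timedelta
import os
import re
import shlex

# Constructed sample telemetry (assumed format, tab-separated):
# <time>\t<user>\t<process_name>\t<command line>
SAMPLE_EVENTS = """\
2024-11-13T10:00:01Z\tadmin\tcrontab\tcrontab -l
2024-11-13T10:02:17Z\twww-data\tsh\tsh -c (crontab -l; echo "* * * * * /tmp/.x/update.sh") | crontab -
2024-11-13T10:02:17Z\twww-data\tcrontab\tcrontab -l
2024-11-13T10:02:18Z\twww-data\tcrontab\tcrontab -
2024-11-13T10:05:40Z\tadmin\tcrontab\tcrontab -e
2024-11-13T10:06:02Z\tadmin\tls\tls -l /etc/cron.d
2024-11-13T10:07:55Z\troot\tcrontab\tcrontab -l -u backup
"""

# "crontab" followed by a short-option cluster containing "l" (-l, -li, ...).
# Heuristic: it can over-match on a -u argument such as "-ul"; tune to taste.
LIST_RE = re.compile(r"\bcrontab\b[^|;&)]*\s-[A-Za-z]*l(?=[\s;)&|]|$)")
# "| crontab -": install a new table from stdin, optionally for another user.
INSTALL_STDIN_RE = re.compile(r"\|\s*crontab\s+(?:-u\s+\S+\s+)?-\s*$")


def parse_event(line):
    ts, user, name, cmdline = line.split("\t", 3)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "process_name": name, "cmdline": cmdline}


def classify_crontab(cmdline):
    """Classify one crontab command line: 'list', 'edit', 'remove', 'install' or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        argv = cmdline.split()
    if not argv or os.path.basename(argv[0]) != "crontab":
        return None
    opts, args, it = [], [], iter(argv[1:])
    for a in it:
        if a == "-u":
            next(it, None)            # -u takes a user name; skip it
        elif a.startswith("-") and a != "-":
            opts.append(a)
        else:
            args.append(a)            # a file name or "-" (stdin)
    if any(re.fullmatch(r"-[A-Za-z]*l", o) for o in opts):
        return "list"
    if "-e" in opts:
        return "edit"
    if "-r" in opts:
        return "remove"
    return "install" if args else None


def classify_shell(cmdline):
    """For a shell wrapper (sh -c '...'), inspect the string for list-then-reinstall."""
    lists = bool(LIST_RE.search(cmdline))
    installs = bool(INSTALL_STDIN_RE.search(cmdline))
    if lists and installs:
        return "list_and_install"
    return "list" if lists else None


def detect(events, window=timedelta(seconds=5)):
    """Return (time, user, severity, reason) alerts for the parsed events."""
    alerts, last_list = [], {}    # last_list: user -> time of most recent crontab -l
    for ev in sorted(events, key=lambda e: e["time"]):
        name, cmd, user = ev["process_name"], ev["cmdline"], ev["user"]
        if name in ("sh", "bash", "dash", "zsh"):
            if classify_shell(cmd) == "list_and_install":
                alerts.append((ev["time"], user, "high",
                               "crontab listed and reinstalled in one shell command"))
            continue
        verdict = classify_crontab(cmd)
        if verdict == "list":
            last_list[user] = ev["time"]
            alerts.append((ev["time"], user, "low", "crontab executed with list parameter"))
        elif verdict == "install":
            t = last_list.get(user)
            if t is not None and ev["time"] - t <= window:
                alerts.append((ev["time"], user, "high",
                               "crontab installed shortly after being listed"))
    return alerts


def run_sample():
    events = [parse_event(l) for l in SAMPLE_EVENTS.splitlines() if l.strip()]
    return detect(events)


if __name__ == "__main__":
    for t, user, sev, why in run_sample():
        print(f"{t.isoformat()} {user:<9} {sev:<5} {why}")
```

Run as a script it prints five alerts: the two administrative listings and the root listing at low severity, and the www-data activity twice at high severity, once from the shell wrapper's command line and once from the crontab - reinstall that followed the listing within the window. The two high-severity paths matter because EDR agents differ in whether they record the sh -c string, the child crontab processes, or both.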
Categories
  • Linux
  • Endpoint
Data Sources
  • Process (EDR process telemetry: process name and command-line arguments)
ATT&CK Techniques
  • T1053.003 (Scheduled Task/Job: Cron)
  • T1053 (Scheduled Task/Job)
Created: 2024-11-13