Suspicious /proc/maps Discovery

Elastic Detection Rules

Summary
This detection rule, written by Elastic, monitors reads of the /proc/*/maps files on Linux systems, which expose a process's memory mappings. An attacker who reads these mappings can find useful addresses for activities such as code injection and process hijacking. The rule alerts when commands such as 'cat' or 'grep' are executed against /proc/*/maps files from common shell environments such as bash or zsh. It uses EQL for detection and operates on data from the Elastic Defend solution, integrated with the Elastic Agent. The rule's low risk score (21) indicates that, while the activity is suspicious, it does not always signal a serious threat and can be caused by legitimate processes. Investigative steps include analyzing the processes that triggered the alert, checking the user's activity for anomalies, and correlating with other security logs. Setup details and potential false positives are documented to support accurate detection without overwhelming security teams with noise.
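The detection logic the summary describes, reproduced as an added Python example so the conditions can be run over sample process events. This is not Elastic's EQL rule or any Elastic Defend code; the event field names (`name`, `args`, `parent_name`, `user`), the tool and shell lists, and the sample events are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Matches the /proc/*/maps paths the summary refers to: a PID or "self"
# as the middle component, and exactly the "maps" file (not "smaps" etc.).
PROC_MAPS = re.compile(r"^/proc/[^/]+/maps$")

# Reader tools and parent shells named in the summary (assumed lists; a real
# rule would carry Elastic's own, possibly longer, sets).
READER_TOOLS = {"cat", "grep"}
SHELLS = {"bash", "zsh"}


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process-start event (field names are assumptions)."""
    name: str                      # executable name, e.g. "cat"
    args: List[str]                # full argv including the program name
    parent_name: str               # executable name of the parent process
    user: str = "root"


@dataclass
class Alert:
    event: ProcessEvent
    reason: str
    risk_score: int = 21           # the rule's low risk score from the summary


def matching_maps_paths(args: List[str]) -> List[str]:
    """Return the argv entries that point at a /proc/*/maps file."""
    return [a for a in args if PROC_MAPS.match(a)]


def is_suspicious_maps_read(ev: ProcessEvent) -> bool:
    """All three conditions from the summary must hold:
    reader tool, launched from a shell, targeting /proc/*/maps."""
    if ev.name not in READER_TOOLS:
        return False
    if ev.parent_name not in SHELLS:
        return False
    return bool(matching_maps_paths(ev.args))


def scan(events: List[ProcessEvent]) -> List[Alert]:
    """Run the detection over a batch of events and return one Alert per hit."""
    alerts = []
    for ev in events:
        if is_suspicious_maps_read(ev):
            paths = ", ".join(matching_maps_paths(ev.args))
            alerts.append(Alert(ev, f"{ev.name} read {paths} from {ev.parent_name}"))
    return alerts


# Constructed sample events: two hits and four benign near-misses.
SAMPLE_EVENTS = [
    ProcessEvent("cat", ["cat", "/proc/4242/maps"], "bash", "dev"),
    ProcessEvent("grep", ["grep", "libc", "/proc/self/maps"], "zsh", "dev"),
    ProcessEvent("cat", ["cat", "/etc/hostname"], "bash", "dev"),          # wrong file
    ProcessEvent("python3", ["python3", "inspect.py"], "bash", "dev"),     # not cat/grep
    ProcessEvent("cat", ["cat", "/proc/77/maps"], "cron", "root"),         # no shell parent
    ProcessEvent("cat", ["cat", "/proc/77/smaps"], "bash", "dev"),         # not "maps"
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[risk {alert.risk_score}] user={alert.event.user} {alert.reason}")
```

The parent-shell condition is what keeps the rule from firing on every process that reads its own or another process's mappings; as the summary notes, legitimate tooling can read these files, and triage should start with the parent process and the user who launched it.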
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Application Log
  • File
ATT&CK Techniques
  • T1057
Created: 2024-01-29