
Summary
This rule detects timestamp manipulation, commonly called timestomping, in which an adversary rewrites a file's time attributes (access and modification times) to hide their presence or their changes within a filesystem, typically by copying the timestamps of legitimate files in the same directory so the dropped file does not stand out in a listing. It uses Splunk to analyze process command-line telemetry for the `touch` command invoked with the flags `touch` uses to set or copy timestamps, such as `-t` and `-d`/`--date` for an explicit time and `-r`/`--reference` to copy another file's times. It counts these invocations over the search's time interval and flags cases where the count is below 10. The low-count threshold is meant to separate hands-on-keyboard activity, which touches a handful of files, from build, packaging and backup jobs that legitimately run `touch` in bulk; tune it to the environment, since a single `touch -r` in a web root may be the only signal. Two caveats apply. First, `touch` cannot set a file's change time (ctime), which the kernel updates on every inode change, so a file whose mtime is older than its ctime is a useful corroborating indicator from file telemetry, although `cp -p` and archive extraction produce the same pattern. Second, timestomping performed through `utimensat()` or a scripting runtime (for example Python's `os.utime`) rather than the `touch` binary produces no matching command line and is not covered by this rule. This detection maps to Indicator Removal: Timestomp (T1070.006) under the Defense Evasion tactic.
Categories
- Endpoint
- Linux
Data Sources
- Process
- File
- Command
ATT&CK Techniques
- T1070.006
Created: 2024-02-09