
Summary
This rule, authored by Elastic, is designed to detect Polkit version discovery on Linux systems, which can signal reconnaissance by an attacker. Such activity may indicate that an adversary is checking whether the installed Polkit version carries known misconfigurations or vulnerabilities. The detection relies on monitoring specific command executions related to Polkit version inquiries. The rule uses EQL (Event Query Language) to identify process events where the host operating system is Linux and the event type is 'start'. It looks for commands typically associated with version discovery, such as 'dnf info polkit', 'rpm polkit', 'apt show policykit-1', and 'pkaction --version'. The rule includes setup instructions for integrating Elastic Defend, and a detailed triage and analysis section providing guidance for investigators on how to assess and respond to detected activity. False positive scenarios are also addressed, emphasizing the importance of context when interpreting version checks. The reference to the MITRE ATT&CK framework highlights the rule's alignment with recognized tactics in threat detection, specifically system information discovery.
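The detection logic described in the summary, emulated here as an added example (this is not Elastic's rule or its EQL query): a Linux process 'start' event matches when its command line is one of the listed version inquiries. The field names host_os, event_type and command_line, and the sample events, are assumptions constructed for the example.

```python
"""Emulation of the Polkit version-discovery detection described above.

Added example, not Elastic's rule. Mirrors the summary: Linux host,
process 'start' event, command line matching one of the listed queries.
Field names and sample events are constructed for this example.
"""
import shlex

# Patterns from the rule summary: (process name, argument tokens that must be present).
# The summary lists 'rpm polkit', so any rpm invocation naming polkit counts.
POLKIT_VERSION_QUERIES = (
    ("dnf", ("info", "polkit")),
    ("rpm", ("polkit",)),
    ("apt", ("show", "policykit-1")),
    ("pkaction", ("--version",)),
)


def is_polkit_version_discovery(event: dict) -> bool:
    """Return True when a process start event matches the described logic."""
    if event.get("host_os") != "linux" or event.get("event_type") != "start":
        return False
    try:
        argv = shlex.split(event.get("command_line", ""))
    except ValueError:  # unbalanced quotes: treat as no match rather than crash
        return False
    if not argv:
        return False
    name = argv[0].rsplit("/", 1)[-1]  # tolerate absolute paths such as /usr/bin/rpm
    args = argv[1:]
    return any(name == proc and all(tok in args for tok in required)
               for proc, required in POLKIT_VERSION_QUERIES)


def triage(events):
    """Return matching command lines: the starting point for the triage the rule describes."""
    return [e["command_line"] for e in events if is_polkit_version_discovery(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host_os": "linux", "event_type": "start", "command_line": "dnf info polkit"},
    {"host_os": "linux", "event_type": "start", "command_line": "/usr/bin/rpm -q polkit"},
    {"host_os": "linux", "event_type": "start", "command_line": "apt show policykit-1"},
    {"host_os": "linux", "event_type": "start", "command_line": "pkaction --version"},
    {"host_os": "linux", "event_type": "start", "command_line": "apt show curl"},  # benign package query
    {"host_os": "linux", "event_type": "end", "command_line": "pkaction --version"},  # not a start event
    {"host_os": "windows", "event_type": "start", "command_line": "pkaction --version"},  # wrong OS
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("match:", line)
```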
Categories
- Linux
- Endpoint
Data Sources
- Process
- Script
- Application Log
- Network Traffic
- File
ATT&CK Techniques
- T1082
Created: 2025-01-16