Linux High Frequency Of File Deletion In Boot Folder

Splunk Security Content

Summary
This analytic rule identifies a potentially malicious burst of file deletions within the /boot/ directory on Linux systems. Using Sysmon for Linux EventID 11, it flags cases where 200 or more files are deleted by the same process within a one-hour window. Such behavior is characteristic of wiper malware such as Industroyer2, which destroys critical system directories and can render the host unbootable. The detection is a Splunk search over filesystem actions recorded in the Endpoint data model, filtered to deletion events and aggregated by process. To implement this rule effectively, ensure that logs carrying process names, command lines, and the relevant file events are being ingested. Legitimate package installation or removal (for example kernel package upgrades that clean up /boot) can trigger the threshold, so these activities should be tuned out or reviewed as potential false positives.
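The threshold logic described above, implemented as an added standalone example rather than the Splunk search from the Security Content project. It assumes normalized file events with the fields `_time`, `action`, `file_path`, `process_name`, `process_id` and `dest` (field names are assumptions for this example, chosen to resemble the Endpoint.Filesystem data model), and evaluates a sliding one-hour window per process, which is slightly stricter than a fixed hourly bucket because a burst straddling a bucket boundary is still caught. The sample events are constructed inline.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_events():
    """Constructed sample events (not real telemetry) covering three cases:
    a burst that should alert, a package manager below the threshold, and a
    slow drip that never reaches 200 deletions inside any one-hour window."""
    base = datetime(2024, 11, 13, 9, 0, 0)
    events = []

    # Case 1: 250 deletions in /boot by one process over ~25 minutes -> alert.
    for i in range(250):
        events.append({
            "_time": base + timedelta(seconds=6 * i),
            "action": "deleted",
            "file_path": f"/boot/file-{i}",
            "process_name": "wiper.bin",   # hypothetical process name
            "process_id": 4242,
            "dest": "host-a",
        })

    # Case 2: 60 deletions by a package manager -> below threshold, no alert.
    for i in range(60):
        events.append({
            "_time": base + timedelta(seconds=10 * i),
            "action": "deleted",
            "file_path": f"/boot/old-kernel-file-{i}",
            "process_name": "dpkg",
            "process_id": 1337,
            "dest": "host-a",
        })

    # Case 3: 250 deletions spread over ~3 hours (one every 45 s) -> at most
    # 80 fall inside any one-hour window, so no alert.
    for i in range(250):
        events.append({
            "_time": base + timedelta(seconds=45 * i),
            "action": "deleted",
            "file_path": f"/boot/slow-{i}",
            "process_name": "slow.bin",    # hypothetical process name
            "process_id": 9001,
            "dest": "host-b",
        })

    # Deletions outside /boot are ignored by the rule regardless of volume.
    for i in range(300):
        events.append({
            "_time": base + timedelta(seconds=i),
            "action": "deleted",
            "file_path": f"/tmp/scratch-{i}",
            "process_name": "build.sh",
            "process_id": 777,
            "dest": "host-a",
        })
    return events


def detect_boot_deletion_bursts(events, threshold=200, window=timedelta(hours=1)):
    """Return one alert per (host, process name, pid) whose peak number of
    /boot/ deletions inside any window of length `window` reaches `threshold`."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev.get("action") != "deleted":
            continue
        if not ev.get("file_path", "").startswith("/boot/"):
            continue
        key = (ev["dest"], ev["process_name"], ev["process_id"])
        per_proc[key].append(ev["_time"])

    alerts = []
    for (dest, pname, pid), times in per_proc.items():
        times.sort()
        left, peak, peak_start = 0, 0, times[0]
        # Two-pointer sweep: `left` is the oldest event still inside the window.
        for right, t in enumerate(times):
            while t - times[left] >= window:
                left += 1
            count = right - left + 1
            if count > peak:
                peak, peak_start = count, times[left]
        if peak >= threshold:
            alerts.append({
                "dest": dest,
                "process_name": pname,
                "process_id": pid,
                "count": peak,
                "window_start": peak_start,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_boot_deletion_bursts(make_events()):
        print(alert)
```

For false-positive handling, the natural next step is to compare the alerting process against the host's package manager (or the parent process chain) before escalating, rather than raising the threshold, since a wiper that deletes in smaller batches would otherwise slip under it.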
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • File
ATT&CK Techniques
  • T1485
  • T1070.004
  • T1070
Created: 2024-11-13