Suspicious File Creation via Kworker

Elastic Detection Rules

Summary
The rule 'Suspicious File Creation via Kworker' monitors file creation events that originate from kworker kernel processes on Linux systems. Kworker processes execute kernel-level work, so file creation attributed to them is atypical and could indicate malicious behavior: attackers may name malicious processes after kworker to evade detection.

To implement this rule, the relevant data must be collected by Elastic Defend and shipped through Elastic Agent. The detection is written in Elastic's Event Query Language (EQL) and looks for the attributes in the event logs that signal file creation by kworker processes. It excludes common kworker-related activity and known benign paths, which reduces false positives without weakening the core check.

When the rule triggers, it suggests a series of investigative steps: querying additional information about the processes involved, analyzing the created file, inspecting running processes for anomalies, and checking user activity. It prompts security teams to validate any benign operations and to identify possible malicious intent through the established investigation routes and dynamic Osquery queries.
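The matching logic the summary describes, written out as an added Python example over constructed ECS-shaped events. This is not the Elastic rule's own EQL; the kworker name pattern and the benign-path exclusion list are assumptions standing in for the rule's real ones.

```python
import re

# Kernel worker threads are named "kworker/<cpu>:<id>" or "kworker/u<n>:<id>", sometimes
# shown in brackets; this pattern is an assumption, not the rule's own matching logic.
KWORKER_NAME = re.compile(r"^\[?kworker(/u?\d+:\d+H?)?\]?$")

# Placeholder exclusions standing in for the rule's real benign-path list (not on this page).
EXCLUDED_PREFIXES = ("/proc/", "/sys/", "/dev/")


def _as_list(value):
    """ECS fields such as event.category may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_kworker_name(name: str) -> bool:
    """True when the process name looks like a kworker thread (or a lookalike of one)."""
    return bool(KWORKER_NAME.match(name or ""))


def matches_rule(event: dict, excluded=EXCLUDED_PREFIXES) -> bool:
    """True for a file-creation event whose acting process claims a kworker name
    and whose target path is outside the excluded prefixes."""
    ev = event.get("event", {})
    if "file" not in _as_list(ev.get("category", [])):
        return False
    if "creation" not in _as_list(ev.get("type", [])):
        return False
    if not is_kworker_name(event.get("process", {}).get("name", "")):
        return False
    path = event.get("file", {}).get("path", "")
    return not path.startswith(excluded)


def flagged_paths(events) -> list:
    """Run the check over a stream of events and return the file paths that fired."""
    return [e["file"]["path"] for e in events if matches_rule(e)]


# Constructed sample events in ECS-like shape; they are not real telemetry.
SAMPLE_EVENTS = [
    {"event": {"category": ["file"], "type": ["creation"]},
     "process": {"name": "kworker/0:1"}, "file": {"path": "/tmp/.cache/ld.so"}},
    {"event": {"category": ["file"], "type": ["creation"]},
     "process": {"name": "[kworker/u8:2]"}, "file": {"path": "/dev/shm/x"}},  # excluded prefix
    {"event": {"category": ["file"], "type": ["deletion"]},
     "process": {"name": "kworker/0:1"}, "file": {"path": "/tmp/a"}},  # not a creation
    {"event": {"category": ["file"], "type": ["creation"]},
     "process": {"name": "kworkerd"}, "file": {"path": "/tmp/b"}},  # name does not match
]

if __name__ == "__main__":
    print(flagged_paths(SAMPLE_EVENTS))  # prints ['/tmp/.cache/ld.so']
```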
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Network Traffic
  • Process
  • Application Log
ATT&CK Techniques
  • T1547
  • T1014
Created: 2023-10-26