
Summary
This detection rule identifies attempts to create new user accounts on Linux systems, a tactic attackers employ to maintain persistence within a compromised environment. The rule targets the operations performed by the `useradd` and `adduser` commands, which are the standard methods for creating user accounts on Linux. By monitoring logs and alerts for these specific commands, security teams can detect potentially unauthorized account creations. The rule uses EQL (Event Query Language) to filter for events where the account creation process is initiated, ensuring that it captures both local and domain user additions. Basic investigation steps are provided for analysts to verify whether the actions are legitimate or indicative of a compromise, along with strategies for response and remediation if unauthorized alterations are confirmed. The effectiveness of this rule relies on integration with Filebeat for data collection and log management, so the Filebeat System Module must be set up correctly to receive the relevant security logs.
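The following is an added illustration of the detection idea described above, written in Python; it is not the rule's EQL query and not Elastic or Filebeat code. It assumes syslog-style lines of the kind the Filebeat System Module collects from a host's auth log, where the `useradd` and `adduser` programs log a `new user:` message and group additions. The sample lines are constructed for this example. Because the rule keys on the account-creation process itself rather than the invoking shell, the `sudo` line is ignored here, while the `useradd` process it launches is what produces the alert.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample auth log lines (not from the original page). The "new user:"
# and "add ... to group ..." messages mirror what useradd writes via syslog.
SAMPLE_AUTH_LOG = """\
Feb 13 10:01:02 host1 useradd[2231]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash
Feb 13 10:01:03 host1 useradd[2231]: add 'svc_backup' to group 'sudo'
Feb 13 10:05:44 host1 sshd[2300]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Feb 13 10:09:00 host1 sudo[2500]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 -g 0 tmpadm
Feb 13 10:09:00 host1 useradd[2502]: new user: name=tmpadm, UID=0, GID=0, home=/root, shell=/bin/bash
Feb 13 10:12:31 host1 adduser[2411]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash
"""

# Generic syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
NEW_USER_RE = re.compile(
    r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+)"
)
GROUP_ADD_RE = re.compile(r"add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")

# The two commands the rule targets; matching is on the logging program, which
# is the account-creation process itself, not the shell or sudo that invoked it.
ACCOUNT_CREATION_PROGRAMS = {"useradd", "adduser"}
# Groups whose membership grants administrative rights (assumed list for triage).
PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "admin"}


@dataclass
class Alert:
    host: str
    program: str
    pid: int
    new_user: Optional[str] = None
    uid: Optional[int] = None
    groups: List[str] = field(default_factory=list)
    events: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A duplicate UID 0 account or membership in an admin group is the
        # persistence pattern an analyst should look at first.
        if self.uid == 0 or PRIVILEGED_GROUPS & set(self.groups):
            return "high"
        return "medium"


def detect_account_creation(log_text: str) -> List[Alert]:
    """Return one Alert per useradd/adduser process seen in the log text.

    Messages from the same (host, program, pid) are folded into one alert so
    that the created account and any group additions appear together.
    """
    alerts: Dict[Tuple[str, str, int], Alert] = {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] not in ACCOUNT_CREATION_PROGRAMS:
            continue  # not an account-creation process; e.g. sshd or sudo lines
        key = (m["host"], m["prog"], int(m["pid"]))
        alert = alerts.setdefault(key, Alert(*key))
        alert.events.append(line)
        nu = NEW_USER_RE.search(m["msg"])
        if nu:
            alert.new_user = nu["name"]
            alert.uid = int(nu["uid"])
        ga = GROUP_ADD_RE.search(m["msg"])
        if ga:
            alert.groups.append(ga["group"])
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_account_creation(SAMPLE_AUTH_LOG):
        print(f"[{a.severity}] {a.host} {a.program}[{a.pid}] created "
              f"user={a.new_user} uid={a.uid} groups={a.groups}")
```

Running the block prints three alerts: the `svc_backup` account is high severity because of the `sudo` group addition, `tmpadm` is high because it was created with UID 0, and `deploy` (created via `adduser`) is medium. In a real deployment the analyst would then follow the investigation steps the rule provides to confirm whether each creation was authorized.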
Categories
- Endpoint
- Linux
Data Sources
- User Account
- Application Log
- Command
ATT&CK Techniques
- T1136
- T1136.001
Created: 2023-02-13