RPM Package Installed by Unusual Parent Process

Elastic Detection Rules

Summary
This detection rule by Elastic targets the installation of RPM packages initiated by unusual parent processes on Linux systems, specifically on distributions such as Red Hat, CentOS, and Fedora. RPM (Red Hat Package Manager) is a core package management system, and attackers may leverage it to install backdoored or malicious packages for initial access or persistence. The rule uses the 'new_terms' rule type to alert on process events where the executable is 'rpm', the command-line arguments include an installation flag ('-i' or '--install'), and the parent process has not previously been observed launching such installs. With a risk score of 21 it falls into the low severity category; it covers the endpoint domain using data sourced from Elastic Defend. Investigating a triggered alert involves reviewing the parent process of the RPM installation, correlating its timestamp with other activity on the host, checking the user account that executed the command, and analyzing network activity around the event. The rule also provides guidance on creating exceptions for known administrative actions and on responding to a confirmed threat. Recommended responses include isolating affected systems, examining the installed packages, and enforcing stricter access controls.
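The following is an added example, not Elastic's rule query or any code from the rule repository. It models the detection logic described above offline: it scans process-start events for an `rpm` executable invoked with an exact `-i` or `--install` argument, and flags installs whose parent executable is not in a baseline of previously seen parents (a stand-in for the 'new_terms' history window; the baseline also serves as the exception list for known administrative tooling). The ECS-style field names, the baseline contents, and the sample events are all constructed assumptions for illustration.

```python
"""Toy model of 'RPM Package Installed by Unusual Parent Process'.

Added example, not Elastic's rule code. Field names follow ECS-style dotted
keys as an assumption; events and baseline below are constructed, not real
telemetry.
"""
import os
import shlex

# Install flags named in the rule summary. Matching is on exact argument
# tokens, so combined short options such as "-ivh" are not matched by this
# example (a limitation of this toy, not a statement about Elastic's rule).
INSTALL_FLAGS = {"-i", "--install"}

# Constructed baseline: parent executables from which rpm installs have been
# observed before (plays the role of the new_terms history window and of
# exceptions for known administrative tooling).
BASELINE_PARENTS = {"/usr/bin/bash", "/usr/libexec/platform-python"}

# Constructed sample process-start events (not real telemetry).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-07-10T10:00:00Z", "user.name": "root",
     "process.executable": "/usr/bin/rpm",
     "process.parent.executable": "/usr/bin/bash",
     "process.command_line": "rpm -i httpd-2.4.57.rpm"},
    {"@timestamp": "2024-07-10T10:05:12Z", "user.name": "apache",
     "process.executable": "/usr/bin/rpm",
     "process.parent.executable": "/usr/sbin/httpd",
     "process.command_line": "rpm --install /tmp/update.rpm"},
    {"@timestamp": "2024-07-10T10:05:30Z", "user.name": "apache",
     "process.executable": "/usr/bin/rpm",
     "process.parent.executable": "/usr/sbin/httpd",
     "process.command_line": "rpm -qa"},          # query only, not an install
    {"@timestamp": "2024-07-10T10:06:00Z", "user.name": "apache",
     "process.executable": "/usr/bin/rpm",
     "process.parent.executable": "/usr/sbin/httpd",
     "process.command_line": "rpm -i /tmp/other.rpm"},  # same parent, already seen
    {"@timestamp": "2024-07-10T10:07:00Z", "user.name": "root",
     "process.executable": "/usr/bin/dnf",
     "process.parent.executable": "/usr/bin/bash",
     "process.command_line": "dnf install nginx"},  # not rpm
]


def is_rpm_install(event):
    """True when the event is rpm run with an install flag."""
    exe = event.get("process.executable", "")
    if os.path.basename(exe) != "rpm":
        return False
    args = shlex.split(event.get("process.command_line", ""))
    return any(arg in INSTALL_FLAGS for arg in args[1:])


def detect_unusual_parents(events, baseline):
    """Return rpm-install events whose parent executable is not yet known.

    Mirrors the new_terms idea: the first install seen from a given parent
    alerts, after which that parent is treated as known for the rest of the
    scan.
    """
    seen = set(baseline)
    alerts = []
    for event in events:
        if not is_rpm_install(event):
            continue
        parent = event.get("process.parent.executable", "")
        if parent not in seen:
            alerts.append(event)
            seen.add(parent)
    return alerts


def triage_summary(event):
    """One-line summary carrying the fields the investigation guide asks for."""
    return (f"{event['@timestamp']} user={event['user.name']} "
            f"parent={event['process.parent.executable']} "
            f"cmd={event['process.command_line']!r}")


if __name__ == "__main__":
    for alert in detect_unusual_parents(SAMPLE_EVENTS, BASELINE_PARENTS):
        print("ALERT", triage_summary(alert))
```

Running the script prints a single alert for the install launched from the web server process, while the bash-launched install is suppressed by the baseline, the `rpm -qa` query is ignored, and the second install from the same parent is not re-alerted. Tuning in practice amounts to extending the baseline with the parents your configuration-management and patching tooling actually use.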
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Application Log
  • File
ATT&CK Techniques
  • T1543
  • T1546
  • T1546.016
  • T1574
  • T1195
  • T1195.002
Created: 2024-07-10