
Summary
This detection rule identifies attempts to discover files, directories, and network shares on a Linux system using common command-line utilities. It targets `find`, `ls`, `tree`, `findmnt`, and `mlocate`, all of which are also used routinely in legitimate file discovery. By monitoring the command-line arguments of process-creation events, the rule flags activity consistent with reconnaissance by an attacker. It triggers when any of the listed utilities is executed with the relevant patterns in its command line, giving analysts a starting point for separating routine system management from potentially harmful exploratory behaviour. The goal is visibility into systems where this kind of file and directory discovery is run, since it can indicate an attacker mapping the file structure of a compromised host.
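As an added example (not the rule's own logic or code), the matching step described above applied to constructed process-creation events in Python; the `locate` binary name, the event field names and the per-actor burst aggregation are assumptions added here for tuning, not part of the rule.

```python
import os
from collections import defaultdict

# Utilities the rule names (the page's own list).  `locate` is an assumption:
# the mlocate package installs its search binary under that name.
DISCOVERY_UTILITIES = {"find", "ls", "tree", "findmnt", "mlocate", "locate"}

def matches_rule(event):
    """Return the utility name if this process-creation event matches, else None."""
    # Match on the executable basename so /usr/bin/find and /bin/find both count.
    name = os.path.basename(event.get("image", ""))
    if name in DISCOVERY_UTILITIES:
        return name
    # Fallback for telemetry that only carries the command line.
    cmdline = event.get("cmdline", "")
    first = os.path.basename(cmdline.split(maxsplit=1)[0]) if cmdline else ""
    return first if first in DISCOVERY_UTILITIES else None

def alerts_by_actor(events, window, threshold):
    """Group matches per (host, user) and return actors with at least `threshold`
    hits inside any `window`-second span.  Assumed tuning step: a burst of
    discovery commands by one actor is a stronger signal than a single `ls`."""
    hits = defaultdict(list)
    for ev in events:
        util = matches_rule(ev)
        if util:
            hits[(ev["host"], ev["user"])].append((ev["ts"], util))
    alerts = {}
    for actor, seq in hits.items():
        seq.sort()
        for i in range(len(seq)):
            j = i
            while j < len(seq) and seq[j][0] - seq[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[actor] = [u for _, u in seq[i:j]]
                break
    return alerts

# Constructed sample telemetry (not real logs); ts is seconds since epoch.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "web01", "user": "www-data", "image": "/usr/bin/find", "cmdline": "find / -name *.conf"},
    {"ts": 105, "host": "web01", "user": "www-data", "image": "/bin/ls", "cmdline": "ls -la /home"},
    {"ts": 110, "host": "web01", "user": "www-data", "image": "/usr/bin/findmnt", "cmdline": "findmnt -t nfs"},
    {"ts": 400, "host": "web01", "user": "alice", "image": "/bin/ls", "cmdline": "ls"},
    {"ts": 401, "host": "web01", "user": "alice", "image": "/usr/bin/vim", "cmdline": "vim notes.txt"},
    {"ts": 900, "host": "db02", "user": "root", "image": "", "cmdline": "/usr/bin/tree -L 2 /var"},
]

if __name__ == "__main__":
    print(alerts_by_actor(SAMPLE_EVENTS, window=60, threshold=3))
```

A web-service account running three discovery commands within ten seconds is surfaced, while a single `ls` from an interactive user is matched but not escalated.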
Categories
- Linux
- Cloud
Data Sources
- Process
ATT&CK Techniques
- T1083
Created: 2020-10-19