
Linux Obfuscated Files or Information Base64 Decode

Splunk Security Content

Summary
This analytic detects use of the base64 decode command on Linux hosts. It inspects process command lines reported by Endpoint Detection and Response (EDR) agents for 'base64 -d' or 'base64 --decode', the usual way an attacker unpacks an encoded script or payload on the host before running it (ATT&CK T1027, Obfuscated Files or Information). On its own the match is a weak signal: administrators, installers and CI jobs decode base64 legitimately, so the rule must be tuned to the environment, for example by allowlisting known parent processes or users, and each hit should be judged in the context of the executing process. A confirmed malicious decode is rarely the whole story; it typically precedes unauthorized access, data exfiltration, or further compromise of the system.
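As an added illustration, not part of the Splunk detection or its SPL, the Python below applies the same logic to a handful of constructed EDR process-creation events. It tokenizes each command line the way a POSIX shell would, follows quoted inline scripts such as the argument of `sh -c`, and flags a base64 invocation only when `--decode` or a short-option cluster containing `d` (`-d`, and as a generalization of the page's two forms also `-di`) appears among that invocation's own arguments. This avoids the false positives a plain substring match on 'base64' and '-d' would raise, such as `ls -d /tmp/base64` or `grep -d skip`. The parent-process allowlist, the hosts, users and paths are all hypothetical placeholders.

```python
"""Toy re-implementation of the 'base64 -d / --decode' detection over constructed
EDR process events. Example code only; it is not Splunk's rule or SPL."""
import os
import re
import shlex

# Hypothetical tuning knob: parent processes whose base64 -d use is known-good.
# This value is a placeholder assumption; populate it from your own environment.
ALLOWLISTED_PARENTS = {"/opt/ci/agent"}


def tokenize(cmdline):
    """Split like a POSIX shell, keeping |, ;, &&, <, > as their own tokens."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        return list(lex)
    except ValueError:  # unbalanced quotes: fall back to a crude whitespace split
        return re.split(r"\s+", cmdline.strip())


def is_separator(tok):
    """Shell control operator; ends the argument list of the current command."""
    return bool(tok) and all(c in "();<>|&" for c in tok)


def is_decode_flag(tok):
    """--decode, or a short-option cluster containing d (-d, -di, -id)."""
    if tok == "--decode":
        return True
    return tok.startswith("-") and not tok.startswith("--") and "d" in tok[1:]


def is_base64_decode(cmdline):
    """True if this command line, or a quoted inline script inside it
    (e.g. the argument of sh -c), runs base64 with -d/--decode."""
    tokens = tokenize(cmdline)
    for i, tok in enumerate(tokens):
        if os.path.basename(tok) == "base64":
            for nxt in tokens[i + 1:]:       # only base64's own arguments
                if is_separator(nxt):
                    break
                if is_decode_flag(nxt):
                    return True
        elif re.search(r"\s", tok) and tok != cmdline:
            # a quoted argument containing whitespace is probably an inline script
            if is_base64_decode(tok):
                return True
    return False


def detect(events, allowlisted_parents=ALLOWLISTED_PARENTS):
    """Apply the rule to EDR process events. Allowlisted parents are kept in the
    output but marked suppressed so the tuning stays auditable."""
    alerts = []
    for ev in events:
        if not is_base64_decode(ev.get("process", "")):
            continue
        parent = ev.get("parent_process", "")
        alerts.append({
            "host": ev.get("host"),
            "user": ev.get("user"),
            "parent_process": parent,
            "process": ev["process"],
            "mitre_technique": "T1027",
            "suppressed": parent in allowlisted_parents,
        })
    return alerts


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"host": "web01", "user": "www-data", "parent_process": "/bin/sh",
     "process": "sh -c 'echo aWQ= | base64 -d | sh'"},              # alert
    {"host": "web01", "user": "root", "parent_process": "/usr/bin/python3",
     "process": "base64 --decode /tmp/payload.b64"},                 # alert
    {"host": "db02", "user": "postgres", "parent_process": "/usr/bin/pg_ctl",
     "process": "base64 -w 0 /var/lib/pgsql/backup.tar"},           # encode: no alert
    {"host": "ci01", "user": "jenkins", "parent_process": "/opt/ci/agent",
     "process": "base64 -d /opt/ci/secrets.b64"},                    # allowlisted parent
    {"host": "web01", "user": "www-data", "parent_process": "/bin/bash",
     "process": "grep -d skip foo /etc/"},                           # -d is grep's: no alert
    {"host": "web01", "user": "www-data", "parent_process": "/bin/bash",
     "process": "ls -d /tmp/base64"},                                # substring trap: no alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints three alerts, the third marked suppressed because of the placeholder allowlist; in practice the allowlist and the decision to suppress versus downgrade belong in the SIEM's tuning layer rather than in the detection itself.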
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Container
  • Process
ATT&CK Techniques
  • T1027
Created: 2024-11-13