
Persistence via Kernel Module Modification

Elastic Detection Rules

Summary
This detection rule aims to identify potential persistence attempts by monitoring loadable kernel module activity. By specifically looking for process events related to the loading (and unloading) of kernel modules via commands such as 'insmod', 'kmod', 'modprobe', and 'rmod', the rule can flag behavior that ordinary users do not typically perform. Such activity can signify an attempt to maintain persistent access to or control over a Linux system, since a malicious kernel module runs with kernel privileges and can subvert the operating system itself. The rule analyzes data from the indices 'auditbeat-*' and 'logs-endpoint.events.*', so that it scrutinizes the relevant process events within the defined timeframe of the last 9 months. Given its nature, this alert is categorized at the low severity level and is mapped to the MITRE ATT&CK framework, specifically the 'Persistence' tactic and its corresponding techniques.
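The following is an added illustration, not Elastic's own rule code: a small matcher that applies the logic described above (process start events whose process name is one of the module-management commands) to a handful of constructed ECS-style process events and returns low-severity alerts tagged with T1547.006. The flat "event.category"/"process.name" key names and the sample events are assumptions made for the example.

```python
"""Toy re-implementation of the kernel-module persistence detection described above.

Assumption (not taken from the page): each event is a flat dict using ECS-style
field names such as "event.category", "event.type", "process.name", "user.name".
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Module-management commands named in the rule summary.
KMOD_BINARIES = {"insmod", "kmod", "modprobe", "rmod"}


@dataclass
class Alert:
    host: str
    user: str
    process: str
    args: str
    severity: str = "low"          # severity stated on the page
    technique: str = "T1547.006"   # ATT&CK: Kernel Modules and Extensions


def matches_rule(event: Dict[str, Any]) -> bool:
    """True when the event is a process start of one of the kmod binaries."""
    return (
        event.get("event.category") == "process"
        and event.get("event.type") == "start"
        and event.get("process.name") in KMOD_BINARIES
    )


def detect(events: Iterable[Dict[str, Any]]) -> List[Alert]:
    """Run the matcher over a stream of events; user and args are kept for triage."""
    return [
        Alert(host=e.get("host.name", "?"), user=e.get("user.name", "?"),
              process=e["process.name"], args=e.get("process.args", ""))
        for e in events if matches_rule(e)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event.category": "process", "event.type": "start", "process.name": "insmod",
     "process.args": "insmod /tmp/example.ko", "user.name": "root", "host.name": "web01"},
    {"event.category": "process", "event.type": "start", "process.name": "modprobe",
     "process.args": "modprobe nf_conntrack", "user.name": "root", "host.name": "web01"},
    {"event.category": "process", "event.type": "end", "process.name": "modprobe",
     "process.args": "modprobe nf_conntrack", "user.name": "root", "host.name": "web01"},
    {"event.category": "process", "event.type": "start", "process.name": "bash",
     "process.args": "bash -c 'echo hi'", "user.name": "alice", "host.name": "web01"},
    {"event.category": "file", "event.type": "creation", "file.path": "/tmp/example.ko",
     "user.name": "alice", "host.name": "web01"},
]
```

Note that the legitimate `modprobe nf_conntrack` start fires too; the page mentions no exceptions, so in practice the alert's user and args fields are what an analyst uses to separate routine driver loading from a suspicious module pulled from a writable path.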
Categories
  • Linux
  • Endpoint
  • On-Premise
Data Sources
  • Process
  • Kernel
  • Logon Session
ATT&CK Techniques
  • T1547
  • T1547.006
Created: 2020-02-18