
Summary
This rule detects file modifications characteristic of persistence on Linux systems, using the Elastic File Integrity Monitoring (FIM) integration as its data source. It focuses on files that adversaries commonly modify to establish and keep access, such as cron job definitions, systemd service unit files, SSH configuration files, and shell configuration files (profile and rc files), among others. The rule alerts on update events for these files, so it only works if their paths are included in the FIM integration's monitoring policy; a setup guide accompanies the rule to ensure the integration is configured correctly before the rule is enabled. Because benign activity, such as routine system and package updates, also rewrites many of these files, alerts from this rule require triage to separate legitimate changes from malicious ones rather than being treated as confirmed compromise. The rule is assigned low severity and covers persistence and credential access techniques used by attackers.
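The matching logic the summary describes, as an added example that is not the rule's own query: a small Python re-implementation that flags FIM "updated" events on persistence-relevant paths and attaches a triage hint instead of suppressing alerts. The watch list is an assumption modelled on the file classes named above (cron, systemd units, SSH config, shell rc files), the dataset name `fim.event` is assumed for the Elastic FIM integration, the benign-writer list is illustrative, and the sample events are constructed.

```python
# Added example, not the rule's own query: re-implements the logic the summary
# describes so the matching and triage behaviour can be exercised offline.
# ASSUMPTIONS: WATCHED_PATTERNS is modelled on the file classes the summary
# names, "fim.event" is the assumed dataset name of the Elastic FIM
# integration, and LIKELY_BENIGN_WRITERS is illustrative for triage only.
import fnmatch

# Assumed watch list: cron, systemd units, SSH config, shell rc/profile files.
WATCHED_PATTERNS = (
    "/etc/crontab",
    "/etc/cron.d/*",
    "/etc/cron.daily/*",
    "/var/spool/cron/crontabs/*",
    "/etc/systemd/system/*.service",
    "/usr/lib/systemd/system/*.service",
    "/etc/ssh/sshd_config",
    "/etc/profile",
    "/etc/bash.bashrc",
    "/root/.bashrc",
    "/home/*/.bashrc",
)

# Illustrative allowlist used for triage, not suppression: package managers
# rewrite several of these files during routine updates.
LIKELY_BENIGN_WRITERS = frozenset({"dpkg", "apt-get", "rpm", "yum", "dnf"})


def is_persistence_update(event: dict) -> bool:
    """True when a FIM 'updated' event touches one of the watched paths.

    Mirrors the rule's scope as the summary states it: only update events,
    only from FIM telemetry, only on the persistence-relevant paths. Creation
    and deletion events are deliberately not matched.
    """
    if event.get("event.dataset") != "fim.event":
        return False
    if event.get("event.action") != "updated":
        return False
    path = event.get("file.path", "")
    # fnmatch's '*' also crosses '/', so '/etc/cron.d/*' covers nested paths.
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in WATCHED_PATTERNS)


def alert_on(events):
    """Return the alerts produced for a batch of events, each with a triage hint."""
    alerts = []
    for event in events:
        if not is_persistence_update(event):
            continue
        writer = event.get("process.name", "")
        alerts.append({
            "file.path": event["file.path"],
            "process.name": writer,
            # Hint only: the alert still fires; an analyst makes the call.
            "likely_benign": writer in LIKELY_BENIGN_WRITERS,
        })
    return alerts


# Constructed sample events using ECS-style flat keys (not captured data).
SAMPLE_EVENTS = [
    {"event.dataset": "fim.event", "event.action": "updated",
     "file.path": "/etc/cron.d/sysmaint", "process.name": "bash"},
    {"event.dataset": "fim.event", "event.action": "updated",
     "file.path": "/etc/ssh/sshd_config", "process.name": "dpkg"},
    # Creation of a new unit file: outside the scope of an "updated"-only rule.
    {"event.dataset": "fim.event", "event.action": "created",
     "file.path": "/etc/systemd/system/helper.service", "process.name": "bash"},
    # Watched action, but not a watched path.
    {"event.dataset": "fim.event", "event.action": "updated",
     "file.path": "/var/log/syslog", "process.name": "rsyslogd"},
    # Watched path, but not FIM telemetry.
    {"event.dataset": "auditd.log", "event.action": "updated",
     "file.path": "/etc/crontab", "process.name": "vim"},
]

if __name__ == "__main__":
    for alert in alert_on(SAMPLE_EVENTS):
        print(alert)
```

Running the block against the constructed events yields two alerts: the cron.d edit by `bash` with no benign hint, and the `sshd_config` rewrite by `dpkg` marked as likely benign. The unit-file creation is not matched, which is the practical gap to keep in mind with an "updated"-only rule: pair it with FIM creation events or a separate rule if new unit or cron files matter in your environment.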
Categories
- Endpoint
- Linux
Data Sources
- File
- Application Log
ATT&CK Techniques
- T1037
- T1037.004
- T1547
- T1547.006
- T1136
- T1136.001
- T1543
- T1543.002
- T1556
- T1574
- T1574.006
- T1053
- T1053.003
- T1548
- T1548.003
- T1014
Created: 2024-06-03