
Creation Of An User Account

Sigma Rules

Summary
This Sigma rule detects the creation of a new local user account on Linux from audit daemon (auditd) records. A new account is a persistence technique that gives an attacker a foothold without malware or a remote-access tool, so an account creation that no administrator can account for is worth triage. The rule matches on two kinds of auditd records: a SYSCALL record for execution of the useradd binary, and an ADD_USER record, which useradd itself writes through the audit subsystem when it adds an account. Either record fires the rule, so account creation is caught whether or not an execve audit rule is configured. Two caveats for deployment: the SYSCALL selection only produces events if auditd has a rule that logs execve (or an execute watch on the useradd binary), whereas ADD_USER records are emitted by useradd whenever auditd is running; and legitimate administration (manual provisioning, configuration management, package post-install scripts that create service accounts) also creates accounts, so expect to tune on the acting login user (auid) and on the name of the created account rather than suppressing the rule.
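As an added illustration (not code from the Sigma project or from this page), the following Python reproduces the rule's two selections over constructed auditd lines and shows why the raw and `ausearch -i` forms of a SYSCALL record differ. The field matching (record type SYSCALL with exe /usr/sbin/useradd and syscall execve, or record type ADD_USER) follows the summary above; the exact values in the published rule should be checked against its source. The sample records, the syscall-number map and all function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# auditd key=value pairs: values are bare, "double-quoted" or 'single-quoted'
_KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
# Event serial from msg=audit(<timestamp>:<serial>), raw or `ausearch -i` form
_SERIAL = re.compile(r"audit\(.*?:(\d+)\)")
# Assumption: raw records carry numeric syscall ids; 59 is execve on x86_64.
# Records already interpreted by `ausearch -i` carry the name "execve".
_SYSCALL_NAMES = {("c000003e", "59"): "execve"}

USERADD_EXE = "/usr/sbin/useradd"

# Constructed sample records (not captured from a real host). Note the EXECVE
# record sharing serial 456 with the first SYSCALL: it holds the argv, and the
# SYSCALL record for /usr/bin/ls shows a non-matching execve under the same key.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1589800000.123:456): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=7ffd1 a1=7ffd2 a2=7ffd3 a3=0 items=2 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 '
    'tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="user_mgmt"',
    'type=EXECVE msg=audit(1589800000.123:456): argc=2 a0="useradd" a1="svc_backup"',
    "type=ADD_USER msg=audit(1589800000.456:457): pid=1235 uid=0 auid=1000 ses=3 "
    "msg='op=add-user id=1001 exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=pts/0 res=success'",
    'type=SYSCALL msg=audit(1589800001.000:458): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1234 pid=1240 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="user_mgmt"',
    # Same event kind as the first line, but as `ausearch -i` prints it
    'type=SYSCALL msg=audit(05/18/2020 12:00:05.000:459) : arch=x86_64 syscall=execve '
    'success=yes exit=0 ppid=1234 pid=1241 auid=admin uid=root comm=useradd '
    'exe=/usr/sbin/useradd key=user_mgmt',
]


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
        return value[1:-1]
    return value


def parse_audit_record(line: str) -> Dict[str, str]:
    """Flatten one auditd line into a dict; a nested msg='k=v ...' block is merged in."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        fields[key] = _unquote(value)  # a repeated key (msg=) keeps its last value
    serial = _SERIAL.search(line)
    if serial:
        fields["serial"] = serial.group(1)
    # ADD_USER (and other account records) nest op=, id=, exe=, res= inside msg='...'
    nested = fields.get("msg", "")
    if "=" in nested:
        for key, value in _KV.findall(nested):
            fields.setdefault(key, _unquote(value))
    return fields


def matches_user_creation(rec: Dict[str, str]) -> bool:
    """The rule's two selections, OR-ed together."""
    rtype = rec.get("type")
    if rtype == "ADD_USER":
        return True
    if rtype == "SYSCALL":
        raw = rec.get("syscall", "")
        syscall = _SYSCALL_NAMES.get((rec.get("arch", ""), raw), raw)
        return syscall == "execve" and rec.get("exe") == USERADD_EXE
    return False


def detect(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run the rule over audit lines and return one alert per matching record."""
    alerts: List[Dict[str, Optional[str]]] = []
    for line in lines:
        rec = parse_audit_record(line)
        if matches_user_creation(rec):
            alerts.append({
                "serial": rec.get("serial"),   # correlate with the EXECVE record for argv
                "type": rec["type"],
                "exe": rec.get("exe"),
                "auid": rec.get("auid"),       # login uid: who acted, even via sudo
                "new_uid": rec.get("id"),      # only ADD_USER names the created uid
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LINES):
        print(alert)
```

The numeric-to-name syscall map is the point to watch when deploying: a pipeline that ships raw audit.log lines needs that normalisation (or a match on the number per architecture) before the rule's `execve` comparison can succeed, while `ausearch -i` output and most audit forwarders already provide the name. The ADD_USER record is the one that survives regardless, and it is also the only record that carries the created uid for triage.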
Categories
  • Linux
  • On-Premise
Data Sources
  • User Account
  • Application Log
Created: 2020-05-18