
Linux Install Kernel Module Using Modprobe Utility

Splunk Security Content

Summary
This detection rule identifies the installation of Linux kernel modules using the modprobe utility, which can indicate rootkit deployment or a malicious kernel-level exploit. It analyzes data from Endpoint Detection and Response (EDR) systems, focusing on the process name and the command-line arguments used at execution time. Kernel module loads carry inherent security risk, especially in contexts where such actions are unusual for the host or consistent with adversary behavior. By monitoring for these specific command executions, organizations gain visibility into potentially malicious activity that could lead to escalated privileges and persistent access on compromised systems. The rule is implemented as a Splunk search and requires the relevant logs to be mapped to the `Endpoint` data model, using the Common Information Model (CIM) to normalize the data fields.
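To show what this detection does in concrete terms, here is an added Python example (not the Splunk Security Content rule itself, and not its SPL) that runs the same idea over constructed EDR process events: keep events whose process name is `modprobe`, then treat the command line as a module install unless it carries a removal or query-only flag. The event field names (`dest`, `user`, `parent_process_name`, `process_name`, `process`) loosely follow the `Endpoint.Processes` data model; the sample events and the exact flag list are assumptions made for the example, not values taken from the rule.

```python
import os
import shlex
from typing import Dict, List

# Constructed sample EDR process events for the example (not real telemetry).
# Field names loosely follow the Endpoint.Processes CIM data model.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dest": "web01", "user": "root", "parent_process_name": "bash",
     "process_name": "modprobe", "process": "modprobe suspicious_mod"},
    {"dest": "web01", "user": "root", "parent_process_name": "systemd-udevd",
     "process_name": "modprobe", "process": "/sbin/modprobe -r floppy"},
    {"dest": "db02", "user": "root", "parent_process_name": "sh",
     "process_name": "modprobe", "process": "modprobe --force-vermagic -v evil"},
    {"dest": "db02", "user": "root", "parent_process_name": "bash",
     "process_name": "modprobe", "process": "modprobe -n --show-depends ext4"},
    {"dest": "app03", "user": "alice", "parent_process_name": "bash",
     "process_name": "ls", "process": "ls -la /lib/modules"},
]

# modprobe flags that remove a module or only query/print, i.e. do not load
# anything. The list is an assumption for this example; tune it to the
# modprobe version deployed on your hosts.
NON_INSTALL_FLAGS = {
    "-r", "--remove",
    "-n", "--dry-run", "--show",
    "--show-depends",
    "-c", "--showconfig",
    "-l", "--list",
    "-V", "--version",
    "-h", "--help",
}


def is_module_install(process: str) -> bool:
    """Return True when the command line looks like a modprobe module load.

    Rules (assumed for the example): the executable basename is modprobe,
    no non-install flag is present, and at least one non-option argument
    (the module name) follows. Arguments to options such as -C or -d are
    counted as module names here, which errs toward alerting.
    """
    try:
        argv = shlex.split(process or "")
    except ValueError:
        # Unbalanced quotes: treat an unparsable line as suspicious enough to review.
        return True
    if not argv or os.path.basename(argv[0]) != "modprobe":
        return False
    args = argv[1:]
    if any(a in NON_INSTALL_FLAGS for a in args):
        return False
    module_args = [a for a in args if not a.startswith("-")]
    return len(module_args) > 0


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter EDR process events down to modprobe module installs.

    Mirrors the rule's shape: match on process_name first, then inspect
    the full command line. Returns the matching events unchanged so the
    caller keeps dest/user/parent context for triage.
    """
    return [
        ev for ev in events
        if ev.get("process_name") == "modprobe" and is_module_install(ev.get("process", ""))
    ]


def summarize(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matches per host, the way a | stats count by dest would."""
    counts: Dict[str, int] = {}
    for ev in detect(events):
        counts[ev["dest"]] = counts.get(ev["dest"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['dest']} {hit['user']} parent={hit['parent_process_name']} "
              f"cmd={hit['process']!r}")
    print(summarize(SAMPLE_EVENTS))
```

The two events that survive are the bare `modprobe suspicious_mod` and the `--force-vermagic` load; the `-r` removal and the `--show-depends` query are dropped, as is the unrelated `ls`. In production the parent process (`systemd-udevd` versus an interactive shell) and the user are the fields that separate routine hardware-driven loads from the adversarial case the rule targets, so keep them on the alert rather than reducing to a count.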
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Process
ATT&CK Techniques
  • T1547.006
  • T1547
Created: 2024-11-13