
Summary
This rule identifies potentially malicious process executions in temporary directories, a behavior adversaries sometimes adopt to conceal malware activity. Specifically, it queries for processes started from the '/tmp' directory, a common temporary location on Linux systems, while excluding legitimate process names commonly associated with system operations such as updates and package management. The rule applies to events logged through Elastic's Auditbeat and related sources over the past nine months. It carries a medium risk score of 47, reflecting a moderate likelihood of real threats while acknowledging potential false positives from legitimate processes, such as those run by build systems like Jenkins. The rule is categorized under the Execution tactic of the MITRE ATT&CK framework, reflecting its role in tracking unconventional execution practices that may indicate malicious activity. The rule has been deprecated and is no longer recommended for use; users should refer to updated rules for threat detection.
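The following is an added example, not Elastic's rule query or any code from the rule itself: a minimal Python re-implementation of the logic the summary describes (flag a process whose executable resolves under /tmp unless its name is on an allowlist), run over constructed Auditbeat-style events. The allowlist, the build-system parent names used for the Jenkins false-positive hint, the `ProcessEvent` fields and all sample events are assumptions constructed for illustration; only the /tmp path, the risk score of 47 and the Execution tactic come from the page.

```python
from dataclasses import dataclass
import posixpath

RISK_SCORE = 47  # the medium risk score stated for the rule

# Assumption: the rule keys on the executable path; '/tmp' is the directory the page names.
TMP_DIR = "/tmp"

# Constructed allowlist, NOT the rule's real exclusion list: process names of the
# update / package-management kind the summary says are excluded.
ALLOWED_NAMES = frozenset({"apt-get", "dpkg", "yum", "rpm", "unattended-upgrade"})

# Constructed set of build-system parents (the page names Jenkins as a false-positive source).
BUILD_PARENTS = frozenset({"jenkins", "jenkins-agent"})


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for an Auditbeat process-start event (constructed fields)."""
    name: str          # process.name
    executable: str    # process.executable
    parent_name: str   # process.parent.name


def is_tmp_execution(executable: str) -> bool:
    """True if the executable path resolves to a location under /tmp.

    normpath collapses '.' and '..' segments, so '/tmp/../usr/bin/cat' is not
    counted while '/tmp/./x/../y' still is; '/tmpfoo/x' is not a match either.
    """
    exe = posixpath.normpath(executable)
    return exe == TMP_DIR or exe.startswith(TMP_DIR + "/")


def evaluate(events, allowed_names=ALLOWED_NAMES):
    """Apply the rule logic: alert on /tmp executions unless the name is allowlisted.

    Each alert carries the page's risk score and a triage hint marking children
    of build-system processes, which the summary identifies as a benign source.
    """
    alerts = []
    for ev in events:
        if not is_tmp_execution(ev.executable):
            continue
        if ev.name in allowed_names:  # name-based exclusion, as the summary describes
            continue
        alerts.append({
            "process": ev.name,
            "executable": ev.executable,
            "parent": ev.parent_name,
            "risk_score": RISK_SCORE,
            "tactic": "Execution",  # MITRE ATT&CK tactic the rule is filed under
            "likely_false_positive": ev.parent_name in BUILD_PARENTS,
        })
    return alerts


# Constructed sample events exercising each branch of the logic.
SAMPLE_EVENTS = [
    ProcessEvent("svc-helper", "/tmp/.cache/svc-helper", "bash"),       # alert
    ProcessEvent("apt-get", "/tmp/apt-get", "systemd"),                 # excluded by name
    ProcessEvent("build.sh", "/tmp/jenkins-4/build.sh", "jenkins"),     # alert, flagged likely benign
    ProcessEvent("ls", "/usr/bin/ls", "bash"),                          # not under /tmp
    ProcessEvent("cat", "/tmp/../usr/bin/cat", "bash"),                 # normalises out of /tmp
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Two points worth noting when reading the output: the exclusion works by process name only, which is what keeps package-manager noise out of the alert stream but also why the summary rates the rule as medium rather than high confidence; and path normalisation matters, because a raw prefix check on the unnormalised string would treat `/tmp/../usr/bin/cat` as a /tmp execution.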
Categories
- Endpoint
- Linux
Data Sources
- Process
Created: 2020-02-18