
Summary
The 'Linux Service Restarted' rule is an anomaly detection analytic that identifies when services on Linux systems are restarted or re-enabled through commands such as 'systemctl' or 'service'. This behavior warrants attention because it may indicate an attempt to maintain persistence or execute unauthorized actions on a compromised system. The rule uses telemetry from Endpoint Detection and Response (EDR) agents, specifically logs of process and command-line execution. Its detection logic counts occurrences of the specified commands whose command line includes the keywords 'restart', 'reload', or 'reenable', drawing the data from the Endpoint Processes data model in Splunk. Analysts should investigate any detected instance, since it could signify an attempt to execute malicious payloads, gain unauthorized access, or sabotage data. Implementing the detection requires EDR logs that capture process-related data, mapped to the Splunk Common Information Model (CIM) so that the fields resolve correctly. False positives can arise when administrative users legitimately restart services, so analysts are encouraged to tune the search filters to reduce them.
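The following is an added example, not the rule's own SPL or any Splunk code: it re-implements the detection logic described above in Python over constructed EDR process events that use the CIM Endpoint.Processes field names (dest, user, process_name, process). The grouping key and the excluded_users tuning parameter are assumptions added to illustrate the aggregation and the false-positive note, not part of the published rule.

```python
from collections import Counter

# Process names and command-line keywords named in the rule summary.
SERVICE_MANAGERS = {"systemctl", "service"}
RESTART_KEYWORDS = ("restart", "reload", "reenable")

# Constructed sample events (not real telemetry) shaped like CIM
# Endpoint.Processes records: dest, user, process_name, process.
SAMPLE_EVENTS = [
    {"dest": "web01", "user": "root", "process_name": "/usr/bin/systemctl",
     "process": "systemctl restart nginx.service"},
    {"dest": "web01", "user": "root", "process_name": "/usr/bin/systemctl",
     "process": "systemctl restart nginx.service"},
    {"dest": "web01", "user": "www-data", "process_name": "systemctl",
     "process": "systemctl reenable cron.service"},
    {"dest": "db01", "user": "root", "process_name": "/usr/sbin/service",
     "process": "service sshd reload"},
    {"dest": "db01", "user": "root", "process_name": "systemctl",
     "process": "systemctl status nginx.service"},   # no restart keyword
    {"dest": "web01", "user": "root", "process_name": "/bin/bash",
     "process": "bash -c 'echo restart'"},           # keyword, wrong process
]

def base_name(path):
    """Strip any directory so '/usr/bin/systemctl' compares as 'systemctl'."""
    return path.rsplit("/", 1)[-1]

def is_service_restart(event):
    """True when a systemctl/service command line contains restart, reload or reenable."""
    if base_name(event.get("process_name", "")) not in SERVICE_MANAGERS:
        return False
    cmd = event.get("process", "").lower()
    return any(keyword in cmd for keyword in RESTART_KEYWORDS)

def count_service_restarts(events, excluded_users=frozenset()):
    """Count matching commands per (dest, user, process_name, process).

    excluded_users is an assumed tuning knob for the false-positive case the
    rule notes: known administrative accounts can be filtered out here.
    """
    counts = Counter()
    for event in events:
        if event.get("user") in excluded_users or not is_service_restart(event):
            continue
        key = (event["dest"], event["user"], base_name(event["process_name"]), event["process"])
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in count_service_restarts(SAMPLE_EVENTS).items():
        print(n, *key)
```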
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Process
ATT&CK Techniques
- T1543
- T1053.006
- T1053
Created: 2024-11-13