
Linux Deletion of SSL Certificate

Splunk Security Content

Summary
This analytic rule detects the deletion of SSL certificates on Linux systems by monitoring filesystem event logs for specific file activities. It focuses on file deletion events within the '/etc/ssl/certs/' directory, specifically on files with the '.pem' or '.crt' extensions. Such deletions are significant because they can indicate malicious attempts to disrupt secure communications, evade detection, or facilitate destructive payloads. Criminal actors may target SSL certificate files to disable security measures, making this detection rule vital for maintaining the integrity and confidentiality of communications on Linux systems. The detection leverages Sysmon for Linux, capturing the file deletion events that could signal unauthorized activity.
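The matching logic described above, replayed over constructed Sysmon for Linux events as an added example (not the rule's own SPL or Splunk's code). It assumes file deletions arrive as Sysmon EventID 23 with TargetFilename, Image and User fields; the sample events are constructed, not real telemetry.

```python
"""Replay the certificate-deletion check over constructed Sysmon for Linux events."""
from dataclasses import dataclass
from pathlib import PurePosixPath

CERT_DIR = PurePosixPath("/etc/ssl/certs")
CERT_EXTS = {".pem", ".crt"}
SYSMON_FILE_DELETE = 23  # assumption: Sysmon FileDelete event id carried in EventID


@dataclass(frozen=True)
class Alert:
    path: str
    process: str
    user: str


def is_cert_deletion(event: dict) -> bool:
    """True for a FileDelete of a .pem/.crt file under /etc/ssl/certs/ (or a subdirectory)."""
    if event.get("EventID") != SYSMON_FILE_DELETE:
        return False
    target = PurePosixPath(event.get("TargetFilename", ""))
    # Path-based check: avoids matching look-alikes such as /etc/ssl/certs.bak/
    if CERT_DIR not in target.parents:
        return False
    return target.suffix.lower() in CERT_EXTS


def detect_cert_deletions(events: list[dict]) -> list[Alert]:
    """Return one Alert per event that satisfies the rule."""
    return [Alert(e["TargetFilename"], e.get("Image", "?"), e.get("User", "?"))
            for e in events if is_cert_deletion(e)]


# Constructed sample events (hypothetical, not captured telemetry)
SAMPLE_EVENTS = [
    {"EventID": 23, "TargetFilename": "/etc/ssl/certs/ca-certificates.crt", "Image": "/usr/bin/rm", "User": "root"},
    {"EventID": 23, "TargetFilename": "/etc/ssl/certs/Example_Root_CA.pem", "Image": "/usr/bin/rm", "User": "root"},
    {"EventID": 23, "TargetFilename": "/tmp/build.crt", "Image": "/usr/bin/rm", "User": "dev"},  # outside dir
    {"EventID": 11, "TargetFilename": "/etc/ssl/certs/new.pem", "Image": "/usr/sbin/update-ca-certificates", "User": "root"},  # create, not delete
    {"EventID": 23, "TargetFilename": "/etc/ssl/certs/README", "Image": "/usr/bin/rm", "User": "root"},  # wrong extension
]

if __name__ == "__main__":
    for alert in detect_cert_deletions(SAMPLE_EVENTS):
        print(f"ALERT: {alert.path} deleted by {alert.process} as {alert.user}")
```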
Categories
  • Linux
  • Endpoint
Data Sources
  • File
  • Logon Session
ATT&CK Techniques
  • T1485
  • T1070.004
  • T1070
Created: 2024-11-13