
Summary
This rule detects modifications to Linux Access Control Lists (ACLs) made with the `setfacl` command. ACL entries are a common choice for stealthy permission changes because they do not show up in the mode bits that `ls -l` prints (only a trailing `+` hints that an ACL exists), so an adversary can grant a low-privileged user read or write access to a sensitive file, or keep access to a file after being removed from its group, without the obvious `chmod`-style change that analysts look for. Such changes support both defense evasion and persistence in a compromised environment.

The detection logic is written in Event Query Language (EQL) and matches process events that meet three criteria: the host operating system is Linux, the event records a process start, and the process name is `setfacl`. The rule explicitly excludes well-known benign uses of `setfacl` by filtering out command lines associated with system maintenance tasks and backup operations (tooling that restores ACLs as part of a normal job), which reduces false positives without suppressing interactive or script-driven ACL changes.

The accompanying investigation guide walks analysts through evaluating an alert: reviewing the full command line, the parent process, and the user who launched `setfacl`; checking the affected path with `getfacl` to see exactly which principal gained which rights; and correlating with other process, file, and logon data for a complete picture of the activity. The rule is considered production-ready, integrates with the supported endpoint data sources, and is scoped tightly enough that the remaining alerts warrant analyst review rather than blanket tuning.
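The matching logic above, as an added example that is not the Elastic rule or its EQL query: a small Python reimplementation run over constructed process events. The field names, the benign-use exclusions (a `--restore` flag and a set of backup/maintenance parent process names), and the list of sensitive path prefixes used for triage are assumptions made for this illustration; the real rule's exclusions are not reproduced here.

```python
"""Added example (not the Elastic rule itself): setfacl ACL-modification
detection over constructed sample events, with a small argument parser that
pulls out what an analyst wants first: which principal got which rights on
which paths."""
from dataclasses import dataclass
import shlex

# Hypothetical benign-use filters. ASSUMPTION: the production rule's exclusions
# differ; these stand in for "system maintenance and backup operations".
BENIGN_RESTORE_FLAG = "--restore"                 # e.g. `setfacl --restore=-` from a backup pipeline
BENIGN_PARENTS = {"rsync", "tar", "dpkg", "apt-get"}

# ASSUMPTION: path prefixes an analyst would treat as high-value for triage.
SENSITIVE_PREFIXES = ("/etc/", "/root/", "/var/spool/cron", "/home/")


@dataclass
class ProcessEvent:
    """Minimal stand-in for the fields the EQL rule reads (names are assumed)."""
    os_type: str        # host.os.type
    event_type: str     # event.type
    process_name: str   # process.name
    command_line: str   # process.command_line
    parent_name: str    # process.parent.name
    user_name: str      # user.name


def is_setfacl_acl_modification(ev: ProcessEvent) -> bool:
    """Core match: Linux + process start + setfacl, minus assumed benign uses."""
    if ev.os_type != "linux" or ev.event_type != "start":
        return False
    if ev.process_name != "setfacl":
        return False
    # Exclusions (hypothetical): ACL restore jobs and known maintenance parents.
    if BENIGN_RESTORE_FLAG in ev.command_line:
        return False
    if ev.parent_name in BENIGN_PARENTS:
        return False
    return True


def parse_setfacl_args(command_line: str) -> dict:
    """Extract ACL operations, target paths and flags from a setfacl command line.

    Handles the long and short forms of -m/--modify, -x/--remove, -b/--remove-all
    and -R/--recursive. Bundled short options (e.g. -Rm) are not expanded; any
    other option is skipped, and every non-option argument is treated as a path.
    """
    args = shlex.split(command_line)[1:]  # drop argv[0]
    ops, paths, recursive, remove_all = [], [], False, False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-m", "--modify", "-x", "--remove"):
            op = "modify" if a in ("-m", "--modify") else "remove"
            if i + 1 < len(args):
                ops.append((op, args[i + 1]))
            i += 2
            continue
        if a in ("-b", "--remove-all"):
            remove_all = True
        elif a in ("-R", "--recursive"):
            recursive = True
        elif not a.startswith("-"):
            paths.append(a)
        i += 1
    return {"ops": ops, "paths": paths, "recursive": recursive, "remove_all": remove_all}


def run_rule(events: list[ProcessEvent]) -> list[dict]:
    """Apply the rule and enrich each hit with parsed ACL details for triage."""
    alerts = []
    for ev in events:
        if not is_setfacl_acl_modification(ev):
            continue
        details = parse_setfacl_args(ev.command_line)
        details.update(
            user=ev.user_name,
            parent=ev.parent_name,
            command_line=ev.command_line,
            sensitive_target=any(p.startswith(SENSITIVE_PREFIXES) for p in details["paths"]),
        )
        alerts.append(details)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("linux", "start", "setfacl", "setfacl -m u:nobody:rwx /etc/shadow", "bash", "root"),
    ProcessEvent("linux", "start", "setfacl", "setfacl --restore=-", "rsync", "root"),
    ProcessEvent("linux", "start", "setfacl", "setfacl -R -m g:developers:rx /srv/app", "bash", "deploy"),
    ProcessEvent("linux", "end", "setfacl", "setfacl -m u:nobody:rwx /etc/shadow", "bash", "root"),
    ProcessEvent("linux", "start", "getfacl", "getfacl /etc/shadow", "bash", "root"),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Two of the five constructed events alert: the interactive grant of `rwx` on `/etc/shadow` to `nobody` (flagged as a sensitive target) and the recursive group grant under `/srv/app`. The `--restore` run under `rsync`, the non-start event, and the `getfacl` read are all dropped. The second alert is plausibly legitimate deployment work, which is the point of the investigation guide: the rule narrows the stream, and the parent, user and parsed ACL entry are what decide the outcome.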
Categories
- Endpoint
- Linux
- Other
Data Sources
- Process
- Logon Session
- File
- Network Traffic
ATT&CK Techniques
- T1222
- T1222.002
Created: 2024-08-23