Unusual Linux System Information Discovery Activity

Elastic Detection Rules

Summary
This detection rule identifies unusual Linux system information discovery activity by monitoring commands that query system configuration and software versions when they are executed from atypical user contexts. Such activity may be legitimate troubleshooting, or it may indicate a compromised account gathering system intelligence. Using machine learning, the rule flags command executions that deviate significantly from established user behavior patterns. The detection operates on an anomaly threshold score of 75; the rule runs every 15 minutes and alerts on anomalies detected over the past 45 minutes. Built-in guidance for handling false positives covers the investigation and remediation of alerts stemming from common administrative tasks or automated scripts. The rule requires either the Elastic Defend or the Auditd Manager integration, which collect the process and command data the anomaly job depends on.
Categories
  • Endpoint
  • Linux
Data Sources
  • User Account
  • Process
  • Command
ATT&CK Techniques
  • T1082
Created: 2020-09-03