Linux Deletion Of Cron Jobs

Splunk Security Content

Summary
This detection rule identifies the deletion of cron jobs on Linux systems, a potential indicator of malicious activity. The rule leverages Sysmon for Linux EventID 11 to monitor filesystem events, specifically looking for deletions under the '/etc/cron.*' directories. This is significant because attackers may delete cron jobs to suppress scheduled security tasks or evade detection, which could compromise system stability and security. Such deletions can point towards attempts to disrupt system operations or to prepare further malicious actions, as documented in real-world incidents like the AcidRain malware attack, which involved wiping critical data. The search implemented in this rule checks for any deletion actions on cron jobs within a one-hour span, aggregating the relevant event data for analysis. To implement this rule effectively, the logs captured through Sysmon must include detailed process information. There is also a caveat for potential false positives, since legitimate administrative actions (such as package removals) may trigger the rule; users are advised to refine the rule's filter macros to reduce these occurrences.
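To make the detection logic in the summary concrete, the following added example (not the Splunk Security Content rule's own search, and not tied to its real data-model schema) re-implements the idea over constructed Sysmon-for-Linux-style filesystem events: keep only deletions whose path falls under /etc/cron*, drop events from an assumed allowlist of processes that stands in for the rule's filter macro, and aggregate the rest per host into one-hour buckets the way a span=1h aggregation would. The field names (ts, host, action, file_path, process, user), the sample events and the allowlist are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Constructed sample events in a Sysmon-for-Linux-like shape. The field names are
# assumptions for this example; map them onto your real schema / data model.
SAMPLE_EVENTS = [
    {"ts": "2024-11-13T09:05:12", "host": "web01", "action": "deleted",
     "file_path": "/etc/cron.d/security-scan", "process": "rm", "user": "root"},
    {"ts": "2024-11-13T09:07:40", "host": "web01", "action": "deleted",
     "file_path": "/etc/cron.daily/logrotate", "process": "rm", "user": "root"},
    {"ts": "2024-11-13T09:30:01", "host": "web01", "action": "created",
     "file_path": "/etc/cron.d/backup", "process": "vim", "user": "root"},
    {"ts": "2024-11-13T10:15:00", "host": "db02", "action": "deleted",
     "file_path": "/etc/cron.d/old-package", "process": "dpkg", "user": "root"},
    {"ts": "2024-11-13T11:02:33", "host": "db02", "action": "deleted",
     "file_path": "/tmp/scratch.txt", "process": "rm", "user": "alice"},
]

# Glob covering /etc/crontab, /etc/cron.d/*, /etc/cron.daily/*, /etc/cron.hourly/* ...
CRON_GLOBS = ("/etc/cron*",)

# Stand-in for the rule's filter macro: processes whose cron-file deletions are
# expected on this fleet (assumed allowlist; tune it for your own environment).
ALLOWED_PROCESSES = {"dpkg", "rpm", "apt", "yum"}


def is_cron_path(path):
    """True when the path lies under one of the cron locations being watched."""
    return any(fnmatch(path, pattern) for pattern in CRON_GLOBS)


def detect_cron_deletions(events, window=timedelta(hours=1), allowed=ALLOWED_PROCESSES):
    """Return one aggregated finding per (host, time bucket) in which cron files were deleted.

    Each finding carries the deletion count plus the distinct paths, processes and
    users seen in that bucket, which is the context an analyst needs to triage it.
    """
    buckets = defaultdict(lambda: {"count": 0, "paths": set(), "processes": set(), "users": set()})
    for ev in events:
        if ev["action"] != "deleted" or not is_cron_path(ev["file_path"]):
            continue
        if ev["process"] in allowed:  # known-benign administrative tooling
            continue
        ts = datetime.fromisoformat(ev["ts"])
        # Floor the timestamp to the start of its window (like span=1h in Splunk).
        bucket_start = datetime.min + ((ts - datetime.min) // window) * window
        bucket = buckets[(ev["host"], bucket_start)]
        bucket["count"] += 1
        bucket["paths"].add(ev["file_path"])
        bucket["processes"].add(ev["process"])
        bucket["users"].add(ev["user"])

    findings = []
    for (host, start), b in sorted(buckets.items()):
        findings.append({
            "host": host,
            "window_start": start.isoformat(),
            "count": b["count"],
            "paths": sorted(b["paths"]),
            "processes": sorted(b["processes"]),
            "users": sorted(b["users"]),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_cron_deletions(SAMPLE_EVENTS):
        print(finding)
```

Running it on the constructed events yields a single finding for web01 in the 09:00 bucket with two deleted cron files; the dpkg deletion on db02 is suppressed by the allowlist and the /tmp deletion never matches the cron glob. Passing allowed=set() shows the effect of an empty filter macro: the dpkg event then surfaces as a second finding, which is exactly the false-positive class the summary warns about.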
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
ATT&CK Techniques
  • T1485
  • T1070.004
  • T1070
Created: 2024-11-13