
Summary
This rule detects potential database dumping activity on Linux endpoints by monitoring for the invocation of common database dumping utilities (pg_dump, pg_dumpall, mysqldump, mariadb-dump, mongodump) at process start. The Elastic EQL query runs on Linux hosts and triggers when a process starts, its name matches one of the dump tools, and event.action is one of exec, exec_event, start, or ProcessRollup2. Such activity can indicate an attacker dumping database contents to a local file for later exfiltration to a remote server. The rule maps to MITRE ATT&CK: Exfiltration (TA0010) and Exfiltration Over Alternative Protocol (T1048). It is designed to work with telemetry from multiple data sources (Elastic Defend, CrowdStrike, SentinelOne, Elastic Endgame), as indicated in the setup notes. The rule is labeled low severity with a risk_score of 21. The setup section explains Elastic Defend integration via Fleet on Linux endpoints. Overall, this detection targets the initial stage of data exfiltration by flagging the execution of known database dump utilities on Linux hosts.
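As an added illustration (not the rule's own EQL text, which this page does not reproduce), the following Python re-implements the matching conditions described above and runs them over constructed ECS-style process events. It assumes the usual ECS field names (host.os.type, event.category, event.type, event.action, process.name, process.parent.name, process.command_line) flattened into dotted keys; the sample events and the small triage helper that flags a dump written to local disk are additions for the example, not part of the rule.

```python
# Added example: Python re-implementation of the rule's matching logic over
# constructed ECS-style events. Field names are ECS conventions assumed here;
# the rule's real EQL query is not reproduced on this page.

DUMP_TOOLS = frozenset({"pg_dump", "pg_dumpall", "mysqldump", "mariadb-dump", "mongodump"})
START_ACTIONS = frozenset({"exec", "exec_event", "start", "ProcessRollup2"})


def matches_rule(event: dict) -> bool:
    """Mirror the rule's conditions: Linux host, process start, known dump tool,
    and an event.action value from the list the summary gives."""
    return (
        event.get("host.os.type") == "linux"
        and event.get("event.category") == "process"
        and event.get("event.type") == "start"
        and event.get("event.action") in START_ACTIONS
        and event.get("process.name") in DUMP_TOOLS
    )


def triage_context(event: dict) -> dict:
    """Collect the fields an analyst wants first when the rule fires."""
    cmd = event.get("process.command_line", "")
    return {
        "host": event.get("host.name"),
        "user": event.get("user.name"),
        "tool": event.get("process.name"),
        "parent": event.get("process.parent.name"),
        "command_line": cmd,
        # Output sent to a path via shell redirection or an output flag is the
        # "dump to a local file" pattern the summary describes (heuristic only).
        "writes_local_file": any(m in cmd for m in (">", "--file", "-f ", "--out")),
    }


def run_detection(events: list[dict]) -> list[dict]:
    """Apply the rule to a list of events; return triage context for each hit."""
    return [triage_context(e) for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # 1: pg_dumpall launched from a shell by a web service account -> alert
        "host.os.type": "linux", "host.name": "db-prod-01", "user.name": "www-data",
        "event.category": "process", "event.type": "start", "event.action": "exec",
        "process.name": "pg_dumpall", "process.parent.name": "bash",
        "process.command_line": "pg_dumpall -U postgres > /tmp/.x/all.sql",
    },
    {  # 2: scheduled backup from cron -> also alerts; parent name aids triage
        "host.os.type": "linux", "host.name": "db-prod-01", "user.name": "backup",
        "event.category": "process", "event.type": "start", "event.action": "ProcessRollup2",
        "process.name": "mysqldump", "process.parent.name": "cron",
        "process.command_line": "mysqldump --all-databases --file /var/backups/nightly.sql",
    },
    {  # 3: same tool, but a process end event, not a start -> no alert
        "host.os.type": "linux", "host.name": "db-prod-01", "user.name": "backup",
        "event.category": "process", "event.type": "end", "event.action": "end",
        "process.name": "mongodump", "process.parent.name": "bash",
        "process.command_line": "mongodump --out /var/backups/mongo",
    },
    {  # 4: non-Linux host -> outside the rule's scope
        "host.os.type": "windows", "host.name": "ws-42", "user.name": "alice",
        "event.category": "process", "event.type": "start", "event.action": "start",
        "process.name": "mysqldump", "process.parent.name": "cmd.exe",
        "process.command_line": "mysqldump -u root shop",
    },
    {  # 5: unrelated database client start -> no alert
        "host.os.type": "linux", "host.name": "db-prod-01", "user.name": "postgres",
        "event.category": "process", "event.type": "start", "event.action": "exec",
        "process.name": "psql", "process.parent.name": "bash",
        "process.command_line": "psql -c 'select 1'",
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Event 2 shows why the rule carries a low severity: a legitimate nightly backup matches exactly the same conditions as event 1, so the parent process, user and output path in the triage context are what separate routine operations from the staging step the summary warns about.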
Categories
- Endpoint
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1048
Created: 2026-03-13