User Has Been Deleted Via Userdel

Sigma Rules

Summary
This detection rule identifies execution of the `userdel` command on Linux systems, which deletes a user account and, optionally, its home directory and mail spool. Threat actors may use this command to remove accounts they created and erase traces of their presence on the system, particularly after they suspect they have been detected. The rule matches process creation events in which the executed image path ends with `/userdel`. Because legitimate system administrators also delete user accounts, the detection carries a medium false positive risk; the invoking user, the parent process, and the deleted account name are the main triage signals.
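The rule logic above, applied to constructed process-creation events, as an added example that is not part of the Sigma rule or this site. It assumes the usual Sigma `process_creation` field names (`Image`, `CommandLine`, `ParentImage`, `User`) and enriches each match with the triage details an analyst needs to separate administrator activity from cleanup by an intruder.

```python
import json
import shlex

# Constructed sample events in a Sigma-like process_creation layout; not from a real host.
SAMPLE_EVENTS = [
    '{"Image": "/usr/sbin/userdel", "CommandLine": "userdel -r svc_backup", "ParentImage": "/bin/bash", "User": "root"}',
    '{"Image": "/usr/bin/ls", "CommandLine": "ls -la /home", "ParentImage": "/bin/bash", "User": "alice"}',
    '{"Image": "/usr/sbin/useradd", "CommandLine": "useradd -m bob", "ParentImage": "/bin/bash", "User": "root"}',
    '{"Image": "/usr/sbin/userdel", "CommandLine": "userdel tempuser", "ParentImage": "/usr/bin/ansible-playbook", "User": "root"}',
]


def matches_rule(event):
    """Rule logic described on the page: process creation whose Image ends with '/userdel'."""
    return event.get("Image", "").endswith("/userdel")


def enrich(event):
    """Extract triage context: who ran it, from which parent, which account was
    deleted, and whether the home directory was purged (-r / --remove)."""
    argv = shlex.split(event.get("CommandLine", ""))
    flags = [a for a in argv[1:] if a.startswith("-")]
    targets = [a for a in argv[1:] if not a.startswith("-")]
    return {
        "actor": event.get("User"),
        "parent": event.get("ParentImage"),
        "deleted_account": targets[-1] if targets else None,
        "home_removed": "-r" in flags or "--remove" in flags,
    }


def detect(lines):
    """Run the rule over JSON event lines and return the enriched findings."""
    findings = []
    for line in lines:
        event = json.loads(line)
        if matches_rule(event):
            findings.append(enrich(event))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The parent process is the quickest false-positive discriminator: a configuration-management tool as parent points to routine provisioning, while an interactive shell spawned from a remote session warrants a closer look.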
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
Created: 2022-12-26