Manual Mount Discovery via /etc/exports or /etc/fstab

Elastic Detection Rules

Summary
This rule detects manual mount discovery on Linux hosts by monitoring for the inspection of `/etc/exports` and `/etc/fstab`. Both files are central to Network File System (NFS) configuration: they describe the directories shared with, or mounted from, remote hosts. Attackers read them to enumerate shared resources and pick targets for further exploitation. The rule uses an EQL (Event Query Language) query that fires when a process commonly used to read files (such as `cat`, `grep`, or `tail`) is executed against either file, which indicates possible reconnaissance. It runs on process events collected by Elastic Defend and surfaces file-access activity that may indicate a compromise.
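A simplified version of the check the rule's EQL query performs, written here as an added Python example rather than the rule's own query; the set of reader utilities, the event fields and the sample events are assumptions:

```python
"""Simplified detector for manual NFS mount-discovery activity.

Flags process executions whose command line reads /etc/exports or
/etc/fstab with a file-inspection utility. The utility set and the event
shape are assumptions; the real rule is an EQL query evaluated by Elastic
Defend over endpoint process events.
"""
import shlex
from typing import Dict, List

# Utilities commonly used to read configuration files (assumed set; the
# rule summary names cat, grep and tail as examples).
READER_PROCESSES = {"cat", "grep", "egrep", "fgrep", "tail", "head", "less", "more"}
WATCHED_FILES = {"/etc/exports", "/etc/fstab"}


def is_mount_discovery(command_line: str) -> bool:
    """Return True when the command line reads a watched NFS config file."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: cannot parse, so do not alert
        return False
    if not argv:
        return False
    # Compare the basename so /usr/bin/cat and cat are treated alike.
    process = argv[0].rsplit("/", 1)[-1]
    if process not in READER_PROCESSES:
        return False
    # Any argument naming a watched file counts, whatever the option order.
    return any(arg in WATCHED_FILES for arg in argv[1:])


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the check over endpoint process events; return the matching ones."""
    return [e for e in events if is_mount_discovery(e["command_line"])]


# Constructed sample events (not real telemetry). The vim line shows an
# edit rather than a read and is outside this rule's scope.
SAMPLE_EVENTS = [
    {"host": "web01", "user": "alice", "command_line": "cat /etc/exports"},
    {"host": "web01", "user": "alice", "command_line": "tail -n 20 /etc/fstab"},
    {"host": "db02", "user": "root", "command_line": "grep -i nfs /etc/fstab"},
    {"host": "db02", "user": "root", "command_line": "/usr/bin/cat /etc/hosts"},
    {"host": "db02", "user": "svc", "command_line": "vim /etc/fstab"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[mount discovery] host={hit['host']} user={hit['user']} cmd={hit['command_line']!r}")
```

The first three sample events match and the last two do not; in production the same check would be expressed as an EQL process query and tuned to exclude known administrative tooling.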
Categories
  • Linux
  • Endpoint
Data Sources
  • File
  • Process
  • Application Log
ATT&CK Techniques
  • T1082
Created: 2025-04-25