SSH Authorized Keys File Deletion

Elastic Detection Rules

Summary
This rule detects the unauthorized deletion of SSH authorized keys files, specifically 'authorized_keys' and 'authorized_keys2', on Linux systems. These files are central to SSH authentication: they store the public keys that permit a user to log in. Deleting them may indicate malicious activity, such as an attacker attempting to remove access or to cover their tracks after an intrusion. The rule is written in EQL (Event Query Language) and applies to endpoints running the Elastic Defend integration. It matches file deletion events for these paths while excluding a set of processes whose deletions would suggest legitimate operations. The rule is mapped to the MITRE ATT&CK framework under indicator removal and defense evasion.
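As an added illustration (not the rule's own EQL query, which this page does not reproduce), the following Python approximation of the described logic runs over constructed sample events. The simplified Elastic-style field names and the allowlist of benign processes are assumptions, not taken from the rule.

```python
# Added illustration of the detection logic described above; not Elastic's rule.
from fnmatch import fnmatch

# The two files the rule watches, under any user's ~/.ssh directory.
KEY_FILE_PATTERNS = ("*/.ssh/authorized_keys", "*/.ssh/authorized_keys2")

# Assumed (hypothetical) allowlist of processes whose deletions are treated as
# legitimate; the rule's real exclusion list is not shown on this page.
BENIGN_PROCESSES = {"dpkg", "rpm", "yum", "apt"}


def matches_key_file(path):
    """True when the path is an authorized_keys or authorized_keys2 file."""
    return any(fnmatch(path, pattern) for pattern in KEY_FILE_PATTERNS)


def is_suspicious_deletion(event):
    """True for a deletion of an SSH authorized keys file by a process that is
    not on the benign allowlist (the three conditions the summary describes)."""
    if event.get("event.action") != "deletion":
        return False
    if not matches_key_file(event.get("file.path", "")):
        return False
    return event.get("process.name") not in BENIGN_PROCESSES


def find_alerts(events):
    """Return the subset of events that would trigger the rule."""
    return [event for event in events if is_suspicious_deletion(event)]


# Constructed sample events in a simplified Elastic-style field layout.
SAMPLE_EVENTS = [
    {"event.action": "deletion", "file.path": "/home/alice/.ssh/authorized_keys", "process.name": "rm"},
    {"event.action": "deletion", "file.path": "/root/.ssh/authorized_keys2", "process.name": "bash"},
    {"event.action": "deletion", "file.path": "/home/bob/.ssh/authorized_keys", "process.name": "dpkg"},
    {"event.action": "creation", "file.path": "/home/bob/.ssh/authorized_keys", "process.name": "ssh-keygen"},
    {"event.action": "deletion", "file.path": "/home/bob/.ssh/known_hosts", "process.name": "rm"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {alert['process.name']} deleted {alert['file.path']}")
```

Only the first two sample events fire: the dpkg deletion is allowlisted, the creation is not a deletion, and known_hosts is not a watched file.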
Categories
  • Linux
  • Endpoint
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1070
  • T1070.004
Created: 2025-02-21