The 'Suspicious Git Clone - Linux' rule aims to identify potentially malicious activity related to the 'git clone' command in Linux environments. This detection works by monitoring process creation events and filtering those that involve the 'git' binary along with specific command-line arguments. Specifically, it looks for instances where the command line includes the term 'clone', which typically indicates the cloning of a remote repository. The rule expands its focus to also include suspicious keywords associated with vulnerabilities and exploits, such as 'exploit', 'CVE-', and common exploit names (e.g., 'log4shell', 'eternalblue'). The presence of these keywords suggests potential reconnaissance or attacks by threat actors using git to obtain malicious code. The rule is applicable in situations where detecting unauthorized repository cloning is critical for security, particularly within DevOps and cloud-native environments. The defined conditions ensure that only relevant and concerning activities trigger alerts, reducing false positives and allowing security teams to focus on genuine threats.