
Teleport Scheduled Jobs

Panther Rules

Summary
This Panther detection rule flags manual edits of the Linux crontab by users in SSH sessions recorded by Gravitational's Teleport. It matches Teleport session command events in which `crontab` is invoked with the `-e` flag, which opens the calling user's crontab in an editor. `crontab` is the scheduling utility for running tasks at set times on UNIX-like systems, so an unexpected edit can indicate persistence by an attacker or an unreviewed configuration change. The rule carries medium severity and fires once 10 matching events are seen within its 15-minute deduplication period, so a single edit does not alert on its own. It maps to MITRE ATT&CK T1053 (Scheduled Task/Job). Two caveats for tuning: because the match is on the command line rather than on the resulting file, `crontab -e` fires whether or not the user saves anything, and edits made by other routes (`crontab <file>`, or writing directly under `/etc/cron.d` or `/var/spool/cron`) are not matched. When the rule fires, the runbook is to validate the user's behavior and rotate the affected host if necessary.
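The detection logic described above, run over a constructed sample log, as an added example that is not the Panther rule's own source. The event field names (`event`, `path`, `program`, `argv`, `user`, `server_hostname`, `time`) are assumed from the shape of Teleport's `session.command` (T4000I) audit event, and the threshold/dedup replay in `evaluate` is a simplified stand-in for Panther's alerting pipeline, not Panther's implementation.

```python
"""crontab -e detection over Teleport session.command audit events.

Added example, not the Panther rule's source. Field names are assumed from
Teleport's session.command (T4000I) event; evaluate() is a simplified
model of Panther's threshold/dedup behaviour.
"""
import json
import os
from datetime import datetime, timedelta, timezone

THRESHOLD = 10                        # matches needed before an alert fires
DEDUP_PERIOD = timedelta(minutes=15)  # window over which matches are counted


def rule(event):
    """True when a Teleport session.command event is `crontab -e`.

    Only the -e flag is matched, so `crontab -l` does not fire, and neither
    do edits made via `crontab <file>` or by writing to /etc/cron.d.
    """
    if event.get("event") != "session.command":
        return False
    # Compare the basename so /usr/bin/crontab and /bin/crontab both match.
    if os.path.basename(event.get("path", "")) != "crontab":
        return False
    return "-e" in event.get("argv", [])


def dedup(event):
    """Group matches per Teleport user and host (a Panther-style dedup string)."""
    user = event.get("user", "<UNKNOWN_USER>")
    host = event.get("server_hostname", event.get("server_id", "<UNKNOWN_HOST>"))
    return f"{user}@{host}"


def title(event):
    return f"Teleport user [{dedup(event)}] edited the crontab with `crontab -e`"


def parse_time(stamp):
    # Teleport writes RFC 3339 with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(events, threshold=THRESHOLD, period=DEDUP_PERIOD):
    """Replay events in time order; fire once per dedup key when `threshold`
    matches land inside one `period`-long window."""
    windows = {}  # dedup key -> (window_start, match_count)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if not rule(ev):
            continue
        ts = parse_time(ev["time"])
        key = dedup(ev)
        start, count = windows.get(key, (ts, 0))
        if ts - start > period:  # window expired: start a fresh one
            start, count = ts, 0
        count += 1
        windows[key] = (start, count)
        if count == threshold:   # fire exactly once per window
            alerts.append({"dedup": key, "title": title(ev),
                           "fired_at": ts.isoformat()})
    return alerts


# Constructed sample log (not real Teleport output), as JSON lines.
_BASE = datetime(2022, 9, 2, 12, 0, tzinfo=timezone.utc)


def _event(user, host, argv, minute, path="/usr/bin/crontab"):
    return {
        "event": "session.command", "code": "T4000I", "user": user,
        "login": "root", "server_hostname": host, "path": path,
        "program": os.path.basename(path), "argv": argv, "return_code": 0,
        "time": (_BASE + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


SAMPLE_JSONL = "\n".join(json.dumps(e) for e in (
    [_event("alice", "web-1", ["-e"], m) for m in range(10)]      # 10 edits in 10 min
    + [_event("bob", "web-1", ["-l"], 3)]                          # listing only
    + [_event("alice", "web-1", ["-e"], 4, path="/usr/bin/vim")]   # editor child, not crontab
    + [_event("mallory", "db-1", ["-e"], m) for m in (0, 20, 40)]  # one edit per window
))

if __name__ == "__main__":
    for alert in evaluate(load_jsonl(SAMPLE_JSONL)):
        print(alert["fired_at"], alert["title"])
```

Running the module prints one alert, for `alice@web-1` at 12:09, once her tenth `crontab -e` lands inside the 15-minute window; bob's `crontab -l`, the editor child process, and mallory's three edits spread across separate windows produce nothing. Lowering `threshold` to 1 in `evaluate` shows the other side of the trade-off: every edit then alerts, including each of mallory's.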
Categories
  • Linux
  • Endpoint
  • Cloud
Data Sources
  • Scheduled Job
  • Logon Session
ATT&CK Techniques
  • T1053 (Scheduled Task/Job)
  • T4000 (not an ATT&CK ID: this is Teleport's `session.command` audit event code, T4000I, the event type the rule matches on)
Created: 2022-09-02