
Summary
This detection rule monitors the creation of Polkit policy files on Linux systems, targeting adversarial behavior aimed at modifying authentication processes. Creating such policy files can grant unauthorized access or provide a persistence mechanism for attackers. The rule applies to Linux systems, is written in EQL, and focuses on the specific directories where these files typically reside. It is designed to minimize false positives by excluding known legitimate process executions associated with system maintenance, software installation, or container management. With a risk score of 21 it is rated low severity, and it addresses the persistence and credential access tactics of the MITRE ATT&CK framework.
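The shape of this rule, as an added Python illustration run over constructed file events; it is not the rule's own EQL. The Polkit directory list and the excluded process names are assumptions for the example, since the page names neither.

```python
# Added illustration of the rule's logic; not the rule's own EQL query.
# Directory list and process exclusions below are assumptions for this example.
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumed locations where Polkit rule/policy files live (not taken from the page).
POLKIT_DIRS = (
    "/etc/polkit-1/rules.d",
    "/usr/share/polkit-1/rules.d",
    "/etc/polkit-1/localauthority",
)

# Assumed legitimate writers: package managers, container tooling, init.
# The page does not list the real exclusions; these are illustrative only.
EXCLUDED_PROCESSES = frozenset({"dpkg", "rpm", "yum", "dnf", "apt", "dockerd", "systemd"})

@dataclass(frozen=True)
class FileEvent:
    action: str          # e.g. "creation", "modification", "deletion"
    path: str            # absolute path of the file
    process_name: str    # name of the process that performed the action

def in_polkit_dir(path: str) -> bool:
    """True when the path lies under any of the assumed Polkit directories (subdirs included)."""
    p = PurePosixPath(path)
    return any(p.is_relative_to(d) for d in POLKIT_DIRS)

def is_suspicious(event: FileEvent) -> bool:
    """Mirror the rule: a file creation in a Polkit directory by a non-excluded process."""
    return (
        event.action == "creation"
        and in_polkit_dir(event.path)
        and event.process_name not in EXCLUDED_PROCESSES
    )

def alert_paths(events):
    """Return the paths of events that would raise an alert."""
    return [e.path for e in events if is_suspicious(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("creation", "/etc/polkit-1/rules.d/99-custom.rules", "bash"),        # alert
    FileEvent("creation", "/usr/share/polkit-1/rules.d/50-default.rules", "dpkg"), # excluded process
    FileEvent("modification", "/etc/polkit-1/rules.d/10-udisks.rules", "vim"),     # not a creation
    FileEvent("creation", "/tmp/notes.rules", "bash"),                             # outside Polkit dirs
]

if __name__ == "__main__":
    for p in alert_paths(SAMPLE_EVENTS):
        print("ALERT: Polkit policy file created:", p)
```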
Categories
- Linux
- Endpoint
Data Sources
- File
- Process
- Application Log
ATT&CK Techniques
- T1543
- T1556
Created: 2025-01-16