LoFP / little to no false positives in most environments. tune as needed.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/lib/libseconf", "*.backup_ld.so", "*.boot.sh", "*.logpam", "*sshpass.txt", "*sshpass2.txt", "*/lib/libdsx.so", "*rkload", "*/lib/libseconf/local.txt", "*/lib/locate/local.txt", "*/var/log/remote.txt", "*/lib/libseconf/.pts", "*/lib/locate /.pts", "*/libseconf/.ports") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `linux_medusa_rootkit_filter`