diff --git a/rules/detection/low/linux.json b/rules/detection/low/linux.json
new file mode 100644
index 0000000..9d53d59
--- /dev/null
+++ b/rules/detection/low/linux.json
@@ -0,0 +1,8 @@
+[
+ {
+ "title": "Execution of SELinux Status Check Command",
+ "expression": "to_string(event.action) == 'executed' && (to_string(process.name) == 'sestatus' || contains(to_string(process.title), 'sestatus'))",
+ "severity": "low",
+ "type": "auditbeat"
+ }
+]
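Review bot: The `contains(to_string(process.title), 'sestatus')` clause in the "expression" value is a substring match over the whole command line, so any invocation that merely mentions the word (a `grep sestatus`, a `man sestatus`, a script whose path contains it) fires the rule in addition to the genuine `process.name == 'sestatus'` case, which for a low-severity discovery rule means a steady stream of benign admin noise. If the intent is to catch the binary run via a wrapper or full path, matching the executable token at the start of the title rather than any substring would keep the signal while cutting most of that noise. The rule also carries no description or reference to help whoever triages the alert understand why an SELinux status check matters; something like `"description": "sestatus was executed; enumerating SELinux status is a common reconnaissance step before attempts to weaken enforcement"` would do, assuming the rule schema accepts that key (the other rule files are not visible in this diff).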