← Library
splApache-2.0from splunk/security_content

Linux Auditd Auditd Service Stop

The following analytic detects the suspicious auditd service stop. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_auditd_service_stop.yml
`linux_auditd` type=SERVICE_STOP unit IN ("auditd")
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY type pid comm
       exe unit dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_auditd_service_stop_filter`