Linux Auditd Daemon Abort Detection
Severity: medium | Type: advisory | 2 rules, 1 TTP
Detects abnormal termination of the Linux audit daemon (auditd) via DAEMON_ABORT events. A DAEMON_ABORT record indicates that the auditing subsystem stopped unexpectedly, whether from resource exhaustion, corruption, or malicious interference; in every case host audit coverage has a gap from that point until the daemon is started again.
Platforms: Splunk Enterprise +3
Tags: auditd, linux, anomaly, endpoint
Linux Auditd Detects Firewall Modification or Disabling
Severity: high | Type: advisory | 3 rules, 1 TTP
Detects suspicious disabling or modification of the host firewall on Linux. Such activity can indicate unauthorized access or an attempt to maintain control of the system by removing its host-level protections.
Platforms: Splunk Enterprise +3
Tags: defense-evasion, persistence, privilege-escalation, firewall
Linux Auditd Daemon (Re)Initialization Detection
Severity: medium | Type: advisory | 3 rules, 1 TTP
Detects re-initialization events of the Linux audit daemon (auditd), i.e. DAEMON_START records after the daemon was already running. These can indicate an attempt to re-enable audit logging after evasion, or a restart with a modified rule set.
Platforms: Splunk Enterprise +4
Tags: linux, auditd, anomaly
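The three auditd analytics listed above share one parsing step: splitting audit.log records into type, timestamp, serial and key=value fields. The Python below is an added example, not code from this page or from Splunk's own detection content, that runs simplified versions of all three detections (DAEMON_ABORT, DAEMON_START re-initialization, and firewall tampering via EXECVE) over constructed sample records. The firewall tool and unit lists, the disabling keywords, the 300-second abort-to-restart window, and the sample log lines are assumptions for illustration, not the analytics' actual logic or data.

```python
"""Simplified auditd detections: DAEMON_ABORT, DAEMON_START re-initialisation,
and firewall disable/modify via EXECVE. Added example; not Splunk content."""
import re
from typing import List, Optional

# audit.log record layout: type=<T> msg=audit(<epoch.ms>:<serial>): k=v k=v ...
LINE_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ARG_KEY_RE = re.compile(r"^a\d+$")             # EXECVE argv fields a0, a1, ...
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")  # unquoted argv is hex-encoded by the kernel

# Illustrative allowlists (assumptions for this example, not the analytic's real lists).
FIREWALL_TOOLS = {"ufw", "iptables", "ip6tables", "nft", "firewall-cmd"}
FIREWALL_UNITS = {"firewalld", "ufw", "nftables", "iptables", "netfilter-persistent"}
DISABLING_WORDS = {"disable", "stop", "mask", "flush", "-F", "--flush", "-X", "--delete-chain"}

# Constructed sample records for the demo; no real host produced them.
SAMPLE_AUDIT_LOG = """\
type=DAEMON_START msg=audit(1700000000.100:1): op=start ver=3.0.9 format=enriched kernel=6.1.0 auid=4294967295 pid=812 uid=0 ses=4294967295 res=success
type=SYSCALL msg=audit(1700000100.200:57): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2345 auid=1000 uid=0 comm="ufw" exe="/usr/bin/python3" key="firewall"
type=EXECVE msg=audit(1700000100.200:57): argc=2 a0="ufw" a1="disable"
type=EXECVE msg=audit(1700000100.900:58): argc=3 a0="iptables" a1="-L" a2="-n"
type=DAEMON_ABORT msg=audit(1700000200.300:2): op=abort auid=4294967295 pid=812 uid=0 ses=4294967295 res=failed
type=DAEMON_START msg=audit(1700000260.400:1): op=start ver=3.0.9 format=enriched kernel=6.1.0 auid=4294967295 pid=990 uid=0 ses=4294967295 res=success
type=EXECVE msg=audit(1700000300.500:61): argc=3 a0="systemctl" a1="stop" a2="firewalld"
type=EXECVE msg=audit(1700000310.600:62): argc=2 a0="nft" a1=666C7573682072756C65736574
type=DAEMON_START msg=audit(1700000900.000:1): op=start ver=3.0.9 format=enriched kernel=6.1.0 auid=4294967295 pid=1020 uid=0 ses=4294967295 res=success
"""


def parse_audit_line(line: str) -> Optional[dict]:
    """Parse one audit.log record into a flat dict; None for lines that are not records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, raw in KV_RE.findall(m.group("body")):
        if raw.startswith('"'):
            rec[key] = raw.strip('"')
        elif rec["type"] == "EXECVE" and ARG_KEY_RE.match(key) and HEX_RE.match(raw):
            # EXECVE arguments containing spaces or control characters are logged
            # unquoted as hex; decode so "nft 'flush ruleset'" is not missed.
            rec[key] = bytes.fromhex(raw).decode("utf-8", errors="replace")
        else:
            rec[key] = raw
    return rec


def parse_audit_log(text: str) -> List[dict]:
    return [r for r in (parse_audit_line(ln) for ln in text.splitlines()) if r]


def find_daemon_aborts(events: List[dict]) -> List[dict]:
    """Every DAEMON_ABORT is a hit: audit coverage has a gap from here on."""
    return [e for e in events if e["type"] == "DAEMON_ABORT"]


def find_daemon_restarts(events: List[dict], gap_seconds: float = 300.0) -> List[dict]:
    """Any DAEMON_START after the first is a re-initialisation. Mark whether a
    DAEMON_ABORT preceded it within gap_seconds (crash recovery) or not (an
    explicit restart, e.g. after the rule set was edited)."""
    hits, seen_start, last_abort_ts = [], False, None
    for e in events:
        if e["type"] == "DAEMON_ABORT":
            last_abort_ts = e["ts"]
        elif e["type"] == "DAEMON_START":
            if seen_start:
                after_abort = last_abort_ts is not None and 0 <= e["ts"] - last_abort_ts <= gap_seconds
                hits.append({"serial": e["serial"], "ts": e["ts"], "pid": e.get("pid"),
                             "preceded_by_abort": after_abort})
            seen_start = True
    return hits


def is_firewall_tamper(e: dict) -> bool:
    """EXECVE of a firewall tool with a disabling/flushing verb, or systemctl
    stopping/disabling/masking a firewall unit. Read-only calls (iptables -L) pass."""
    if e["type"] != "EXECVE":
        return False
    argv = [e.get(f"a{i}", "") for i in range(int(e.get("argc", 0)))]
    if not argv:
        return False
    prog = argv[0].rsplit("/", 1)[-1]
    tokens = {t for a in argv[1:] for t in a.split()}
    if prog == "systemctl":
        return bool(tokens & {"stop", "disable", "mask"}) and bool(tokens & FIREWALL_UNITS)
    return prog in FIREWALL_TOOLS and bool(tokens & DISABLING_WORDS)


def run_detections(text: str) -> dict:
    events = parse_audit_log(text)
    return {
        "daemon_abort": find_daemon_aborts(events),
        "daemon_restart": find_daemon_restarts(events),
        "firewall_tamper": [e for e in events if is_firewall_tamper(e)],
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_AUDIT_LOG).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Two points carry over to the real analytics. First, DAEMON_ABORT and DAEMON_START are emitted by auditd itself, so they survive even when the rule set has been emptied; a restart with no abort shortly before it is the case worth triage, since it is consistent with someone stopping the daemon, editing rules and starting it again. Second, EXECVE arguments that contain whitespace are hex-encoded in audit.log; a search that only matches quoted argv values will miss `nft 'flush ruleset'` and similar invocations unless the collector decodes them.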