Unusual service stop events, termination of AV/EDR processes, registry modifications disabling security tools, and firewall/defender configuration changes. Correlate process creation with service stop requests and registry edits.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Service Creation (DC0060) | WinEventLog:System | EventCode=7045 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |

| Field | Description |
|---|---|
| ProcessWhitelist | Exclude authorized administrative tools that stop services during maintenance. |
| ServiceNamePatterns | Refine which services are considered security-critical (e.g., AV, EDR, firewall). |
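
Added example (not from the page or from ATT&CK): a Python correlator implementing the Windows analytic above over constructed events. It assumes events have been normalised to (timestamp, channel, code, fields) tuples and treats System EventCode 7036 (service state change) as the service-stop signal alongside the listed 4688 and Sysmon 12 sources; ProcessWhitelist and ServiceNamePatterns are the tunables it exposes.

```python
import re
from datetime import datetime, timedelta

# Tunables mirroring the analytic's mutable elements (values are constructed examples).
PROCESS_WHITELIST = {r"c:\program files\vendor\maintenance.exe"}
SERVICE_NAME_PATTERNS = re.compile(r"defender|firewall|sysmon|sense|edr", re.I)
SECURITY_REG_PATTERNS = re.compile(r"\\windows defender\\|\\windowsfirewall\\", re.I)
TIME_WINDOW = timedelta(minutes=5)

# Constructed sample events as (timestamp, channel, event_code, fields); the field names
# loosely follow Security 4688, System 7036 (service state change) and Sysmon 12.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "Security", 4688, {"NewProcessName": r"C:\Windows\System32\cmd.exe",
                                                "SubjectUserName": "jdoe"}),
    ("2024-05-01T10:00:05", "System", 7036, {"param1": "Windows Defender Antivirus Service",
                                              "param2": "stopped"}),
    ("2024-05-01T10:00:09", "Sysmon", 12, {"EventType": "CreateKey", "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"}),
    ("2024-05-01T11:30:00", "Security", 4688, {"NewProcessName": r"C:\Program Files\Vendor\maintenance.exe",
                                                "SubjectUserName": "SYSTEM"}),
    ("2024-05-01T11:30:02", "System", 7036, {"param1": "Windows Firewall", "param2": "stopped"}),
]

def impairs_defense(channel, code, f):
    """Classify a follow-on event as a security-service stop or a security registry edit."""
    if channel == "System" and code == 7036 and f.get("param2") == "stopped":
        return SERVICE_NAME_PATTERNS.search(f.get("param1", "")) is not None
    if channel == "Sysmon" and code in (12, 13):
        return SECURITY_REG_PATTERNS.search(f.get("TargetObject", "")) is not None
    return False

def correlate(events, window=TIME_WINDOW):
    """One alert per non-whitelisted process creation (4688) that is followed within
    `window` by at least one defense-impairing event; whitelisted images are skipped."""
    events = sorted(events, key=lambda e: e[0])
    alerts = []
    for i, (ts, channel, code, f) in enumerate(events):
        if channel != "Security" or code != 4688:
            continue
        image = f.get("NewProcessName", "")
        if image.lower() in PROCESS_WHITELIST:
            continue
        start = datetime.fromisoformat(ts)
        followups = [(c, k, g) for (t, c, k, g) in events[i + 1:]
                     if datetime.fromisoformat(t) - start <= window and impairs_defense(c, k, g)]
        if followups:
            alerts.append({"process": image, "user": f.get("SubjectUserName"), "followups": followups})
    return alerts
```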
Execution of commands that stop or kill processes associated with logging or security daemons (auditd, syslog, falco). Detect modifications to iptables or disabling SELinux/AppArmor enforcement. Correlate sudo/root context with abrupt service halts.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:EXECVE | systemctl stop auditd, kill -9 |
| Process Termination (DC0033) | auditd:SYSCALL | kill syscalls targeting logging/security processes |
| Firewall Rule Modification (DC0051) | linux:syslog | iptables or nftables rule changes |

| Field | Description |
|---|---|
| ServiceList | Adjust monitored security service names depending on host configuration. |
| TimeWindow | Correlate multiple kill/stop events in short succession. |
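
Added example, not part of the page: a Python parser for raw auditd SYSCALL/EXECVE records that implements the Linux analytic above, including hex-decoded EXECVE arguments and the sudo/root (euid 0) context check. ServiceList and the burst window are the tunables; the sample records are constructed.

```python
import re
from collections import defaultdict

SERVICE_LIST = {"auditd", "rsyslog", "syslog-ng", "falco", "apparmor", "firewalld"}  # ServiceList (constructed)
MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STOP_RE = re.compile(r"\b(?:systemctl\s+stop\s+(\S+)|service\s+(\S+)\s+stop"
                     r"|(?:pkill|killall)\s+(?:-\S+\s+)*(\S+))")

# Constructed auditd records from a sudo session (auid=1000, euid=0); a2 of event 201 is hex-encoded
# because auditd encodes arguments that contain spaces.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1714557600.101:201): syscall=59 success=yes uid=0 euid=0 auid=1000 comm="sh" exe="/usr/bin/dash"',
    'type=EXECVE msg=audit(1714557600.101:201): argc=3 a0="sh" a1="-c" a2=73797374656D63746C2073746F7020617564697464',
    'type=SYSCALL msg=audit(1714557615.300:202): syscall=59 success=yes uid=0 euid=0 auid=1000 comm="pkill" exe="/usr/bin/pkill"',
    'type=EXECVE msg=audit(1714557615.300:202): argc=3 a0="pkill" a1="-9" a2="falco"',
]

def decode_arg(v):
    """Quoted values are literal; unquoted EXECVE args are hex-encoded by auditd."""
    return v.strip('"') if v.startswith('"') else bytes.fromhex(v).decode("utf-8", "replace")

def parse_auditd(lines):
    """Join the SYSCALL and EXECVE records that share an audit event id."""
    events = defaultdict(lambda: {"ts": 0.0, "euid": -1, "argv": []})
    for m in filter(None, map(MSG_RE.match, lines)):
        rtype, ts, eid, body = m.groups()
        kv, ev = dict(KV_RE.findall(body)), events[eid]
        ev["ts"] = float(ts)
        if rtype == "SYSCALL":
            ev["euid"] = int(kv.get("euid", "-1"))
        elif rtype == "EXECVE":
            ev["argv"] = [decode_arg(kv.get(f"a{i}", '""')) for i in range(int(kv.get("argc", "0")))]
    return sorted((e for e in events.values() if e["argv"]), key=lambda e: e["ts"])

def stopped_service(argv):
    """Return the monitored service a command stops or kills, else None."""
    m = STOP_RE.search(" ".join(argv).lower())
    target = m and next(g for g in m.groups() if g).split(".")[0]
    return target if target in SERVICE_LIST else None

def detect(lines, window=60.0, min_events=2):
    """Alert when min_events or more root-context (euid 0) stop/kill commands land within window seconds."""
    hits = [(e["ts"], stopped_service(e["argv"]), " ".join(e["argv"]))
            for e in parse_auditd(lines) if e["euid"] == 0 and stopped_service(e["argv"])]
    for i, (t0, _, _) in enumerate(hits):
        burst = [h for h in hits[i:] if h[0] - t0 <= window]
        if len(burst) >= min_events:
            return {"start": t0, "services": [h[1] for h in burst], "commands": [h[2] for h in burst]}
    return None
```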
Execution of commands or APIs that disable Gatekeeper, XProtect, or system integrity protections. Detect configuration changes through unified logs. Monitor termination of system security daemons (e.g., syspolicyd).

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | spctl --master-disable, csrutil disable, or defaults write to disable Gatekeeper |
| Process Termination (DC0033) | macos:unifiedlog | Termination of syspolicyd or XProtect processes |

| Field | Description |
|---|---|
| AdminToolWhitelist | Developers may legitimately disable Gatekeeper; whitelist approved contexts. |
Modification of container runtime security profiles (AppArmor, seccomp) or removal of monitoring agents within containers. Detect unauthorized mounting/unmounting of host /proc or /sys to disable logging or auditing.

| Data Component | Name | Channel |
|---|---|---|
| Service Metadata (DC0041) | kubernetes:audit | seccomp or AppArmor profile changes |
| Process Termination (DC0033) | docker:runtime | Termination of monitoring sidecar or security container |

| Field | Description |
|---|---|
| RuntimeProfiles | Specify which security profiles should be monitored for modification. |
Unusual ESXi shell commands disabling syslog forwarding or stopping hostd/vpxa daemons. Detect modifications to firewall rules on the ESXi host or disabling of lockdown mode.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:shell | esxcli system syslog config set --loghost='' or stopping hostd service |
| Firewall Disable (DC0043) | esxi:vmkernel | Disabling or modifying firewall rules |

| Field | Description |
|---|---|
| LogDestination | Tune for environment-specific log forwarding hosts. |
Cloud control plane actions disabling security services (CloudTrail logging, GuardDuty, Security Hub). Detect IAM role abuse correlating with service disable events.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Disable (DC0090) | AWS:CloudTrail | StopLogging, DeleteTrail, or DisableSecurityService |

| Field | Description |
|---|---|
| ServiceScope | Specify which cloud services (logging, monitoring, threat detection) must never be disabled. |
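
Added example, not from the page: Python detection over constructed CloudTrail records for the cloud analytic above, resolving the acting IAM role behind AssumedRole sessions and treating GuardDuty UpdateDetector as a disable only when enable=false. The API names in SERVICE_SCOPE are real CloudTrail, GuardDuty and Security Hub actions; APPROVED_ROLES and the sample identities are assumptions.

```python
import json

# ServiceScope (constructed defaults): control-plane calls that turn protected services off.
SERVICE_SCOPE = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "securityhub.amazonaws.com": {"DisableSecurityHub", "BatchDisableStandards"},
}
APPROVED_ROLES = {"SecurityAutomationRole"}  # constructed: the only role expected to make such calls

# Constructed CloudTrail records, trimmed to the fields the logic reads.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "DevOpsRole"}}},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "SecurityAutomationRole"}}},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"detectorId": "12abc", "enable": True}},
    {"eventTime": "2024-05-01T10:07:42Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"type": "IAMUser", "userName": "jdoe"}, "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"name": "org-trail"}},
]})

def principal(identity):
    """The role behind an AssumedRole session, otherwise the user name or ARN."""
    if identity.get("type") == "AssumedRole":
        return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "?")
    return identity.get("userName") or identity.get("arn", "?")

def disables_service(rec):
    """In scope and actually switching a protection off (UpdateDetector only when enable=false)."""
    if rec.get("eventName") not in SERVICE_SCOPE.get(rec.get("eventSource", ""), ()):
        return False
    if rec["eventName"] == "UpdateDetector":
        return rec.get("requestParameters", {}).get("enable") is False
    return True

def detect(cloudtrail_json):
    """Findings for in-scope disable calls: unapproved principals are high severity, and
    denied attempts are still reported because they show intent against the control plane."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if not disables_service(rec):
            continue
        who = principal(rec["userIdentity"])
        findings.append({"time": rec["eventTime"], "action": f'{rec["eventSource"]}:{rec["eventName"]}',
                         "principal": who, "source_ip": rec.get("sourceIPAddress"),
                         "outcome": "denied" if rec.get("errorCode") else "succeeded",
                         "severity": "medium" if who in APPROVED_ROLES else "high"})
    return findings
```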
Changes to security configurations such as disabling MFA requirements, reducing session token lifetimes, or turning off risk-based policies. Correlate admin logins with sudden policy downgrades.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | azure:policy | DisableMfaPolicy or change to ConditionalAccess rules |

| Field | Description |
|---|---|
| PolicyList | Adjust for the critical identity provider security policies to monitor. |
Execution of commands disabling AAA, logging, or security features on routers/switches. Detect privilege escalation followed by config changes that disable defense mechanisms.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:syslog | no logging buffered, no aaa new-model, disable firewall |

| Field | Description |
|---|---|
| CommandPatterns | Customize destructive command list per vendor platform. |
Disabling of security macros or safe mode settings within Word/Excel/Outlook. Detect registry edits or configuration file changes that weaken macro enforcement.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | m365:unified | MacroSecuritySettingsChanged or SafeModeDisabled |

| Field | Description |
|---|---|
| ApplicationScope | Specify which Office applications are monitored for macro security configuration changes. |