Detects suspicious interactions with security products followed by service crashes, unexpected restarts, driver unloads, telemetry gaps, or tamper-state changes. Correlates exploit precursor behavior with immediate degradation of defensive services and follow-on process execution.

| Data Component | Name | Channel |
|---|---|---|
| Service Metadata (DC0041) | WinEventLog:System | EventCode=7035 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6 |

| Field | Description |
|---|---|
| CrashCorrelationWindow | Time between suspicious interaction and security service failure |
| ProtectedServiceList | Security agents/services expected to remain stable |
| TelemetryGapThreshold | Acceptable heartbeat silence duration |

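The Windows analytic above expressed as runnable correlation logic, added here as an example and not part of the original analytic or of any vendor product: a System 7035 control event for a service in ProtectedServiceList is matched to a preceding Sysmon process creation whose command line names that service (the "suspicious interaction") within CrashCorrelationWindow, and to follow-on processes spawned by that precursor, while a second function flags heartbeat silences longer than TelemetryGapThreshold. Service names, event shapes and the sample events are all constructed.

```python
from datetime import datetime, timedelta

# Tunable fields from the analytic; values and service names are constructed placeholders.
PROTECTED_SERVICE_LIST = {"SecurityAgentSvc", "EdrSensor"}
CRASH_CORRELATION_WINDOW = timedelta(seconds=60)
TELEMETRY_GAP_THRESHOLD = timedelta(minutes=5)
ZERO = timedelta(0)


def _t(s):
    """Parse the ISO-8601 timestamps used by the constructed events."""
    return datetime.fromisoformat(s)


# Constructed sample events, already normalized to one shape (not real log records).
EVENTS = [
    {"time": "2024-05-01T10:00:00", "source": "Sysmon", "code": 1, "pid": 4100,
     "image": "C:\\Users\\u\\tool.exe", "cmdline": "tool.exe --service EdrSensor"},
    {"time": "2024-05-01T10:00:20", "source": "System", "code": 7035,
     "service": "EdrSensor", "control": "stop"},
    {"time": "2024-05-01T10:00:35", "source": "Sysmon", "code": 1, "pid": 4188, "ppid": 4100,
     "image": "C:\\Windows\\Temp\\next.exe", "cmdline": "next.exe"},
    {"time": "2024-05-01T10:09:00", "source": "Sysmon", "code": 1, "pid": 900,
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def correlate(events, window=CRASH_CORRELATION_WINDOW, protected=PROTECTED_SERVICE_LIST):
    """Alert when a protected service receives a control/crash event (System 7035) that was
    preceded within `window` by a process referencing it, and list processes that the
    precursor spawned within `window` after the failure (the follow-on execution)."""
    events = sorted(events, key=lambda e: _t(e["time"]))
    alerts = []
    for ev in events:
        if ev["source"] != "System" or ev["code"] != 7035 or ev["service"] not in protected:
            continue
        t_fail = _t(ev["time"])
        precursors = [p for p in events if p["source"] == "Sysmon" and p["code"] == 1
                      and ZERO <= t_fail - _t(p["time"]) <= window
                      and ev["service"].lower() in p["cmdline"].lower()]
        if not precursors:
            continue  # a stop without a suspicious interaction is likely maintenance
        pids = {p["pid"] for p in precursors}
        followups = [f for f in events if f["source"] == "Sysmon" and f["code"] == 1
                     and ZERO < _t(f["time"]) - t_fail <= window and f.get("ppid") in pids]
        alerts.append({"service": ev["service"], "failed_at": ev["time"],
                       "precursor_pids": sorted(pids),
                       "followup_images": [f["image"] for f in followups]})
    return alerts


def telemetry_gaps(heartbeats, threshold=TELEMETRY_GAP_THRESHOLD):
    """Return (start, end) pairs of consecutive agent heartbeats separated by more than `threshold`."""
    times = sorted(_t(h) for h in heartbeats)
    return [(a.isoformat(), b.isoformat()) for a, b in zip(times, times[1:]) if b - a > threshold]
```

Feed both functions from a real event normalizer; the `cmdline` match is a deliberately simple stand-in for whatever "suspicious interaction" criteria the deployment uses.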
Detects exploitation attempts against security daemons or kernel security modules followed by daemon termination, disabled logging, module unload, audit stoppage, or reduced endpoint telemetry. Correlates local execution or network input with control degradation.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:EXECVE | execve, kill, ptrace, insmod, rmmod targeting security processes |
| Service Metadata (DC0041) | auditd:DAEMON | auditd stopped, config changed, logging suspended |

| Field | Description |
|---|---|
| ProtectedProcessNames | Names of EDR, audit, AV, firewall daemons |
| ModuleUnloadAllowlist | Approved maintenance unload operations |
| HealthGapThreshold | Expected telemetry heartbeat tolerance |

Detects exploitation or abuse of SaaS security workflows resulting in disabled alerts, reduced retention, bypassed enforcement, role escalation, or tokenized persistence that weakens monitoring. Correlates unusual admin/API activity with visibility reduction.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:okta | policy.rule.update;system.log.disable;admin.role.assign |
| Application Log Content (DC0038) | m365:unified | Set-AdminAuditLogConfig;New-ApplicationAccessPolicy;ConsentToApplication |

| Field | Description |
|---|---|
| PrivilegedActorAllowlist | Approved admins allowed to change controls |
| RetentionChangeThreshold | Minimum acceptable logging retention |

Detects crafted activity resulting in crashes or impairment of endpoint security extensions, network filters, launch daemons, or telemetry agents. Correlates process activity, system extension state changes, and telemetry interruption.

| Data Component | Name | Channel |
|---|---|---|
| Process Metadata (DC0034) | macos:unifiedlog | Crash or abnormal termination of security agent or system extension host |
| Driver Metadata (DC0074) | macos:unifiedlog | Extension disabled, unloaded, failed to start |
| Network Traffic Content (DC0085) | NSM:Flow | Traffic spike preceding control crash |

| Field | Description |
|---|---|
| ExtensionList | Protected security system extensions |
| CrashBurstThreshold | Multiple failures in short interval |

Detects exploitation of cloud-native security boundaries or management components followed by disabled logging, detached agents, changed security groups, policy bypass, or telemetry suppression. Correlates suspicious API activity with reduced control coverage.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Disable (DC0090) | AWS:CloudTrail | StopLogging, DeleteTrail, or DisableSecurityService |
| Instance Modification (DC0073) | AWS:CloudTrail | ModifyInstanceAttribute |
| Firewall Rule Modification (DC0051) | AWS:CloudTrail | AuthorizeSecurityGroupIngress |

| Field | Description |
|---|---|
| CriticalTrailList | Audit trails that must remain enabled |
| ControlChangeWindow | Time after suspicious API sequence to inspect coverage loss |