Attempt to Disable Syslog Serviceedit

Identifies attempts to disable the syslog service, a technique adversaries can use to disrupt event logging and evade detection by security controls.

Rule type: query

Rule indices:

  • auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

  • Elastic
  • Linux

Version: 1

Added (Elastic Stack release): 7.8.0

Rule queryedit

event.action:(executed or process_started) and ((process.name:service
and process.args:stop) or (process.name:chkconfig and
process.args:off) or (process.name:systemctl and process.args:(disable
or stop or kill))) and process.args:(syslog or rsyslog or "syslog-ng")

Threat mappingedit

Framework: MITRE ATT&CKTM