diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index 206c9a490..8f812b387 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
@@ -1,34 +1,97 @@
+action: global
 title: Disabling Security Tools
 id: e3a8a052-111f-4606-9aee-f28ebeb76776
 status: experimental
 description: Detects disabling security tools
-author: Ömer Günal
+author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020/06/17
 references:
-  - https://attack.mitre.org/techniques/T1089/
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
-logsource:
-  product: linux
-detection:
-  keywords:
-    - Command|contains:
-      - 'service iptables stop'
-      - 'chkconfig off iptables'
-      - 'service ip6tables stop'
-      - 'chkconfig off ip6tables'
-    - CarbonBlack|contains:
-      - 'service cbdaemon stop'
-      - 'chkconfig off cbdaemon'
-      - 'systemctl stop cbdaemon'
-      - 'systemctl disable cbdaemon'
-    - SELinux:
-      - 'setenforce 0'
-    - Crowdstrike|contains:
-      - 'systemctl stop falcon-sensor.service'
-      - 'systemctl disable falcon-sensor.service'
-  condition: keywords
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
 falsepositives:
   - Legitimate administration activities
 level: medium
 tags:
-  - attack.defense_evasion
\ No newline at end of file
+  - attack.defense_evasion
+  - attack.t1562.004
+  - attack.t1089
+---
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  iptables_1:
+    ProcessName|endswith: '/service'
+    CommandLine|contains|all:
+      - 'iptables'
+      - 'stop'
+  iptables_2:
+    ProcessName|endswith: '/service'
+    CommandLine|contains|all:
+      - 'ip6tables'
+      - 'stop'
+  iptables_3:
+    ProcessName|endswith: '/chkconfig'
+    CommandLine|contains|all:
+      - 'iptables'
+      - 'stop'
+  iptables_4:
+    ProcessName|endswith: '/chkconfig'
+    CommandLine|contains|all:
+      - 'ip6tables'
+      - 'stop'
+  firewall_1:
+    ProcessName|endswith: '/systemctl'
+    CommandLine|contains|all:
+      - 'firewalld'
+      - 'stop'
+  firewall_2:
+    ProcessName|endswith: '/systemctl'
+    CommandLine|contains|all:
+      - 'firewalld'
+      - 'disable'
+  carbonblack_1:
+    ProcessName|endswith: '/service'
+    CommandLine|contains|all:
+      - 'cbdaemon'
+      - 'stop'
+  carbonblack_2:
+    ProcessName|endswith: '/chkconfig'
+    CommandLine|contains|all:
+      - 'cbdaemon'
+      - 'off'
+  carbonblack_3:
+    ProcessName|endswith: '/systemctl'
+    CommandLine|contains|all:
+      - 'cbdaemon'
+      - 'stop'
+  carbonblack_4:
+    ProcessName|endswith: '/systemctl'
+    CommandLine|contains|all:
+      - 'cbdaemon'
+      - 'disable'
+  selinux:
+    ProcessName|endswith: '/setenforce'
+    CommandLine|contains: '0'
+  crowdstrike_1:
+    ProcessName|endswith: '/systemctl'
+    CommandLine|contains|all:
+      - 'stop'
+      - 'falcon-sensor'
+  crowdstrike_2:
+    ProcessName|endswith: '/systemctl'
+    CommandLine|contains|all:
+      - 'disable'
+      - 'falcon-sensor'
+  condition: 1 of them
+---
+logsource:
+  product: linux
+  service: syslog
+detection:
+  keywords:
+    - '*stopping iptables*'
+    - '*stopping ip6tables*'
+    - '*stopping firewalld*'
+    - '*stopping cbdaemon*'
+    - '*stopping falcon-sensor*'
+  condition: keywords
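Review bot: The `iptables_3` and `iptables_4` selections pair `ProcessName|endswith: '/chkconfig'` with `CommandLine|contains|all: ['iptables', 'stop']`, but chkconfig disables a service with `off`, not `stop` — the rule's own removed keywords were `chkconfig off iptables` / `chkconfig off ip6tables`, and `carbonblack_2` correctly uses `'off'` for the same tool — so these two selections can never match and the chkconfig path for the firewall is silently lost. Change the second list item in both selections from `- 'stop'` to `- 'off'`. Separately, the `selinux` selection only matches `setenforce 0` via `CommandLine|contains: '0'`; `setenforce Permissive` has the same effect and is missed, so consider making that field a list with `'0'` and `'Permissive'` (Sigma ORs the values), noting that `contains: '0'` would also fire on any argument that merely contains a zero. The `firewall_*` selections are a welcome addition, but a brief comment in the description noting which agent/tool each selection family covers would make the `1 of them` condition easier to tune when an analyst needs to suppress one product.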