From 87e5fc48fa437f3b98a8a55602e48b38566a46be Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 14 Sep 2021 19:32:58 +0200
Subject: [PATCH] split global lnx_security_tools_disabling.yml
---
 rules/linux/lnx_security_tools_disabling.yml | 24 ++++-----------
 .../lnx_security_tools_disabling_syslog.yml | 30 +++++++++++++++++++
 2 files changed, 35 insertions(+), 19 deletions(-)
 create mode 100644 rules/linux/lnx_security_tools_disabling_syslog.yml
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index a51eade74..b8e5b816b 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
@@ -1,20 +1,16 @@
-action: global
 title: Disabling Security Tools
+id: e3a8a052-111f-4606-9aee-f28ebeb76776
 status: experimental
 description: Detects disabling security tools
 author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020/06/17
+modified: 2021/09/14
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
-falsepositives:
- - Legitimate administration activities
-level: medium
 tags:
 - attack.defense_evasion
 - attack.t1562.004
 - attack.t1089 # an old one
----
-id: e3a8a052-111f-4606-9aee-f28ebeb76776
 logsource:
 category: process_creation
 product: linux
@@ -83,16 +79,6 @@ detection:
 - 'disable'
 - 'falcon-sensor'
 condition: 1 of them
----
-id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
-logsource:
- product: linux
- service: syslog
-detection:
- keywords:
- - '*stopping iptables*'
- - '*stopping ip6tables*'
- - '*stopping firewalld*'
- - '*stopping cbdaemon*'
- - '*stopping falcon-sensor*'
- condition: keywords
+falsepositives:
+ - Legitimate administration activities
+level: medium
\ No newline at end of file
diff --git a/rules/linux/lnx_security_tools_disabling_syslog.yml b/rules/linux/lnx_security_tools_disabling_syslog.yml
new file mode 100644
index 000000000..655b9528e
--- /dev/null
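Review bot: The rewritten file ends without a trailing newline — the `\ No newline at end of file` marker follows the added `+level: medium` in the second hunk — and the new file lnx_security_tools_disabling_syslog.yml in the next hunk has the same problem after its own `+level: medium`. yamllint's `new-line-at-end-of-file` check flags this, and it guarantees a spurious last-line diff on the next edit of either rule. Terminate both files with a single newline after `level: medium`. The `detection:` block of the second hunk starts before the hunk, so only its last three selection lines are visible here.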
+++ b/rules/linux/lnx_security_tools_disabling_syslog.yml
@@ -0,0 +1,30 @@
+title: Disabling Security Tools
+id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
+related:
+ - id: e3a8a052-111f-4606-9aee-f28ebeb76776
+ type: derived
+status: experimental
+description: Detects disabling security tools
+author: Ömer Günal, Alejandro Ortuno, oscd.community
+date: 2020/06/17
+modified: 2021/09/14
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
+ - attack.t1089 # an old one
+logsource:
+ product: linux
+ service: syslog
+detection:
+ keywords:
+ - '*stopping iptables*'
+ - '*stopping ip6tables*'
+ - '*stopping firewalld*'
+ - '*stopping cbdaemon*'
+ - '*stopping falcon-sensor*'
+ condition: keywords
+falsepositives:
+ - Legitimate administration activities
+level: medium
\ No newline at end of file
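Review bot: `title` and `description` are copied verbatim from the process_creation rule, so two rules with different ids and logsources now produce identically named alerts, and an analyst cannot tell from the alert name whether a process execution or a syslog "stopping" line was matched. Give the split-off rule a distinguishing title and a description that names its evidence, e.g. `title: Disabling Security Tools - Syslog` and `description: Detects syslog messages reporting that a security service (iptables, ip6tables, firewalld, cbdaemon, falcon-sensor) is being stopped`. The `related` entry pointing at e3a8a052-111f-4606-9aee-f28ebeb76776 is the right way to keep the lineage visible once the titles differ.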