[Rule Tuning] Elastic Agent Service Terminated (#5272)

* rule-tuning: Elastic Agent service termination improve for detection * [Rule Tuning]: Elastic Agent Service terminated, updated date field * Enhance detection rules for stopping Elastic Agent * Fix syntax for process name checks in TOML file --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-11-12 12:34:34 +01:00
parent 7dac1ee803
commit 21217e5536
1 changed files with 5 additions and 5 deletions
@@ -2,7 +2,7 @@
 creation_date = "2022/05/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/04"

 [rule]
 author = ["Elastic"]
@@ -50,12 +50,12 @@ process where
 or
 /* service or systemctl used to stop Elastic Agent on Linux */
 (event.type == "end" and
-  (process.name : ("systemctl", "service") and
-    process.args : "elastic-agent" and
-    process.args : ("stop", "disable"))
+  (process.name in ("systemctl", "service", "chkconfig", "update-rc.d") and
+    process.args : ("elastic-agent", "elastic-agent.service") and
+    process.args : ("stop", "disable", "remove", "off", "kill", "mask"))
  or
  /* pkill , killall used to stop Elastic Agent on Linux */
-  ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent")
+  ( event.type == "end" and process.name in ("pkill", "killall", "kill") and process.args: "elastic-agent")
  or
  /* Unload Elastic Agent extension on MacOS */
  (process.name : "kextunload" and