[Rule Tuning] Potential Disabling of AppArmor - Restore AppArmor service filters (#5574)

ailiffa
2026-01-19 06:19:24 -06:00
committed by GitHub
parent 58b0d8e553
commit e459d8c25a
@@ -2,7 +2,7 @@
creation_date = "2023/08/28"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/12/17"
updated_date = "2026/01/18"
[rule]
author = ["Elastic"]
@@ -104,10 +104,10 @@ query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
(
(process.name == "service" and process.args == "stop") or
(process.name == "chkconfig" and process.args == "off") or
(process.name == "update-rc.d" and process.args in ("remove", "disable")) or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask")) or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask") and process.args in ("apparmor", "apparmor.service")) or
(process.name == "service" and process.args == "apparmor" and process.args == "stop") or
(process.name == "chkconfig" and process.args == "apparmor" and process.args == "off") or
(process.name == "update-rc.d" and process.args == "apparmor" and process.args in ("remove", "disable")) or
(process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/")
) and
not ?process.parent.executable == "/opt/puppetlabs/puppet/bin/ruby"
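Review bot: The `ln` clause on the last pattern line before `) and` compares the second argument with `==` against the exact string `/etc/apparmor.d/disable/`, so an invocation whose link target is written as a full path beneath that directory (the directory plus the profile name) would not match the rule. A wildcard comparison, `process.args : "/etc/apparmor.d/disable/*"`, would cover both spellings, provided EQL's `*` matches the empty string as I believe it does; note also that the first term `process.args : "/etc/apparmor.d/*"` is already satisfied by the destination path itself, so it does not by itself establish that a profile file is the link source. Whether this line is newly added or carried over from the previous version cannot be told from the rendered hunk, but it is on the new side either way. The `query = '''` string edited here closes outside the hunk.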