Question Analysis

DeviceProcessEvents | where ProcessCommandLine contains "auditctl -D" | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains 'auditctl' | project ProcessCommandLine, ProcessCreationTime, DeviceName

DeviceProcessEvents | where ProcessCommandLine has 'auditctl -D' | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | distinct ProcessCommandLine

DeviceProcessEvents | where (tolower(ProcessCommandLine) contains "auditctl" and ProcessCommandLine contains "-D") or (tolower(ProcessCommandLine) contains "augenrules" and ProcessCommandLine contains "--remove") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | order by TimeGenerated desc

// Remove redundant wildcards for efficiency. let auditRemovalCommands = dynamic(['-d erase', '-d= erase', '--delete-all', 'delete', '-D']); DeviceProcessEvents | where ProcessCommandLine contains "auditctl" | where ProcessCommandLine has_any(auditRemovalCommands) | project-reorder AccountName, DeviceName, ProcessCommandLine | limit 100 | extend hostname = tostring(split(DeviceName, ".")[0]) | extend local_account = tostring(split(AccountName, "@")[0]) | extend domain = tostring(split(AccountName, "@")[1])

DeviceProcessEvents | where ProcessCommandLine has_any ("auditctl -D", "auditctl --remove-all-rules", "auditctl --delete-all-rules", "auditctl -d") | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessId, ProcessCommandLine, ProcessId | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has_any ("auditctl -D", "auditctl")

let linuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | summarize arg_max(TimeGenerated, *) by DeviceId | project DeviceId; DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in (linuxDevices) | where FileName =~ "auditctl" or ProcessCommandLine has "auditctl" | where ProcessCommandLine contains_cs " -D" or ProcessCommandLine contains "--delete_rules" | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, FullCommand=ProcessCommandLine, ParentProcess=InitiatingProcessParentFileName, ParentCommand=InitiatingProcessCommandLine, InitiatingProcessId, ReportId | order by TimeGenerated asc

union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents | extend FullCommand = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) // Keep records that either have a commandline or touch audit-related paths/files | where isnotempty(FullCommand) or (tolower(FileName) contains "audit" or tostring(FolderPath) contains "/etc/audit") // Look for common ways rules might be removed/reset | where ( FullCommand matches regex "(?i)\\bauditctl\\b.*\\b(-D|--delete-all)\\b" or FullCommand matches regex "(?i)\\baugenrules\\b.*\\b(--load|--replace)\\b" or FullCommand matches regex "(?i)\\b(systemctl|service)\\b.*\\bauditd\\b.*\\b(restart|reload|stop|start)\\b" or FullCommand matches regex "(?i)\\brm\\b.*(/etc/audit|/etc/audit/rules.d|/etc/audit/audit.rules)" or FullCommand matches regex "(?i)\\btruncate\\b.*(/etc/audit|/etc/audit/audit.rules|/etc/audit/rules.d)" or FullCommand matches regex "(?i)\\b(cp|mv)\\b.*(/dev/null|/etc/audit|/etc/audit/audit.rules|/etc/audit/rules.d)" or FullCommand matches regex "(?i)\\b(cat|echo)\\b.*(/dev/null|/etc/audit|audit.rules|rules.d)" or (tolower(FileName) contains "audit.rules") or (tolower(tostring(FolderPath)) contains "/etc/audit") ) // Provide useful context to verify the exact invocation | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, FolderPath, ProcessId, ProcessCreationTime, FullCommand, ActionType, ReportId | sort by TimeGenerated desc // Deduplicate similar results, returning the most recent instance for each FullCommand + device | summarize LatestTime = max(TimeGenerated) by FullCommand, DeviceName, AccountName, InitiatingProcessAccountName, FileName, FolderPath, ProcessId, ProcessCreationTime, ActionType, ReportId | sort by LatestTime desc | take 100

// Find exact auditctl delete-all and broader audit-rule clearing activity let sources = union DeviceProcessEvents, DeviceEvents; sources | extend cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where isnotempty(cmd) | extend cmd_l = tolower(cmd) // exact auditctl -D or --delete-all (match -D or --delete-all) | extend is_exact_delete = cmd_l has "auditctl" and (cmd_l has "-d" or cmd_l has "--delete-all") // broader heuristics: manipulations of audit rules files or restarting/stopping auditd | extend is_heuristic = ( cmd_l has "auditctl" or cmd_l has "augenrules" or cmd_l has "audit.rules" or cmd_l has "/etc/audit" or (cmd_l has "truncate" and cmd_l has "audit") or (cmd_l has "rm" and cmd_l has "/etc/audit") or (cmd_l has "tee" and cmd_l has "/etc/audit") or (cmd_l has "cp" and cmd_l has "audit.rules") or (cmd_l has "mv" and cmd_l has "audit.rules") or (cmd_l has "> /etc/audit" ) or (cmd_l has ">/etc/audit" ) or (cmd_l matches regex "\\b(systemctl|service)\\b.*\\bauditd\\b") ) | where is_exact_delete or is_heuristic | project TimeGenerated, DeviceName, Account = coalesce(AccountName, InitiatingProcessAccountName, InitiatingProcessAccountName), InitiatingProcessFileName, ProcessId, ParentProcessId = coalesce(InitiatingProcessParentId, InitiatingProcessParentId), Command = cmd, CommandLower = cmd_l, is_exact_delete, is_heuristic, ReportId, _ResourceId | sort by TimeGenerated desc | take 500

let candidates = union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents | extend CommandLine = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, ProcessCommandLine)) | where isnotempty(CommandLine) | where CommandLine matches regex @"(?i)(\bauditctl\b.*\b(-D|--delete-all)\b)|(\b(systemctl|service)\b\s+(stop|disable|restart)\s+auditd\b)|(\brm\b.*\b(/etc/audit(?:/|\b)|/etc/audit/audit.rules|/etc/audit/rules.d))|(\btruncate\b.*\b/etc/audit(?:/|\b)|/etc/audit/audit.rules)|((>|:\>)\s*/etc/audit/audit.rules\b)|(\becho\b.*(>\s*/etc/audit/audit.rules|>\s*/etc/audit/rules.d))|(\bcp\b\s+/dev/null\s+/etc/audit/audit.rules)" | extend EventTime = coalesce(TimeGenerated, Timestamp, ProcessCreationTime, InitiatingProcessCreationTime) | extend User = tostring(coalesce(InitiatingProcessAccountName, AccountName, RequestAccountName, InitiatingProcessAccountName)); // Detailed matching events (shows the full command executed) candidates | project EventTime, DeviceName, DeviceId, User, InitiatingProcessFileName, FileName, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessParentId, CommandLine, SourceSystem, ReportId | sort by EventTime desc | limit 200 // Summary of unique full commands that matched ; candidates | summarize Events = count(), FirstSeen = min(EventTime), LastSeen = max(EventTime) by CommandLine, DeviceName, User | sort by LastSeen desc | limit 100

let TimeRangeStart = ago(1d); let TimeRangeEnd = now(); DeviceProcessEvents | where TimeGenerated between (TimeRangeStart .. TimeRangeEnd) | where (InitiatingProcessCommandLine contains "auditctl" or InitiatingProcessFileName contains "auditctl" or ProcessCommandLine contains "auditctl" or InitiatingProcessCommandLine contains "auditd" or InitiatingProcessFileName contains "auditd" or ProcessCommandLine contains "auditd") | extend CmdLine = strcat(coalesce(InitiatingProcessCommandLine, ''), ' ', coalesce(ProcessCommandLine, '')) | where CmdLine contains "-D" or CmdLine contains "-e 0" or CmdLine contains "auditctl -D" or CmdLine contains "auditctl -e 0" | project TimeGenerated, InitiatingProcessCreationTime, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessFileName, ProcessCommandLine, CmdLine, SourceSystem, TenantId, _ResourceId

DeviceProcessEvents | where ProcessCommandLine contains "auditctl" and ProcessCommandLine contains "-D" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc

DeviceProcessEvents | where ProcessCommandLine contains "auditctl" and ProcessCommandLine contains "-D" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "auditctl" | where ProcessCommandLine has_any("-D", "--delete-rules") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "auditctl" | where ProcessCommandLine has_any ("-D", "--delete-rules") | order by TimeGenerated desc | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine

// Find Linux processes that wiped auditd rules (e.g. "auditctl -D") let linux_devices = DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId, DeviceName; DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=inner (linux_devices) on DeviceId | where FileName =~ "auditctl" // look for any of the arguments that delete or flush rules (-D, --delete, --flush) | where ProcessCommandLine has_any (" -D", " --delete", " --flush", " --init") | project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256, InitiatingProcessSHA256 | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "auditctl" and ProcessCommandLine has "-D" | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessCommandLine has 'auditctl' and InitiatingProcessCommandLine has '-D' | project TimeGenerated, DeviceName, InitiatingProcessCommandLine | order by TimeGenerated desc