Question Analysis
On a Linux host, auditing has been turned off. Review process execution or syslog data to determine which command was executed to disable the audit subsystem.
7906f0a6-b527-46ee-9026-6e81a9184e08
Question ID
16/23
Models Correct
1
Valid Answer
70%
Success Rate
Reference Answer
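Human-validated correct answer for this question. auditctl -e 0 sets the kernel audit enabled flag to 0, so audit events stop being generated even if the auditd service is still running; a detection that only watches for the service being stopped or killed will not see it.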
auditctl -e 0
Model Performance Comparison
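See how different AI models performed on this question. Status appears to grade the reported answer against the reference answer rather than the quality of the query: rows answering only "auditctl" are marked Correct, and one Correct query's pattern list includes "auditctl -e 1", which enables auditing. Review each query on its own merits before reusing it as a detection.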
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | auditctl -e 0 | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_any ("auditctl -e 0", "systemctl stop auditd", "service auditd stop", "killall auditd", "pkill auditd")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName | Correct | 1 | 10.69s | 0.0053 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0111 |
gpt-4-turbo-2024-04-09 | auditctl -e 0 | DeviceProcessEvents
| where InitiatingProcessCommandLine contains 'auditctl -e 0'
or InitiatingProcessCommandLine contains 'service auditd stop'
or InitiatingProcessCommandLine contains '/etc/init.d/auditd stop'
or InitiatingProcessCommandLine contains 'systemctl stop auditd'
| project DeviceName, AccountName, InitiatingProcessCommandLine, TimeGenerated | Correct | 1 | 11.09s | 0.0532 |
gpt-4.1 | auditctl -e 0 | DeviceProcessEvents
| where ProcessCommandLine has_any ('auditctl -e 0', 'auditctl --disable', 'systemctl stop auditd', 'service auditd stop', 'auditd -s disable', 'systemctl disable auditd')
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | Correct | 1 | 3.64s | 0.0112 |
gpt-4.1-finetuned | auditctl -e 0 | DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("auditctl", "magic value", "d off", "auditd -s disable", "auditd") or ProcessCommandLine has_any ("auditctl", "magic value", "d off", "auditd -s disable", "auditd") | Correct | 2 | 18.75s | 0.1287 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0079 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0017 |
gpt-4o | auditctl -e 0 | DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("auditctl", "systemctl stop auditd", "service auditd stop", "kill")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessId | Correct | 1 | 3.28s | 0.0187 |
gpt-5-high | auditctl -D | let linux_devices = DeviceInfo
| where OSPlatform == "Linux"
| project DeviceId, DeviceName, MachineGroup;
// 1) Process executions that likely disabled auditing
let process_evidence =
DeviceProcessEvents
| join kind=inner (linux_devices) on DeviceId
| where
// auditctl explicitly disabling auditing or deleting all rules
(FileName =~ "auditctl" and (tostring(ProcessCommandLine) matches regex @"(?i)\b-e\s*0\b" or tostring(ProcessCommandLine) has " -D"))
or
// systemd/service commands stopping/disable/masking auditd
(FileName =~ "systemctl" and tostring(ProcessCommandLine) has "auditd" and tostring(ProcessCommandLine) has_any (" stop", " disable", " mask"))
or (FileName =~ "service" and tostring(ProcessCommandLine) has "auditd" and tostring(ProcessCommandLine) has_any (" stop", " disable"))
or (FileName in~ ("chkconfig","update-rc.d","rcauditd") and tostring(ProcessCommandLine) has "auditd" and tostring(ProcessCommandLine) has_any (" off", " disable", " stop"))
or
// killing the audit daemon
(FileName in~ ("kill","pkill","killall") and (tostring(ProcessCommandLine) has "auditd" or tostring(ProcessCommandLine) has_any ("/run/auditd.pid","/var/run/auditd.pid")))
or
// disabling kernel auditing at boot via grub
(FileName in~ ("grubby","grub2-mkconfig","grub-mkconfig") and tostring(ProcessCommandLine) has "audit=0")
| project TimeGenerated, DeviceName, DeviceId, EventType = "Process", FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
AccountName, InitiatingProcessAccountName, ProcessId, InitiatingProcessId;
// 2) Syslog evidence that auditing/auditd was stopped/disabled
let syslog_evidence =
DeviceEvents
| join kind=inner (linux_devices) on DeviceId
| extend SyslogMessage = coalesce(tostring(AdditionalFields.SyslogMessage), tostring(AdditionalFields.message), tostring(AdditionalFields.Message), tostring(AdditionalFields.MSG), tostring(AdditionalFields.MESSAGE), tostring(AdditionalFields.body))
| where (ActionType has_cs "syslog" or isnotempty(SyslogMessage))
| where
// auditd exiting/stopped, or systemd service stopped
(SyslogMessage has "auditd" and SyslogMessage has_any ("exiting","stopped","stopping","disabled","disable","deactivated","killed","terminated"))
or (SyslogMessage has "Security Auditing Service" and SyslogMessage has_any ("Stopped","Stopping","Deactivated"))
| project TimeGenerated, DeviceName, DeviceId, EventType = "Syslog", FileName, ProcessCommandLine, SyslogMessage, ActionType,
AccountName, InitiatingProcessAccountName;
union process_evidence, syslog_evidence
| sort by TimeGenerated desc | Incorrect | 1 | 138.31s | 0.0680 |
gpt-5-mini-high | auditctl -e 0 | let auditRegex = @"(?i)\b(?:auditctl\s+[-\w\s=]+|systemctl\s+(?:stop|disable|mask)\s+auditd|service\s+(?:stop|disable)\s+auditd|/etc/init\.d/auditd\s+(?:stop|disable)|killall\s+(?:auditd|audispd)|pkill\s+(?:-f\s+)?auditd)\b";
let devProc = DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine matches regex auditRegex
| extend RawCommand = ProcessCommandLine, SourceTable = "DeviceProcessEvents", User = AccountName, InitiatingUser = InitiatingProcessAccountName
| project TimeGenerated, SourceTable, DeviceName, User, InitiatingUser, ProcessId, InitiatingProcessId, InitiatingProcessFileName, RawCommand, MatchedCommand = extract(auditRegex, 0, RawCommand);
let devFile = DeviceFileEvents
| where isnotempty(InitiatingProcessCommandLine)
| where InitiatingProcessCommandLine matches regex auditRegex
| extend RawCommand = InitiatingProcessCommandLine, SourceTable = "DeviceFileEvents", User = InitiatingProcessAccountName, InitiatingUser = InitiatingProcessAccountName
| project TimeGenerated, SourceTable, DeviceName, User, InitiatingUser, ProcessId = InitiatingProcessId, InitiatingProcessId, InitiatingProcessFileName, RawCommand, MatchedCommand = extract(auditRegex, 0, RawCommand);
let devEvt = DeviceEvents
| extend AF = tostring(AdditionalFields)
| where (isnotempty(AF) and AF matches regex auditRegex)
or (isnotempty(InitiatingProcessCommandLine) and InitiatingProcessCommandLine matches regex auditRegex)
or (isnotempty(FileName) and FileName contains "audit")
| extend RawCommand = coalesce(InitiatingProcessCommandLine, AF, FileName), SourceTable = "DeviceEvents", User = AccountName, InitiatingUser = InitiatingProcessAccountName
| project TimeGenerated, SourceTable, DeviceName, User, InitiatingUser, ProcessId = InitiatingProcessId, InitiatingProcessId, InitiatingProcessFileName = FileName, RawCommand, MatchedCommand = extract(auditRegex, 0, RawCommand);
union devProc, devFile, devEvt
| order by TimeGenerated desc
| take 500 | Correct | 3 | 70.84s | 0.0187 |
gpt-5-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0196 |
gpt-5-mini-medium | auditctl -e 0 | let patterns = dynamic([
"auditctl -e 0",
"auditctl -e=0",
"auditctl -e 1",
"echo 0 > /proc/sys/kernel/audit_enabled",
"echo 0 >/proc/sys/kernel/audit_enabled",
"/sbin/service auditd stop",
"service auditd stop",
"systemctl stop auditd",
"systemctl disable auditd",
"systemctl mask auditd",
"pkill -f auditd",
"killall auditd",
"kill -9 auditd",
"rm /etc/audit/audit.rules",
"mv /etc/audit/audit.rules",
"chmod 000 /etc/audit/",
"> /etc/audit/audit.rules",
"/etc/init.d/auditd stop",
"auditd --stop",
"auditd --no-daemon",
"/bin/echo 0 > /proc/sys/kernel/audit_enabled",
"sysctl -w kernel.audit=0",
"sysctl -w audit=0",
"truncate -s 0 /etc/audit/audit.rules",
"echo 0 > /proc/sys/kernel/auditd/enabled",
"sed -i '/-w.*audit.*/d' /etc/audit/audit.rules",
"auditctl -e 1"
]);
// Search across process, file and general device events
union isfuzzy=true
(
DeviceProcessEvents
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountUpn, AccountDomain, searchField = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, FileName, ""), FileName, ActionType, SourceTable = "DeviceProcessEvents", _ResourceId
),
(
DeviceFileEvents
| project TimeGenerated, DeviceName, DeviceId, AccountName = InitiatingProcessAccountName, AccountUpn = InitiatingProcessAccountUpn, AccountDomain = InitiatingProcessAccountDomain, searchField = coalesce(InitiatingProcessCommandLine, FileName, tostring(AdditionalFields), ""), FileName, ActionType, SourceTable = "DeviceFileEvents", _ResourceId
),
(
DeviceEvents
| project TimeGenerated, DeviceName, DeviceId, AccountName = InitiatingProcessAccountName, AccountUpn = InitiatingProcessAccountUpn, AccountDomain = InitiatingProcessAccountDomain, searchField = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields), FileName, ""), FileName, ActionType, SourceTable = "DeviceEvents", _ResourceId
),
(
DeviceImageLoadEvents
| project TimeGenerated, DeviceName, DeviceId, AccountName = InitiatingProcessAccountName, AccountUpn = InitiatingProcessAccountUpn, AccountDomain = InitiatingProcessAccountDomain, searchField = coalesce(InitiatingProcessCommandLine, FileName, ""), FileName, ActionType, SourceTable = "DeviceImageLoadEvents", _ResourceId
)
| extend searchLower = tolower(tostring(searchField))
| where isnotempty(searchLower) and searchLower has_any (patterns)
| summarize arg_max(TimeGenerated, *) by DeviceId, _ResourceId, searchLower
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountUpn, AccountDomain, MatchedCommand = searchField, FileName, ActionType, SourceTable
| order by TimeGenerated desc
| take 500 | Correct | 4 | 76.52s | 0.0187 |
gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0068 |
gpt-5-nano-medium | auditctl -e 0 | let linuxAuditStopCmds = dynamic([
"systemctl stop auditd",
"systemctl stop auditd.service",
"service auditd stop",
"auditctl -e 0",
"auditctl -e disabled",
"auditctl --disable",
"killall auditd",
"pkill -f auditd",
"/sbin/auditctl -e 0",
"/usr/sbin/auditctl -e 0"
]);
let StartTime = now() - 1d;
let EndTime = now();
// Look in process execution events for Linux audit-disable commands
let PEvents = (
DeviceProcessEvents
| where TimeGenerated between (StartTime .. EndTime)
| where InitiatingProcessCommandLine has_any (linuxAuditStopCmds)
or ProcessCommandLine has_any (linuxAuditStopCmds)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, ProcessCommandLine, ProcessId, AccountName, AccountDomain
);
// Also check generic events where such commands may be logged (syslog-like entries)
let SyslogLike = (
DeviceEvents
| where TimeGenerated between (StartTime .. EndTime)
| where InitiatingProcessCommandLine has_any (linuxAuditStopCmds)
or ProcessCommandLine has_any (linuxAuditStopCmds)
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessCommandLine, InitiatingProcessFileName, ProcessCommandLine, FileName, AccountName, AccountDomain
);
PEvents
| union SyslogLike
| sort by TimeGenerated desc
| limit 100
| Correct | 1 | 56.26s | 0.0025 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.1120 |
grok-3-mini-beta | auditctl -e 0 | let linuxDevices = DeviceInfo | where OSPlatform == 'Linux' | distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (linuxDevices)
| where ProcessCommandLine contains 'auditctl' and ProcessCommandLine contains '-e 0'
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 18.21s | 0.0016 |
o1-high | auditctl | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| join kind=inner (
DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId
) on DeviceId
| extend normCmdLine = tolower(ProcessCommandLine)
| where normCmdLine has_any ("auditctl", "systemctl", "service")
and normCmdLine has_any ("-e 0", "stop", "disable")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FolderPath, FileName
| order by TimeGenerated desc
| limit 100 | Correct | 2 | 64.40s | 0.5270 |
o1-low | auditctl | let LinuxDevices = DeviceInfo
| where OSPlatform == "Linux"
| project DeviceId;
union DeviceProcessEvents, DeviceEvents
| where DeviceId in (LinuxDevices)
| where tostring(ProcessCommandLine) != "" // ensure we have commands
| where tolower(ProcessCommandLine) has_any ("auditctl -e 0", "systemctl stop auditd", "service auditd stop", "systemctl disable auditd", "chkconfig auditd off", "systemctl mask auditd")
// Add additional keywords if necessary
| project TimeGenerated, DeviceName, ActionType, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, AdditionalFields
| order by TimeGenerated desc | Correct | 1 | 48.33s | 0.3412 |
o3-high | auditctl -e 0 | // 1) Identify Linux endpoints in the tenant
let linux_devices = DeviceInfo
| where OSPlatform == "Linux"
| project DeviceId, DeviceName;
// 2) Look for commands that are known to turn-off/disable the Linux audit framework
let suspect_processes = DeviceProcessEvents
| where DeviceId in (linux_devices)
// Focus on the most common utilities that can disable the audit service
| where FileName in~ ("auditctl","service","systemctl","chkconfig")
| extend cmd = tolower(ProcessCommandLine)
| where // --- Run-time audit disable ----------------------------------
(FileName =~ "auditctl" and cmd matches regex @"\s-e\s*0") // auditctl -e 0
or // --- Stopping the auditd service --------------------------------
(FileName in~ ("service","systemctl") and cmd has "auditd" and cmd has_any ("stop","disable","mask"))
or // --- Disabling auditd from chkconfig ----------------------------
(FileName =~ "chkconfig" and cmd has "auditd" and cmd has_any ("off","disable"));
// 3) (Optional) Look for corroborating syslog messages that show auditd stopping
let syslog_indicators = DeviceEvents
| where DeviceId in (linux_devices)
| where ActionType =~ "Syslog"
| extend syslog_msg = tostring(parse_json(AdditionalFields).message)
| where syslog_msg has_cs "auditd" and syslog_msg has_any ("stopping","exiting","disabled")
| project TimeGenerated, DeviceName, Evidence = syslog_msg;
// 4) Combine and present
suspect_processes
| project TimeGenerated,
DeviceName,
ActingProcess = FileName,
ExecutedCommand = ProcessCommandLine,
AccountName,
AccountDomain,
InitiatingProcessCommandLine,
ProcessId,
Evidence = "Process execution"
| union syslog_indicators
| sort by TimeGenerated desc | Correct | 1 | 36.58s | 0.0254 |
o3-mini-high | auditctl | union withsource=SourceTable DeviceProcessEvents, DeviceEvents
| where
(
// Check command line fields from process execution events
((ProcessCommandLine has "auditctl" or ProcessCommandLine has "auditd" or ProcessCommandLine has "systemctl")
and (ProcessCommandLine has "stop" or ProcessCommandLine has "disable" or ProcessCommandLine has "-e 0"))
// Also check the initiating process command line
or ((InitiatingProcessCommandLine has "auditctl" or InitiatingProcessCommandLine has "auditd" or InitiatingProcessCommandLine has "systemctl")
and (InitiatingProcessCommandLine has "stop" or InitiatingProcessCommandLine has "disable" or InitiatingProcessCommandLine has "-e 0"))
)
| project TimeGenerated, DeviceName, SourceTable, ProcessCommandLine, InitiatingProcessCommandLine, FileName, FolderPath, ProcessId, InitiatingProcessId
| order by TimeGenerated desc | Correct | 3 | 39.89s | 0.0518 |
o3-mini-low | auditctl | union DeviceProcessEvents, DeviceEvents
| where ( (isnotempty(InitiatingProcessCommandLine) and tolower(InitiatingProcessCommandLine) has "auditctl")
or (isnotempty(InitiatingProcessCommandLine) and tolower(InitiatingProcessCommandLine) has "auditd")
or (isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) has "auditctl")
or (isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) has "auditd")
or (tostring(AdditionalFields) has "auditctl")
or (tostring(AdditionalFields) has "auditd") )
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, AdditionalFields, Type
| sort by TimeGenerated desc | Correct | 1 | 26.01s | 0.0509 |
o4-mini-high | auditctl -e 0 | let linuxDevices = DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId;
DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d))..now()) // adjust time range as needed
| where DeviceId in (linuxDevices)
| where
(FileName == "auditctl" and ProcessCommandLine has "-e 0") or
(FileName == "systemctl" and ProcessCommandLine has "auditd" and (ProcessCommandLine has "stop" or ProcessCommandLine has "disable")) or
ProcessCommandLine has "service auditd stop" or
ProcessCommandLine has "auditoff" or
ProcessCommandLine has "chkconfig auditd off"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 37.10s | 0.0100 |
o4-mini-low | auditctl -e 0 | let DisabledByProcess = DeviceProcessEvents
| where
(
ProcessCommandLine has "auditctl" and (ProcessCommandLine has "-e 0" or ProcessCommandLine has "--disable")
or ProcessCommandLine has "systemctl stop auditd"
or ProcessCommandLine has "systemctl disable auditd"
or ProcessCommandLine has "service auditd stop"
)
| project TimeGenerated, Source = "ProcessEvent", HostName = DeviceName, Account = InitiatingProcessAccountName, Command = ProcessCommandLine;
let DisabledBySyslog = Syslog
| where
(
ProcessName == "auditd" and (SyslogMessage has "stopped" or SyslogMessage has "disabled")
or SyslogMessage has "audit subsystem disabled"
)
| project TimeGenerated, Source = "Syslog", HostName = Computer, Account = "", Command = SyslogMessage;
union isfuzzy=true DisabledByProcess, DisabledBySyslog
| sort by TimeGenerated desc | Correct | 2 | 121.54s | 0.0209 |