// question

On a Linux host, auditing has been turned off. Review process execution or syslog data to determine which command was executed to disable the audit subsystem.

Reference KQL answer and model-by-model comparison.

7906f0a6-b527-46ee-9026-6e81a9184e08
question id
16/23
models correct
1
valid answer
70%
success rate
// reference answer

Human-validated correct answer for this question.

auditctl -e 0
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
auditctl -e 0
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_any ("auditctl -e 0", "systemctl stop auditd", "service auditd stop", "killall auditd", "pkill auditd")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName
pass110.69s0.0053
gpt-35-turbo
no answer
no query generatedfail50.00s0.0111
gpt-4-turbo-2024-04-09
auditctl -e 0
DeviceProcessEvents
| where InitiatingProcessCommandLine contains 'auditctl -e 0'
    or InitiatingProcessCommandLine contains 'service auditd stop'
    or InitiatingProcessCommandLine contains '/etc/init.d/auditd stop'
    or InitiatingProcessCommandLine contains 'systemctl stop auditd'
| project DeviceName, AccountName, InitiatingProcessCommandLine, TimeGenerated
pass111.09s0.0532
gpt-4.1
auditctl -e 0
DeviceProcessEvents
| where ProcessCommandLine has_any ('auditctl -e 0', 'auditctl --disable', 'systemctl stop auditd', 'service auditd stop', 'auditd -s disable', 'systemctl disable auditd')
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
pass13.64s0.0112
gpt-4.1-finetuned
auditctl -e 0
DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("auditctl", "magic value", "d off", "auditd -s disable", "auditd") or ProcessCommandLine has_any ("auditctl", "magic value", "d off", "auditd -s disable", "auditd")
pass218.75s0.1287
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0079
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0017
gpt-4o
auditctl -e 0
DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("auditctl", "systemctl stop auditd", "service auditd stop", "kill")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessId
pass13.28s0.0187
gpt-5-high
auditctl -D
let linux_devices = DeviceInfo
| where OSPlatform == "Linux"
| project DeviceId, DeviceName, MachineGroup;
// 1) Process executions that likely disabled auditing
let process_evidence =
DeviceProcessEvents
| join kind=inner (linux_devices) on DeviceId
| where 
    // auditctl explicitly disabling auditing or deleting all rules
    (FileName =~ "auditctl" and (tostring(ProcessCommandLine) matches regex @"(?i)\b-e\s*0\b" or tostring(ProcessCommandLine) has " -D"))
    or 
    // systemd/service commands stopping/disable/masking auditd
    (FileName =~ "systemctl" and tostring(ProcessCommandLine) has "auditd" and tostring(ProcessCommandLine) has_any (" stop", " disable", " mask"))
    or (FileName =~ "service" and tostring(ProcessCommandLine) has "auditd" and tostring(ProcessCommandLine) has_any (" stop", " disable"))
    or (FileName in~ ("chkconfig","update-rc.d","rcauditd") and tostring(ProcessCommandLine) has "auditd" and tostring(ProcessCommandLine) has_any (" off", " disable", " stop"))
    or 
    // killing the audit daemon
    (FileName in~ ("kill","pkill","killall") and (tostring(ProcessCommandLine) has "auditd" or tostring(ProcessCommandLine) has_any ("/run/auditd.pid","/var/run/auditd.pid")))
    or 
    // disabling kernel auditing at boot via grub
    (FileName in~ ("grubby","grub2-mkconfig","grub-mkconfig") and tostring(ProcessCommandLine) has "audit=0")
| project TimeGenerated, DeviceName, DeviceId, EventType = "Process", FileName, ProcessCommandLine, 
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, 
          AccountName, InitiatingProcessAccountName, ProcessId, InitiatingProcessId;
// 2) Syslog evidence that auditing/auditd was stopped/disabled
let syslog_evidence =
DeviceEvents
| join kind=inner (linux_devices) on DeviceId
| extend SyslogMessage = coalesce(tostring(AdditionalFields.SyslogMessage), tostring(AdditionalFields.message), tostring(AdditionalFields.Message), tostring(AdditionalFields.MSG), tostring(AdditionalFields.MESSAGE), tostring(AdditionalFields.body))
| where (ActionType has_cs "syslog" or isnotempty(SyslogMessage))
| where 
    // auditd exiting/stopped, or systemd service stopped
    (SyslogMessage has "auditd" and SyslogMessage has_any ("exiting","stopped","stopping","disabled","disable","deactivated","killed","terminated"))
    or (SyslogMessage has "Security Auditing Service" and SyslogMessage has_any ("Stopped","Stopping","Deactivated"))
| project TimeGenerated, DeviceName, DeviceId, EventType = "Syslog", FileName, ProcessCommandLine, SyslogMessage, ActionType, 
          AccountName, InitiatingProcessAccountName;
union process_evidence, syslog_evidence
| sort by TimeGenerated desc
fail1138.31s0.0680
gpt-5-mini-high
auditctl -e 0
let auditRegex = @"(?i)\b(?:auditctl\s+[-\w\s=]+|systemctl\s+(?:stop|disable|mask)\s+auditd|service\s+(?:stop|disable)\s+auditd|/etc/init\.d/auditd\s+(?:stop|disable)|killall\s+(?:auditd|audispd)|pkill\s+(?:-f\s+)?auditd)\b";

let devProc = DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine matches regex auditRegex
| extend RawCommand = ProcessCommandLine, SourceTable = "DeviceProcessEvents", User = AccountName, InitiatingUser = InitiatingProcessAccountName
| project TimeGenerated, SourceTable, DeviceName, User, InitiatingUser, ProcessId, InitiatingProcessId, InitiatingProcessFileName, RawCommand, MatchedCommand = extract(auditRegex, 0, RawCommand);

let devFile = DeviceFileEvents
| where isnotempty(InitiatingProcessCommandLine)
| where InitiatingProcessCommandLine matches regex auditRegex
| extend RawCommand = InitiatingProcessCommandLine, SourceTable = "DeviceFileEvents", User = InitiatingProcessAccountName, InitiatingUser = InitiatingProcessAccountName
| project TimeGenerated, SourceTable, DeviceName, User, InitiatingUser, ProcessId = InitiatingProcessId, InitiatingProcessId, InitiatingProcessFileName, RawCommand, MatchedCommand = extract(auditRegex, 0, RawCommand);

let devEvt = DeviceEvents
| extend AF = tostring(AdditionalFields)
| where (isnotempty(AF) and AF matches regex auditRegex)
    or (isnotempty(InitiatingProcessCommandLine) and InitiatingProcessCommandLine matches regex auditRegex)
    or (isnotempty(FileName) and FileName contains "audit")
| extend RawCommand = coalesce(InitiatingProcessCommandLine, AF, FileName), SourceTable = "DeviceEvents", User = AccountName, InitiatingUser = InitiatingProcessAccountName
| project TimeGenerated, SourceTable, DeviceName, User, InitiatingUser, ProcessId = InitiatingProcessId, InitiatingProcessId, InitiatingProcessFileName = FileName, RawCommand, MatchedCommand = extract(auditRegex, 0, RawCommand);

union devProc, devFile, devEvt
| order by TimeGenerated desc
| take 500
pass370.84s0.0187
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0196
gpt-5-mini-medium
auditctl -e 0
let patterns = dynamic([
  "auditctl -e 0",
  "auditctl -e=0",
  "auditctl -e 1",
  "echo 0 > /proc/sys/kernel/audit_enabled",
  "echo 0 >/proc/sys/kernel/audit_enabled",
  "/sbin/service auditd stop",
  "service auditd stop",
  "systemctl stop auditd",
  "systemctl disable auditd",
  "systemctl mask auditd",
  "pkill -f auditd",
  "killall auditd",
  "kill -9 auditd",
  "rm /etc/audit/audit.rules",
  "mv /etc/audit/audit.rules",
  "chmod 000 /etc/audit/",
  "> /etc/audit/audit.rules",
  "/etc/init.d/auditd stop",
  "auditd --stop",
  "auditd --no-daemon",
  "/bin/echo 0 > /proc/sys/kernel/audit_enabled",
  "sysctl -w kernel.audit=0",
  "sysctl -w audit=0",
  "truncate -s 0 /etc/audit/audit.rules",
  "echo 0 > /proc/sys/kernel/auditd/enabled",
  "sed -i '/-w.*audit.*/d' /etc/audit/audit.rules",
  "auditctl -e 1"
]);

// Search across process, file and general device events
union isfuzzy=true
(
    DeviceProcessEvents
    | project TimeGenerated, DeviceName, DeviceId, AccountName, AccountUpn, AccountDomain, searchField = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, FileName, ""), FileName, ActionType, SourceTable = "DeviceProcessEvents", _ResourceId
),
(
    DeviceFileEvents
    | project TimeGenerated, DeviceName, DeviceId, AccountName = InitiatingProcessAccountName, AccountUpn = InitiatingProcessAccountUpn, AccountDomain = InitiatingProcessAccountDomain, searchField = coalesce(InitiatingProcessCommandLine, FileName, tostring(AdditionalFields), ""), FileName, ActionType, SourceTable = "DeviceFileEvents", _ResourceId
),
(
    DeviceEvents
    | project TimeGenerated, DeviceName, DeviceId, AccountName = InitiatingProcessAccountName, AccountUpn = InitiatingProcessAccountUpn, AccountDomain = InitiatingProcessAccountDomain, searchField = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields), FileName, ""), FileName, ActionType, SourceTable = "DeviceEvents", _ResourceId
),
(
    DeviceImageLoadEvents
    | project TimeGenerated, DeviceName, DeviceId, AccountName = InitiatingProcessAccountName, AccountUpn = InitiatingProcessAccountUpn, AccountDomain = InitiatingProcessAccountDomain, searchField = coalesce(InitiatingProcessCommandLine, FileName, ""), FileName, ActionType, SourceTable = "DeviceImageLoadEvents", _ResourceId
)
| extend searchLower = tolower(tostring(searchField))
| where isnotempty(searchLower) and searchLower has_any (patterns)
| summarize arg_max(TimeGenerated, *) by DeviceId, _ResourceId, searchLower
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountUpn, AccountDomain, MatchedCommand = searchField, FileName, ActionType, SourceTable
| order by TimeGenerated desc
| take 500
pass476.52s0.0187
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0068
gpt-5-nano-medium
auditctl -e 0
let linuxAuditStopCmds = dynamic([
  "systemctl stop auditd",
  "systemctl stop auditd.service",
  "service auditd stop",
  "auditctl -e 0",
  "auditctl -e disabled",
  "auditctl --disable",
  "killall auditd",
  "pkill -f auditd",
  "/sbin/auditctl -e 0",
  "/usr/sbin/auditctl -e 0"
]);
let StartTime = now() - 1d;
let EndTime = now();

// Look in process execution events for Linux audit-disable commands
let PEvents = (
    DeviceProcessEvents
    | where TimeGenerated between (StartTime .. EndTime)
    | where InitiatingProcessCommandLine has_any (linuxAuditStopCmds)
       or ProcessCommandLine has_any (linuxAuditStopCmds)
    | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, ProcessCommandLine, ProcessId, AccountName, AccountDomain
);

// Also check generic events where such commands may be logged (syslog-like entries)
let SyslogLike = (
    DeviceEvents
    | where TimeGenerated between (StartTime .. EndTime)
    | where InitiatingProcessCommandLine has_any (linuxAuditStopCmds)
       or ProcessCommandLine has_any (linuxAuditStopCmds)
    | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessCommandLine, InitiatingProcessFileName, ProcessCommandLine, FileName, AccountName, AccountDomain
);

PEvents
| union SyslogLike
| sort by TimeGenerated desc
| limit 100
pass156.26s0.0025
grok-3-beta
no answer
no query generatedfail50.00s0.1120
grok-3-mini-beta
auditctl -e 0
let linuxDevices = DeviceInfo | where OSPlatform == 'Linux' | distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (linuxDevices)
| where ProcessCommandLine contains 'auditctl' and ProcessCommandLine contains '-e 0'
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc
pass118.21s0.0016
o1-high
auditctl
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| join kind=inner (
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId
) on DeviceId
| extend normCmdLine = tolower(ProcessCommandLine)
| where normCmdLine has_any ("auditctl", "systemctl", "service")
      and normCmdLine has_any ("-e 0", "stop", "disable")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FolderPath, FileName
| order by TimeGenerated desc
| limit 100
pass264.40s0.5270
o1-low
auditctl
let LinuxDevices = DeviceInfo
| where OSPlatform == "Linux"
| project DeviceId;
union DeviceProcessEvents, DeviceEvents
| where DeviceId in (LinuxDevices)
| where tostring(ProcessCommandLine) != "" // ensure we have commands
| where tolower(ProcessCommandLine) has_any ("auditctl -e 0", "systemctl stop auditd", "service auditd stop", "systemctl disable auditd", "chkconfig auditd off", "systemctl mask auditd")
// Add additional keywords if necessary
| project TimeGenerated, DeviceName, ActionType, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, AdditionalFields
| order by TimeGenerated desc
pass148.33s0.3412
o3-high
auditctl -e 0
// 1) Identify Linux endpoints in the tenant
let linux_devices = DeviceInfo
    | where OSPlatform == "Linux"
    | project DeviceId, DeviceName;

// 2) Look for commands that are known to turn-off/disable the Linux audit framework
let suspect_processes = DeviceProcessEvents
    | where DeviceId in (linux_devices)
    // Focus on the most common utilities that can disable the audit service
    | where FileName in~ ("auditctl","service","systemctl","chkconfig")
    | extend cmd = tolower(ProcessCommandLine)
    | where   // --- Run-time audit disable ----------------------------------
            (FileName =~ "auditctl" and cmd matches regex @"\s-e\s*0")      //  auditctl -e 0
        or  // --- Stopping the auditd service --------------------------------
            (FileName in~ ("service","systemctl") and cmd has "auditd" and cmd has_any ("stop","disable","mask"))
        or  // --- Disabling auditd from chkconfig ----------------------------
            (FileName =~ "chkconfig" and cmd has "auditd" and cmd has_any ("off","disable"));

// 3) (Optional) Look for corroborating syslog messages that show auditd stopping
let syslog_indicators = DeviceEvents
    | where DeviceId in (linux_devices)
    | where ActionType =~ "Syslog"
    | extend syslog_msg = tostring(parse_json(AdditionalFields).message)
    | where syslog_msg has_cs "auditd" and syslog_msg has_any ("stopping","exiting","disabled")
    | project TimeGenerated, DeviceName, Evidence = syslog_msg;

// 4) Combine and present
suspect_processes
| project TimeGenerated,
          DeviceName,
          ActingProcess = FileName,
          ExecutedCommand = ProcessCommandLine,
          AccountName,
          AccountDomain,
          InitiatingProcessCommandLine,
          ProcessId,
          Evidence = "Process execution"
| union syslog_indicators
| sort by TimeGenerated desc
pass136.58s0.0254
o3-mini-high
auditctl
union withsource=SourceTable DeviceProcessEvents, DeviceEvents
| where 
    (
      // Check command line fields from process execution events
      ((ProcessCommandLine has "auditctl" or ProcessCommandLine has "auditd" or ProcessCommandLine has "systemctl")
       and (ProcessCommandLine has "stop" or ProcessCommandLine has "disable" or ProcessCommandLine has "-e 0"))
       
      // Also check the initiating process command line
      or ((InitiatingProcessCommandLine has "auditctl" or InitiatingProcessCommandLine has "auditd" or InitiatingProcessCommandLine has "systemctl")
       and (InitiatingProcessCommandLine has "stop" or InitiatingProcessCommandLine has "disable" or InitiatingProcessCommandLine has "-e 0"))
    )
| project TimeGenerated, DeviceName, SourceTable, ProcessCommandLine, InitiatingProcessCommandLine, FileName, FolderPath, ProcessId, InitiatingProcessId
| order by TimeGenerated desc
pass339.89s0.0518
o3-mini-low
auditctl
union DeviceProcessEvents, DeviceEvents
| where ( (isnotempty(InitiatingProcessCommandLine) and tolower(InitiatingProcessCommandLine) has "auditctl")
       or (isnotempty(InitiatingProcessCommandLine) and tolower(InitiatingProcessCommandLine) has "auditd")
       or (isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) has "auditctl")
       or (isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) has "auditd")
       or (tostring(AdditionalFields) has "auditctl")
       or (tostring(AdditionalFields) has "auditd") )
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, AdditionalFields, Type
| sort by TimeGenerated desc
pass126.01s0.0509
o4-mini-high
auditctl -e 0
let linuxDevices = DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId;

DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d))..now())            // adjust time range as needed
| where DeviceId in (linuxDevices)
| where 
    (FileName == "auditctl" and ProcessCommandLine has "-e 0") or
    (FileName == "systemctl" and ProcessCommandLine has "auditd" and (ProcessCommandLine has "stop" or ProcessCommandLine has "disable")) or
    ProcessCommandLine has "service auditd stop" or
    ProcessCommandLine has "auditoff" or
    ProcessCommandLine has "chkconfig auditd off"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| sort by TimeGenerated desc
pass137.10s0.0100
o4-mini-low
auditctl -e 0
let DisabledByProcess = DeviceProcessEvents
| where 
    (
      ProcessCommandLine has "auditctl" and (ProcessCommandLine has "-e 0" or ProcessCommandLine has "--disable")
      or ProcessCommandLine has "systemctl stop auditd"
      or ProcessCommandLine has "systemctl disable auditd"
      or ProcessCommandLine has "service auditd stop"
    )
| project TimeGenerated, Source = "ProcessEvent", HostName = DeviceName, Account = InitiatingProcessAccountName, Command = ProcessCommandLine;

let DisabledBySyslog = Syslog
| where 
    (
      ProcessName == "auditd" and (SyslogMessage has "stopped" or SyslogMessage has "disabled")
      or SyslogMessage has "audit subsystem disabled"
    )
| project TimeGenerated, Source = "Syslog", HostName = Computer, Account = "", Command = SyslogMessage;

union isfuzzy=true DisabledByProcess, DisabledBySyslog
| sort by TimeGenerated desc
pass2121.54s0.0209