AppArmor Profile Compilation via apparmor_parser

Elastic Detection Rules

Summary
This detection rule flags Linux processes that run apparmor_parser with the -o/--ofile option, which writes a compiled (binary) AppArmor profile to a file instead of loading it into the kernel. Administrators and packaging tooling do this routinely when building policy caches, but an attacker can use the same step to compile a crafted profile that weakens the confinement of a target process, aids privilege escalation, or provides stealthy persistence once the profile is loaded through the AppArmor interfaces.

The rule's EQL query matches Linux hosts where a process start event has the process name apparmor_parser and a command line containing --ofile, -o, or --output. The behavior maps to the MITRE ATT&CK tactic Defense Evasion, technique T1562.001 (Impair Defenses: Disable or Modify Tools). Referenced data sources are the Auditd Manager integration and several EDR/logging integrations (Elastic Defend, Elastic Endgame, CrowdStrike, SentinelOne), giving cross-sensor visibility into process execution and command-line arguments.

Investigation guidance: validate the full command line and the parent process lineage, inspect both the source and the output profile paths, correlate the event with profile load events, and check for scheduled maintenance or package updates, so that legitimate administration can be told apart from an anomalous policy change.

Remediation guidance: isolate the affected host, preserve and then remove unauthorized AppArmor profiles, unload rogue policies, clean up related privileged changes (systemd units, cron jobs, sudoers entries), and restore policies from a trusted source, reloading AppArmor in enforce mode. If several hosts show similar activity, or the profile targets a critical service (e.g., sshd, sudo, a container runtime), escalate to incident response and enforce stricter change control on policy updates.
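As an added example (not Elastic's rule code or query), the Python below replays the rule's predicate and the investigation heuristics described above over a handful of constructed, ECS-shaped process events. It parses apparmor_parser argv the way the binary does, so the attached forms -oFILE and --ofile=FILE are caught while -O (the optimize option) is not, and it skips the values of other value-taking options when picking out the source profile. The parent-process allowlist, the trusted output directories, and the critical-service list are assumptions to be tuned per environment; the sample events are made up, not captured from a host.

```python
"""Added example: replay the apparmor_parser output-flag rule and triage heuristics
over constructed process events. Not Elastic's rule code."""
import json
import os

# Flags the rule text lists. apparmor_parser documents -o/--ofile; --output is kept
# because the rule text matches on it as well.
OUTPUT_FLAGS = ("-o", "--ofile", "--output")
# Subset of other apparmor_parser options that consume the next argv token
# (separated form only); their values must not be mistaken for profile paths.
VALUE_OPTS = {"-b", "--base", "-I", "--Include", "-O", "--optimize",
              "-L", "--cache-loc", "-j", "--jobs", "-n", "--namespace"}

# Assumed triage context (not part of the Elastic rule); tune per environment.
MAINTENANCE_PARENTS = {"dpkg", "apt", "apt-get", "rpm", "snapd", "systemd",
                       "aa-genprof", "aa-logprof"}
TRUSTED_OUTPUT_DIRS = ("/etc/apparmor.d/", "/var/cache/apparmor/", "/var/lib/snapd/")
CRITICAL_TARGETS = ("sshd", "sudo", "docker", "containerd", "runc")

# Constructed sample events (ECS-shaped JSON lines); none were captured from a real host.
SAMPLE_LOG = """
{"host":{"os":{"type":"linux"}},"event":{"type":["start"]},"process":{"name":"apparmor_parser","parent":{"name":"dpkg"},"args":["apparmor_parser","-o","/var/cache/apparmor/3f1a/usr.bin.man","/etc/apparmor.d/usr.bin.man"]}}
{"host":{"os":{"type":"linux"}},"event":{"type":["start"]},"process":{"name":"apparmor_parser","parent":{"name":"bash"},"args":["apparmor_parser","--ofile=/tmp/.cache/usr.bin.sudo","/tmp/.cache/usr.bin.sudo.src"]}}
{"host":{"os":{"type":"linux"}},"event":{"type":["start"]},"process":{"name":"apparmor_parser","parent":{"name":"python3"},"args":["apparmor_parser","-o/dev/shm/p","/dev/shm/usr.bin.containerd"]}}
{"host":{"os":{"type":"linux"}},"event":{"type":["start"]},"process":{"name":"apparmor_parser","parent":{"name":"systemd"},"args":["apparmor_parser","-O","no-expr-simplify","-r","/etc/apparmor.d/usr.sbin.sshd"]}}
{"host":{"os":{"type":"windows"}},"event":{"type":["start"]},"process":{"name":"apparmor_parser","parent":{"name":"cmd.exe"},"args":["apparmor_parser","-o","x"]}}
"""


def parse_args(args):
    """Return (output_file or None, positional profile paths) for an apparmor_parser argv.
    args[0] is the binary itself and is skipped."""
    output, positionals = None, []
    i = 1
    while i < len(args):
        tok = args[i]
        if tok in OUTPUT_FLAGS:                      # separated form: -o FILE / --ofile FILE
            output = args[i + 1] if i + 1 < len(args) else ""
            i += 2
            continue
        if tok in VALUE_OPTS:                        # e.g. -O no-expr-simplify: skip the value
            i += 2
            continue
        if tok.startswith(("--ofile=", "--output=")):  # long attached form
            output = tok.split("=", 1)[1]
        elif tok.startswith("-o") and not tok.startswith("--"):  # short attached form: -oFILE
            output = tok[2:]
        elif not tok.startswith("-"):                # remaining tokens are profile paths
            positionals.append(tok)
        i += 1
    return output, positionals


def matches_rule(ev):
    """The rule's predicate: Linux process start of apparmor_parser with an output flag."""
    p = ev["process"]
    return (ev["host"]["os"]["type"] == "linux"
            and "start" in ev["event"]["type"]
            and p["name"] == "apparmor_parser"
            and parse_args(p["args"])[0] is not None)


def triage(ev):
    """Apply the investigation heuristics; an empty list means it looks like maintenance."""
    p = ev["process"]
    output, positionals = parse_args(p["args"])
    source = positionals[-1] if positionals else ""
    parent = p.get("parent", {}).get("name", "")
    findings = []
    if parent not in MAINTENANCE_PARENTS:
        findings.append(f"parent {parent!r} is not packaging/maintenance tooling")
    if output is not None and not output.startswith(TRUSTED_OUTPUT_DIRS):
        findings.append(f"compiled profile written outside policy dirs: {output}")
    if source and not source.startswith("/etc/apparmor.d/"):
        findings.append(f"source profile outside /etc/apparmor.d: {source}")
    names = os.path.basename(source) + " " + os.path.basename(output or "")
    hit = next((svc for svc in CRITICAL_TARGETS if svc in names), None)
    if hit:
        findings.append(f"profile targets critical service: {hit}")
    return findings


def scan(log_text):
    """Return [(event, findings)] for every line that trips the rule."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if matches_rule(ev):
            hits.append((ev, triage(ev)))
    return hits


if __name__ == "__main__":
    for ev, findings in scan(SAMPLE_LOG):
        verdict = "INVESTIGATE" if findings else "likely maintenance"
        print(f"{verdict}: {' '.join(ev['process']['args'])}")
        for f in findings:
            print("   -", f)
```

Of the five sample events, three trip the rule: the dpkg-driven cache build has no findings, while the bash- and python3-spawned runs are flagged for an unexpected parent, output and source paths outside the policy directories, and a profile that names sudo or containerd. The systemd event with -O and the non-Linux event are correctly ignored.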
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1562
  • T1562.001
Created: 2026-03-17