
Summary
Detects Linux processes attempting to write to the AppArmor policy-management pseudo-files under /sys/kernel/security/apparmor/ (.load, .replace, .remove). On a normal system, AppArmor policy changes are performed by administrative tooling during boot or package installation. Direct writes to these pseudo-files from shells, scripting runtimes, or basic utilities are unusual and may indicate runtime modification of the security policy. The rule triggers when a process start event is observed for such a process (e.g., cat, echo, tee, bash, sh, python*) and the process command_line references one of the AppArmor policy control files. This activity is mapped to MITRE ATT&CK technique T1562.001 (Disable or Modify Tools) under Defense Evasion (TA0005). The rule aggregates data from multiple endpoint sensors (Elastic Defend, Elastic Endgame, CrowdStrike, SentinelOne) to enable cross-sensor visibility. The potential risk includes weakening or bypassing AppArmor protections, loading malicious profiles, or enabling local privilege escalation. Timely detection supports containment, investigation, and remediation of policy manipulation attempts; it should be followed by validating the currently loaded profiles and their enforcement status against a baseline, and by checking for related persistence or credential access activity.
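The detection logic described in the summary, shown as an added Python example run over constructed process start events. This is not the rule's own query and it is not taken from any of the listed sensors; the event shape (action, process name, command_line), the exact process-name list, and the sample telemetry are assumptions made for illustration. The process-name filter is what keeps the ordinary policy loader (apparmor_parser) from alerting, and the path match is anchored so that reads of unrelated files in the same directory, such as the profiles listing, do not match.

```python
import fnmatch
import re
from dataclasses import dataclass

# Policy-management pseudo-files named in the rule.
APPARMOR_DIR = "/sys/kernel/security/apparmor/"
POLICY_FILES = (".load", ".replace", ".remove")

# Shells, scripting runtimes and basic utilities the rule treats as unusual
# writers of these files (assumed list; glob syntax so "python*" also matches
# python3, python3.12, ...). apparmor_parser is deliberately absent: it is the
# expected writer during boot and package installation.
SUSPECT_PROCESS_GLOBS = (
    "cat", "echo", "tee", "bash", "sh", "dash", "zsh", "python*", "perl",
)

# Directory plus one of the three control files, with a negative lookahead so
# that e.g. ".loaded" or a longer path component does not match.
POLICY_FILE_RE = re.compile(
    re.escape(APPARMOR_DIR)
    + r"(?:" + "|".join(re.escape(f) for f in POLICY_FILES) + r")"
    + r"(?![\w.])"
)


@dataclass
class ProcessEvent:
    """Minimal process event; field names are an assumption, not a sensor schema."""
    action: str          # "start" or "end"
    name: str            # process.name
    command_line: str    # process.command_line
    sensor: str = "constructed"


@dataclass
class Alert:
    process_name: str
    policy_file: str
    command_line: str
    technique: str = "T1562.001"


def is_suspect_process(name):
    """True if the process name matches one of the shell/utility/runtime globs."""
    return any(fnmatch.fnmatchcase(name, g) for g in SUSPECT_PROCESS_GLOBS)


def referenced_policy_file(command_line):
    """Return the matched AppArmor control-file path, or None if none is referenced."""
    m = POLICY_FILE_RE.search(command_line)
    return m.group(0) if m else None


def evaluate(events):
    """Apply the rule: start event + suspect process + command_line naming a control file."""
    alerts = []
    for ev in events:
        if ev.action != "start":
            continue
        if not is_suspect_process(ev.name):
            continue
        path = referenced_policy_file(ev.command_line)
        if path is None:
            continue
        alerts.append(Alert(ev.name, path, ev.command_line))
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Expected administrative loader: not in the suspect list, no alert.
    ProcessEvent("start", "apparmor_parser",
                 "apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx"),
    # Shell redirecting a file into .replace: alert.
    ProcessEvent("start", "bash",
                 "bash -c 'cat /tmp/profile.bin > /sys/kernel/security/apparmor/.replace'"),
    # Reading the profiles listing is not a control-file write: no alert.
    ProcessEvent("start", "cat", "cat /sys/kernel/security/apparmor/profiles"),
    # Scripting runtime opening .remove: alert.
    ProcessEvent("start", "python3",
                 "python3 -c \"open('/sys/kernel/security/apparmor/.remove','w').write('usr.sbin.nginx')\""),
    # Same command line on an end event: rule only fires on start.
    ProcessEvent("end", "tee", "tee /sys/kernel/security/apparmor/.load"),
    ProcessEvent("start", "tee", "tee /sys/kernel/security/apparmor/.load"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.process_name} -> {a.policy_file}: {a.command_line}")
```

Running the block against the constructed events yields three alerts (bash, python3, tee) and no alert for apparmor_parser or for the read of the profiles listing; when tuning a real deployment the process-name list is the knob for false positives, since any legitimate tooling that writes these files under a listed name will also fire.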
Categories
- Endpoint
- Linux
Data Sources
- Process
- Command
- Kernel
ATT&CK Techniques
- T1562
- T1562.001
Created: 2026-03-17