
Summary
This analytic rule detects attempts to stop services on Linux hosts, using events from the Linux Audit daemon (auditd). The activity matters because attackers routinely stop security or other critical services (auditing, logging, firewalling, endpoint agents) to disable defenses before taking further action, which blinds detection and can disrupt operations. Campaigns such as Industroyer2 illustrate the pattern: stopping these services lets the attacker evade security controls and clear the way for destructive payloads that compromise system integrity and availability.
The detection is a Splunk search over auditd records of type SERVICE_STOP. It renames the host field to dest (the CIM name for the affected system) and aggregates the events by process ID (pid), user ID (UID), command (comm), executable path (exe) and dest, so each result shows which process, running as which user on which host, stopped services and when. That view is the basis for spotting suspicious patterns, for example auditd or a firewall service being stopped outside a maintenance window.
For the rule to work, auditd logs must be ingested with their fields normalized to the Common Information Model (CIM); in particular the search expects the type, pid, UID, comm, exe and host fields under those names. Legitimate service stops (package upgrades, reboots, routine administration) will also match, so tune the rule's filter macro to exclude known-good units, hosts or administrative accounts and keep the alert precise in production.
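The following Python script is an added example, not the page's SPL or any Splunk project code. It reproduces the rule's logic offline over constructed auditd lines: keep SERVICE_STOP records, map the host name to dest, drop units on an allowlist (the job the filter macro does in Splunk) and aggregate count, first time and last time by pid, UID, comm, exe and dest. It goes slightly beyond the page's grouping key by also keeping the systemd unit name and flagging units from an assumed watch-list of defensive services (SECURITY_UNITS), since that is what an analyst needs for triage. The sample log, the host name "web-01" and the watch-list are all assumptions for the example.

```python
import re
from collections import OrderedDict
from typing import Optional

# Constructed sample auditd records (not real telemetry). Raw auditd writes the
# numeric user field as "uid"; interpreted output (ausearch -i, the Splunk add-on)
# exposes it as "UID", which is the name the detection aggregates on.
SAMPLE_LOG = """\
type=SERVICE_STOP msg=audit(1734300000.101:201): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1734300005.202:202): pid=1 uid=0 auid=1000 ses=3 msg='unit=firewalld comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1734300010.303:203): pid=1 uid=0 auid=1000 ses=3 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1734300020.404:204): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=cups comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1734300030.505:205): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# Assumed watch-list: units whose stop usually means a defense is being disabled.
SECURITY_UNITS = frozenset({"auditd", "firewalld", "apparmor", "rsyslog", "falco"})

# Header: type=... msg=audit(<epoch>.<ms>:<serial>): <body>
RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):\d+\): (?P<body>.*)$")
# key=value pairs; values may be "double-quoted", 'single-quoted' (the nested msg) or bare.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line: str, host: str) -> Optional[dict]:
    """Parse one raw auditd line into a flat dict of fields, or None if it is not an audit record."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    fields = {"type": m["type"], "_time": float(m["ts"]), "dest": host}  # host -> dest, as the rule does
    for key, value in KV_RE.findall(m["body"]):
        if key == "msg":
            # The msg='...' payload carries its own key=value pairs (unit, comm, exe, res, ...).
            for ikey, ivalue in KV_RE.findall(value.strip("'")):
                fields[ikey] = ivalue.strip('"')
        else:
            fields[key] = value.strip('"')
    fields["UID"] = fields.pop("uid", None)  # mirror the interpreted field name
    return fields


def detect_service_stops(log_text: str, host: str, allowed_units=frozenset()) -> list:
    """Equivalent of the Splunk search: filter to SERVICE_STOP, apply the allowlist
    (filter macro), and aggregate count/firstTime/lastTime by pid, UID, comm, exe, dest
    (plus unit, added here for triage)."""
    stats = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line, host)
        if rec is None or rec["type"] != "SERVICE_STOP":
            continue
        unit = rec.get("unit", "")
        if unit in allowed_units:  # known-good units are tuned out, not alerted on
            continue
        key = (rec.get("pid"), rec.get("UID"), rec.get("comm"), rec.get("exe"), rec["dest"], unit)
        agg = stats.setdefault(key, {"count": 0, "firstTime": rec["_time"], "lastTime": rec["_time"]})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], rec["_time"])
        agg["lastTime"] = max(agg["lastTime"], rec["_time"])
    results = []
    for (pid, uid, comm, exe, dest, unit), agg in stats.items():
        results.append({"pid": pid, "UID": uid, "comm": comm, "exe": exe, "dest": dest, "unit": unit,
                        "security_service": unit in SECURITY_UNITS, **agg})
    return results


if __name__ == "__main__":
    # cups is treated as a tuned-out unit here; auditd and firewalld are reported.
    for row in detect_service_stops(SAMPLE_LOG, "web-01", allowed_units=frozenset({"cups"})):
        print(row)
```

Run against the constructed lines, the auditd stop is reported once with count 2 (first and last time from the two records), the firewalld stop once, the SERVICE_START record is ignored, and cups is suppressed by the allowlist. The security_service flag is what you would sort or escalate on; in Splunk the same effect comes from a lookup of unit names joined to the stats output before the filter macro.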
Categories
- Linux
- Endpoint
Data Sources
- Pod
ATT&CK Techniques
- T1489
Created: 2024-12-16