Linux Auditd Auditd Daemon Abort

Splunk Security Content

Summary
This detection rule identifies abnormal terminations of the Linux audit daemon (auditd) by monitoring the audit logs for DAEMON_ABORT events. An audit daemon abort signals a potential problem with the integrity or availability of audit logging; causes may include resource exhaustion, corruption, or malicious activity. Unlike a normal shutdown, a DAEMON_ABORT suggests that audit logging might have been inadvertently disabled, which can compromise overall security monitoring. Alerts are raised when this event is triggered, and they should be correlated with DAEMON_START and DAEMON_END events to assess the severity and root cause of the problem. Repeated occurrences without subsequent DAEMON_START events indicate critical issues that require immediate attention to maintain log integrity and system security.
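The correlation the summary describes, as an added example that is not part of the Splunk detection or its SPL: it parses a few constructed audit.log records, raises one finding per DAEMON_ABORT, and grades it by whether a DAEMON_START follows within a window (the 300-second window, the field values and the severity labels are assumptions for illustration, not values from the rule).

```python
import re
from dataclasses import dataclass

# Constructed sample records in audit.log line format; all values are made up.
SAMPLE_AUDIT_LOG = """\
type=DAEMON_START msg=audit(1717650000.101:1): op=start ver=3.1.2 format=enriched kernel=6.1.0 auid=4294967295 pid=812 uid=0 ses=4294967295 res=success
type=SYSCALL msg=audit(1717650010.200:2): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash"
type=DAEMON_ABORT msg=audit(1717650300.333:3): op=abort auid=4294967295 pid=812 uid=0 ses=4294967295 res=failed
type=DAEMON_START msg=audit(1717650330.444:4): op=start ver=3.1.2 format=enriched kernel=6.1.0 auid=4294967295 pid=950 uid=0 ses=4294967295 res=success
type=DAEMON_ABORT msg=audit(1717651000.555:5): op=abort auid=4294967295 pid=950 uid=0 ses=4294967295 res=failed
type=DAEMON_END msg=audit(1717651001.600:6): op=terminate auid=4294967295 pid=950 uid=0 ses=4294967295 res=success
"""

# "type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): <key=value ...>"
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AuditRecord:
    type: str
    ts: float
    serial: int
    fields: dict


def parse_audit_log(text):
    """Parse audit.log text into AuditRecord objects; non-record lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group('rest')))
        records.append(AuditRecord(m.group('type'), float(m.group('ts')),
                                   int(m.group('serial')), fields))
    return records


def detect_daemon_aborts(records, restart_window_s=300):
    """One finding per DAEMON_ABORT, correlated with later DAEMON_START / DAEMON_END.

    An abort followed by a DAEMON_START inside the window is graded 'high'
    (logging was interrupted but resumed); an abort with no restart is
    'critical' because audit coverage is still missing. Window and labels
    are assumptions for this example.
    """
    ordered = sorted(records, key=lambda r: (r.ts, r.serial))
    findings = []
    for i, rec in enumerate(ordered):
        if rec.type != 'DAEMON_ABORT':
            continue
        later = ordered[i + 1:]
        restarted = any(r.type == 'DAEMON_START' and r.ts - rec.ts <= restart_window_s
                        for r in later)
        ended = any(r.type == 'DAEMON_END' and r.ts - rec.ts <= restart_window_s
                    for r in later)
        findings.append({
            'ts': rec.ts,
            'pid': rec.fields.get('pid'),
            'restarted': restarted,
            'daemon_end_seen': ended,
            'severity': 'high' if restarted else 'critical',
        })
    return findings


def unrecovered_abort_count(findings):
    """Number of aborts that were never followed by a DAEMON_START."""
    return sum(1 for f in findings if not f['restarted'])


if __name__ == '__main__':
    results = detect_daemon_aborts(parse_audit_log(SAMPLE_AUDIT_LOG))
    for f in results:
        print(f)
    print('unrecovered aborts:', unrecovered_abort_count(results))
```

Feeding real `/var/log/audit/audit.log` content into `parse_audit_log` is enough to run this over a host; the window should be tuned to how quickly your service manager is expected to restart auditd.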
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Container
  • Process
ATT&CK Techniques
  • T1562.012
Created: 2025-06-06