
AppArmor Policy Violation Detected

Elastic Detection Rules

Summary
Detects Linux AppArmor policy violations where the kernel denies an action because it falls outside the active security profile. The rule relies on the auditd_manager integration and triggers when an audit event of type 'change' with action 'violated-apparmor-policy' is observed (host.os.type == linux). Such events can indicate attempted privilege escalation, restricted file access, or defense-evasion activity that AppArmor blocked. MITRE ATT&CK alignment is Defense Evasion (T1562, with T1562.001 Disable or Modify Tools).

Practical triage steps include identifying the implicated AppArmor profile and blocked resource, correlating with preceding process trees and host changes, reviewing recent deployments or profile modifications, and validating binaries against known-good versions.

Remediation emphasizes isolating the affected host, stopping the triggering process, hardening AppArmor policies, and restoring from trusted images if needed. False positives may arise from legitimate updates or maintenance tasks that temporarily alter file paths or socket usage; verify timing and user context to distinguish legitimate activity from potential abuse.
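To make the rule's condition and the triage fields concrete, here is an added example (not Elastic's rule code and not the auditd_manager integration) that parses raw auditd AVC records, normalizes an AppArmor denial into the ECS-style fields the summary names (host.os.type, event.type 'change', event.action 'violated-apparmor-policy'), evaluates the rule, and produces the profile/blocked-resource line a triager wants first. The mapping from an AVC record with apparmor="DENIED" to those event fields is an assumption modelled on the summary, the extra field names (apparmor.profile, apparmor.operation, file.path) are this example's own, and the audit lines are constructed, not captured from a host.

```python
"""Toy re-implementation of the AppArmor policy-violation detection logic.

Added example, not Elastic's rule or the auditd_manager code. Assumes raw
auditd records in the usual key=value form and maps AppArmor denials to the
ECS-style fields named in the rule summary.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample audit lines (not captured from a real system).
SAMPLE_AUDIT_LINES = [
    # Enforced profile blocks a web server reading a credential file.
    'type=AVC msg=audit(1710000000.101:201): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/nginx" name="/etc/shadow" pid=4242 comm="nginx" '
    'requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
    # Complain-mode profile: logged as ALLOWED, nothing was blocked.
    'type=AVC msg=audit(1710000000.102:202): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/nginx" name="/var/www/html/index.html" pid=4242 comm="nginx" '
    'requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
    # Unrelated record type; ignored by the rule.
    'type=SYSCALL msg=audit(1710000000.103:203): arch=c000003e syscall=2 success=no exit=-13',
    # Enforced profile blocks a document viewer from executing a shell.
    'type=AVC msg=audit(1710000000.104:204): apparmor="DENIED" operation="exec" '
    'profile="/usr/bin/evince" name="/bin/bash" pid=5151 comm="evince" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
]

# key=value pairs; values are either double-quoted or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Flatten one auditd record into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def to_ecs_event(fields: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Map an AVC denial to the rule's event fields (assumed mapping).

    Only records of type AVC with apparmor="DENIED" become events; everything
    else (ALLOWED complain-mode records, SYSCALL records) returns None.
    """
    if fields.get("type") != "AVC" or fields.get("apparmor") != "DENIED":
        return None
    return {
        "host.os.type": "linux",
        "event.type": "change",
        "event.action": "violated-apparmor-policy",
        "apparmor.profile": fields.get("profile"),
        "apparmor.operation": fields.get("operation"),
        "apparmor.denied_mask": fields.get("denied_mask"),
        "file.path": fields.get("name"),
        "process.pid": int(fields["pid"]) if "pid" in fields else None,
        "process.name": fields.get("comm"),
        "user.id": fields.get("fsuid"),
    }


def rule_matches(event: Dict[str, object]) -> bool:
    """The detection condition as stated in the rule summary."""
    return (
        event.get("host.os.type") == "linux"
        and event.get("event.type") == "change"
        and event.get("event.action") == "violated-apparmor-policy"
    )


def detect(lines: Iterable[str],
           known_benign: Set[Tuple[str, str, str]] = frozenset()) -> List[Dict[str, object]]:
    """Run the rule over raw audit lines and return the alerting events.

    known_benign holds (profile, operation, path) triples that were verified
    as expected maintenance noise; they are suppressed rather than alerted.
    """
    alerts = []
    for line in lines:
        event = to_ecs_event(parse_audit_line(line))
        if event is None or not rule_matches(event):
            continue
        key = (event["apparmor.profile"], event["apparmor.operation"], event["file.path"])
        if key in known_benign:
            continue
        alerts.append(event)
    return alerts


def triage_summary(alert: Dict[str, object]) -> str:
    """First triage line: which profile blocked what, for which process/user."""
    return (f'{alert["apparmor.profile"]} denied {alert["apparmor.operation"]} '
            f'(mask {alert["apparmor.denied_mask"]}) on {alert["file.path"]} '
            f'by {alert["process.name"]}[pid {alert["process.pid"]}] fsuid={alert["user.id"]}')


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LINES):
        print(triage_summary(alert))
```

Running the block prints one line per denial (two for the constructed input); passing a verified (profile, operation, path) triple in known_benign is the narrowest way to handle the maintenance-task false positives the summary mentions without muting the whole profile.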
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Kernel
ATT&CK Techniques
  • T1562
  • T1562.001
Created: 2026-03-20