Attempt to Disable Auditd Service

Elastic Detection Rules

Summary
This detection rule identifies attempts to stop or disable the Auditd service on Linux systems. Auditd is the userspace daemon of the Linux audit framework and is responsible for recording security-relevant events, so adversaries may disable it to evade detection and keep their subsequent actions out of the logs. The rule flags process executions indicative of stopping or disabling Auditd, such as `service` or `systemctl` invocations that target the auditd service with a stop or disable action. It is designed for Elastic Defend and can also be fed by process event data from other sources such as Elastic Endgame and CrowdStrike. The rule covers defense evasion tactics in which an attacker tries to impair logging capabilities, and it includes guidelines for investigation, likely false positive scenarios (such as legitimate administrative maintenance), and recommended responses to incidents involving suspicious attempts to disable critical security services.
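The following is an added example, not Elastic's rule or query, that implements the matching logic the summary describes and runs it over constructed process events shaped loosely after ECS fields. It goes slightly beyond the summary by also treating `chkconfig ... off` and `systemctl mask` as disabling actions, and it assumes a hypothetical allowlist of parent process names (here `auditd.prerm`, a package maintainer script name) to show where a false-positive exclusion would sit; all field names, sample events and the allowlist are assumptions for illustration.

```python
"""Example detection logic for attempts to stop or disable auditd.

Added illustration, not the Elastic rule itself. Events are simplified
ECS-like dicts; the sample events below are constructed for this example.
"""

# Constructed sample process-start events (not real telemetry).
SAMPLE_EVENTS = [
    {"host.os.type": "linux", "event.type": "start", "process.name": "systemctl",
     "process.args": ["systemctl", "stop", "auditd"], "process.parent.name": "bash"},
    {"host.os.type": "linux", "event.type": "start", "process.name": "service",
     "process.args": ["service", "auditd", "stop"], "process.parent.name": "sh"},
    {"host.os.type": "linux", "event.type": "start", "process.name": "systemctl",
     "process.args": ["systemctl", "disable", "auditd.service"], "process.parent.name": "bash"},
    {"host.os.type": "linux", "event.type": "start", "process.name": "chkconfig",
     "process.args": ["chkconfig", "auditd", "off"], "process.parent.name": "bash"},
    # Benign: a restart is not a stop/disable action.
    {"host.os.type": "linux", "event.type": "start", "process.name": "systemctl",
     "process.args": ["systemctl", "restart", "auditd"], "process.parent.name": "bash"},
    # Benign: stopping an unrelated unit.
    {"host.os.type": "linux", "event.type": "start", "process.name": "systemctl",
     "process.args": ["systemctl", "stop", "nginx"], "process.parent.name": "bash"},
    # Probable false positive: package maintainer script (assumed parent name).
    {"host.os.type": "linux", "event.type": "start", "process.name": "service",
     "process.args": ["service", "auditd", "stop"], "process.parent.name": "auditd.prerm"},
    # Not a process start event; the rule only looks at executions.
    {"host.os.type": "linux", "event.type": "end", "process.name": "systemctl",
     "process.args": ["systemctl", "stop", "auditd"], "process.parent.name": "bash"},
]

# Service-management binaries and the verbs that stop or disable a unit.
# "mask" and chkconfig "off" are generalizations beyond the summary text.
DISABLING_VERBS = {
    "service": {"stop"},
    "systemctl": {"stop", "disable", "mask"},
    "chkconfig": {"off"},
}
AUDITD_UNITS = {"auditd", "auditd.service"}
# Assumed allowlist of parent processes expected to stop auditd legitimately.
ALLOWLISTED_PARENTS = {"auditd.prerm"}


def is_disable_auditd(event):
    """True if the event is a Linux process start that stops/disables auditd."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    verbs = DISABLING_VERBS.get(event.get("process.name"))
    if not verbs:
        return False
    args = event.get("process.args", [])[1:]  # drop argv[0]
    # Argument order differs between tools (service NAME VERB vs systemctl VERB NAME),
    # so match on set membership rather than position.
    return bool(verbs.intersection(args)) and bool(AUDITD_UNITS.intersection(args))


def triage(event):
    """Return 'alert', 'expected' (allowlisted parent), or None (no match)."""
    if not is_disable_auditd(event):
        return None
    if event.get("process.parent.name") in ALLOWLISTED_PARENTS:
        return "expected"
    return "alert"


def run_detection(events):
    """Evaluate every event and return the per-event triage verdicts."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_detection(SAMPLE_EVENTS)):
        print(f"{verdict!s:>9}  {' '.join(event['process.args'])}")
```

Only the command-line patterns the summary names (plus the noted generalizations) are matched here; other ways of halting auditing, such as `auditctl -e 0` or sending a signal directly to the daemon, would not fire this logic and need separate coverage. When an `alert` verdict appears, check who ran it, the parent process and session, and whether auditing was re-enabled afterwards before treating it as benign maintenance.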
Categories
  • Endpoint
Data Sources
  • Process
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1562 (Impair Defenses)
  • T1562.001 (Disable or Modify Tools)
Created: 2024-08-28