[Rule Tuning] Name of rule Elastic Agent Service Terminated #5271

@alstolten

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml

Rule Tuning Type

False Negatives - Enhancing detection of true threats that were previously missed.

Description

I believe we should include

systemctl stop elastic-agent.service

in this rule to also detect if a user stops the service, as tab completion for systemctl matches on elastic-agent.service, while the rule currently only catches elastic-agent.

Example Data

No response
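To make the reported gap concrete, here is an added example (not code from the issue or from the detection-rules repository) that mimics exact-token matching on process arguments, which is an assumption about how the rule behaves, and runs it over constructed command lines including the tab-completed `elastic-agent.service` form:

```python
import os
import shlex

# Constructed sample command lines (not real telemetry).
SAMPLE_EVENTS = [
    "systemctl stop elastic-agent",                 # caught today
    "systemctl stop elastic-agent.service",         # tab-completed form: the gap
    "/usr/bin/systemctl stop elastic-agent.service",  # full path, same gap
    "systemctl status elastic-agent.service",       # benign, must not alert
    "systemctl stop nginx.service",                 # unrelated unit, must not alert
]


def _systemctl_args(cmdline):
    """Split a command line and return its args if the binary is systemctl."""
    args = shlex.split(cmdline)
    if not args or os.path.basename(args[0]) != "systemctl":
        return None
    return args


def matches_original(cmdline):
    """Hypothetical approximation of the current rule: 'stop' and the literal
    token 'elastic-agent' must both appear as separate arguments."""
    args = _systemctl_args(cmdline)
    return args is not None and "stop" in args and "elastic-agent" in args


def matches_tuned(cmdline):
    """Tuned variant: treat 'elastic-agent' and 'elastic-agent.service' as the
    same unit name by stripping the optional .service suffix before comparing."""
    args = _systemctl_args(cmdline)
    if args is None or "stop" not in args:
        return False
    return any(tok.removesuffix(".service") == "elastic-agent" for tok in args[1:])


def alerting(matcher, events=SAMPLE_EVENTS):
    """Return the sample events a given matcher would alert on."""
    return [e for e in events if matcher(e)]


if __name__ == "__main__":
    for name, m in (("original", matches_original), ("tuned", matches_tuned)):
        print(name, alerting(m))
```

Running the block shows the original matcher alerting only on the bare unit name while the tuned one also catches both `.service` variants without firing on the status check or the unrelated unit.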
