AppArmor Policy Violation Detected

Last updated: 2026-03-20
Created: 2026-03-20

About

Identifies events where the AppArmor security module blocked or restricted an operation due to a policy violation. AppArmor enforces mandatory access control policies that limit how processes interact with system resources such as files, network sockets, and capabilities. When a process attempts an action that is not permitted by the active profile, the kernel generates a policy violation event. While these events can occur during normal operation or misconfiguration, they may also indicate attempted privilege escalation, restricted file access, or malicious activity being prevented by the system's security policy.
Tags
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Auditd Manager
Language: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Defense Evasion (TA0005)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-auditd_manager.auditd-*
auditbeat-*
Related Integrations

auditd_manager

Query
file where host.os.type == "linux" and event.type == "change" and event.action == "violated-apparmor-policy"
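To make the query's conditions concrete, the following added Python example (not Elastic's code) applies the same predicate to constructed auditd_manager-style events and groups the hits by process and file path as a first triage pivot. Field names follow ECS; the sample values (process.name, file.path) are made up and not real telemetry.

```python
# Added example: evaluate this rule's EQL conditions over flattened ECS events.
from collections import Counter

# Field/value pairs copied from the rule's EQL query.
RULE_CONDITIONS = {
    "host.os.type": "linux",
    "event.type": "change",
    "event.action": "violated-apparmor-policy",
}
# The leading `file where` clause in EQL restricts event.category to "file".
RULE_CATEGORY = "file"


def matches_rule(event: dict) -> bool:
    """Return True when a flattened ECS event satisfies the rule's query."""
    category = event.get("event.category", [])
    if isinstance(category, str):  # ECS allows a single string or a list
        category = [category]
    if RULE_CATEGORY not in category:
        return False
    return all(event.get(f) == v for f, v in RULE_CONDITIONS.items())


def find_violations(events: list) -> list:
    """Filter events down to those the rule would alert on."""
    return [e for e in events if matches_rule(e)]


def summarise(matches: list) -> Counter:
    """Count alerts per (process.name, file.path): a useful triage pivot."""
    return Counter((m.get("process.name", "?"), m.get("file.path", "?")) for m in matches)


# Constructed sample events (not real telemetry); comments say why each does or
# does not fire. Values such as cupsd and /etc/shadow are placeholders.
SAMPLE_EVENTS = [
    {"host.os.type": "linux", "event.category": ["file"], "event.type": "change",
     "event.action": "violated-apparmor-policy", "process.name": "cupsd",
     "file.path": "/etc/shadow"},  # all conditions met: alert
    {"host.os.type": "linux", "event.category": ["file"], "event.type": "info",
     "event.action": "violated-apparmor-policy", "process.name": "cupsd",
     "file.path": "/etc/shadow"},  # event.type is not "change": no alert
    {"host.os.type": "linux", "event.category": ["process"], "event.type": "change",
     "event.action": "violated-apparmor-policy", "process.name": "cupsd"},  # not a file event
    {"host.os.type": "windows", "event.category": "file", "event.type": "change",
     "event.action": "violated-apparmor-policy", "process.name": "cupsd",
     "file.path": "/etc/shadow"},  # wrong OS: no alert
    {"host.os.type": "linux", "event.category": "file", "event.type": "change",
     "event.action": "violated-apparmor-policy", "process.name": "cupsd",
     "file.path": "/etc/shadow"},  # string-valued category also matches: alert
]

if __name__ == "__main__":
    for (proc, path), n in summarise(find_violations(SAMPLE_EVENTS)).items():
        print(f"{n} AppArmor violation(s): {proc} -> {path}")
```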

Install detection rules in Elastic Security

Detect this activity in the Elastic Security detection engine by installing the AppArmor Policy Violation Detected rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.