Hi there! My team has been trying to figure out a way to detect if a user turns off a service via Service Manager. Does anyone know of a way to setup a custom detection rule that would pick up and alert if this happens? And if so, can it be customzied to look for a specific service being shut off?
@awillett I don’t believe we have this event collected when a service is turned off, if you try taking this action there may be a pattern of behavior in the process start logs.
Just to share, these are the events we natively collect via Sysmon
Another thing you could look for is the absence of a service, like if you always expect X service to appear in Service Creation logs, then not seeing it would be suspicious, and you could build a Custom Inactivity Alert, or a Change Detection alert to alert for its total absence or using Change Detection, a relative change in for example, the number of unique machines running service X on a daily basis.
David