1 Reply Latest reply on Jun 22, 2017 3:40 PM by jhynds

    alerts for stopping windows services rule

    marcusmm8

      Anyone trying to trigger an alert when a service is stopped by the user? The below removes false positives when the system is shut down/rebooted, but any enhancements are welcome.

      One of the issues I found is that the username is 'unable to resolve'.

        • Re: alerts for stopping windows services rule
          jhynds

          Hi Marcos - the 'unable to resolve username' issue is a known issue with Windows event logging for services. The username was included in older OSes such as Server 2003, but the functionality was removed as of Server 2008. The only way to audit who stopped/started a service is to set up the auditing on a per-service basis, so you may just want to configure the auditing on your most critical services.

          When you stop a service, the event ID will be 7036 and the User will be N/A in the event log (hence the 'unable to resolve username' in LEM).

          [Screenshot: Screen Shot 2017-06-22 at 2.54.02 PM.png]

          If you follow the steps in this guide you can then start to monitor for Event ID 4656, which includes the action performed and by which user:

          [Screenshot: Screen Shot 2017-06-22 at 3.04.25 PM.png]

          These events look like this in LEM (AccessRequested shows the 'stop the service' action):

          [Screenshot: Screen Shot 2017-06-22 at 3.07.30 PM.png]

          Hope that helps!
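Added example (not part of the thread above, and not SolarWinds or Microsoft code): a PowerShell script that does what jhynds describes, on the assumption that the linked guide follows the usual per-service SACL approach. It adds an audit ACE to the security descriptor of each named service with `sc.exe sdset`, turns on the audit subcategory that emits 4656 for service objects, and then queries the Security log for 4656 events whose access mask includes SERVICE_STOP so you can see which account stopped which service. Assumptions, labelled in the comments: the SDDL rights mapping for services (RP = start, WP = stop, DT = pause/continue, DC = change config, SD = delete), the subcategory name "Other Object Access Events", and the 0x20 value of SERVICE_STOP; check these against the guide and your OS version before relying on the alert.

```powershell
# Added example, not from the thread or from SolarWinds LEM. Run elevated on the
# host whose services you want to audit.
#
# Assumptions (verify against your environment / the guide in the reply):
#  - service SDDL rights use the SCM mapping: RP=start, WP=stop, DT=pause/continue,
#    DC=change config, SD=delete;
#  - 4656 for "SERVICE OBJECT" is produced by the "Other Object Access Events"
#    subcategory under Object Access;
#  - SERVICE_STOP is access-mask bit 0x20 (winsvc.h).

function Enable-ServiceStopAuditing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $Name,
        [string] $Principal = 'WD'   # WD = Everyone; narrow to a group SID if you prefer
    )
    # Audit ACE: AU = audit, SA = log successful access, then the rights to watch.
    $ace = "(AU;SA;RPWPDTDCSD;;;$Principal)"

    foreach ($svc in $Name) {
        # sc sdshow prints blank lines around the SDDL; keep only the D:/S: line.
        $sddl = sc.exe sdshow $svc | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
        if (-not $sddl) { Write-Warning "No security descriptor returned for '$svc'"; continue }
        $sddl = $sddl.Trim()
        if ($sddl.Contains($ace)) { Write-Verbose "'$svc' already has the audit ACE"; continue }

        # Existing SACL: put our ACE at its head. No SACL yet: append one.
        $new = if ($sddl.Contains('S:')) { $sddl.Replace('S:', "S:$ace") } else { "${sddl}S:$ace" }

        if ($PSCmdlet.ShouldProcess($svc, "sc sdset $new")) {
            sc.exe sdset $svc $new | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "sc sdset failed for '$svc' (exit $LASTEXITCODE)" }
        }
    }

    # The SACL only turns into events once the subcategory is enabled (assumed name).
    if ($PSCmdlet.ShouldProcess('Local audit policy', 'auditpol /set Other Object Access Events')) {
        auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable /failure:enable | Out-Null
    }
}

function Get-ServiceStopEvents {
    # Returns one object per 4656 event that requested SERVICE_STOP on a service.
    # 7036 (System log) still shows User = N/A; this is the event to alert on instead.
    param([int] $Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4656; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data.ObjectType -ne 'SERVICE OBJECT') { return }
        $mask = [Convert]::ToInt32($data.AccessMask, 16)   # e.g. "0x20" -> 32
        if (($mask -band 0x20) -eq 0) { return }            # not a stop request

        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Service = $data.ObjectName
            Process = $data.ProcessName
            Mask    = ('0x{0:X}' -f $mask)
        }
    }
}

# Usage (elevated):
#   Enable-ServiceStopAuditing -Name 'Spooler','MSSQLSERVER' -Verbose
#   Get-ServiceStopEvents -Hours 48 | Format-Table -AutoSize
```

Two practical notes. The function audits Everyone (`WD`) because the point is to catch any interactive stop, including by local admins; if the SACL ACE is scoped to a single group, stops by accounts outside it still produce only 7036 with no user. And 4656 records the handle request, so a failed `net stop` by an unprivileged account shows up too (with `/failure:enable`), which is usually worth a lower-severity rule of its own in LEM.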