LoFP / a previously unseen service is not necessarily malicious. verify that the service is legitimate and that was installed by a legitimate process.

`wineventlog_system` EventCode=7036 
| rex field=Message "The (?<service>[-\(\)\s\w]+) service entered the (?<state>\w+) state" 
| where state="running" 
| lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen 
| where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) 
| table _time dest service 
| `first_time_seen_running_windows_service_filter`