LoFP / false positives could occur since service termination could happen due to multiple reasons

Techniques

Sample rules

Windows Service Terminated With Error

• source: sigma
• technicques:

Description

Detects Windows services that got terminated for whatever reason

Detection logic

condition: selection
selection:
  EventID: 7023
  Provider_Name: Service Control Manager