Forum Discussion
Is there any way to create a custom detection to detect when a service is stopped?
I have a service that I'd like to create an alert for if it is stopped, but I can't find any related events to the service stopping in MDE, and as far as I can tell, service status isn't recorded in ...
I ended up talking to MS about this, and the answer is you can't. They said MDE only monitors processes related to Windows.
Thanks for the update! If anyone at MS is reading: I appreciate that you can't have MDE collect absolutely everything, but service stoppage would be immensely useful in terms of identifying when a critical service is stopped no matter how the attacker got it.