I have a service that I'd like to create an alert for if it is stopped, but I can't find any related events to the service stopping in MDE, and as far as I can tell, service status isn't recorded in the registry.
Excellent question that I have as well. I want to detect when certain services are stopped, no matter the cause (e.g. Powershell, cmd, etc). But none of the MDE tables seem to record service stop events.
Thanks for the update! If anyone at MS is reading: I appreciate that you can't have MDE collect absolutely everything, but service stoppage would be immensely useful in terms of identifying when a critical service is stopped no matter how the attacker got it.
