EVID 4 : Service State Changed (Sysmon 8/9/10)

Event Details

Event Type:        Service State Change
Event Description: 4: Reports the state of the Sysmon service.
Event ID:          4

Log Fields and Parsing

This section details the log fields available in this log message type, along with the values parsed under both the LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that no value is parsed for that log field under that policy.

Log Field       LogRhythm Default     LogRhythm Default v2.0
--------------  --------------------  ----------------------
Provider        N/A                   N/A
EventID         <vmid>                <vmid>
Version         N/A                   N/A
Level           <severity>            <severity>
Task            <vendorinfo>          <vendorinfo>
Opcode          N/A                   N/A
Keywords        N/A                   <result>
TimeCreated     N/A                   N/A
EventRecordID   N/A                   N/A
Correlation     N/A                   N/A
Execution       N/A                   N/A
Channel         N/A                   N/A
Computer        <dname>               <dname>
Security        N/A                   N/A
State           <action>, <tag1>      <action>, <tag1>
Version         <version>             N/A
SchemaVersion   N/A                   N/A
UserId          <domain>, <login>     N/A
RuleName        <policy>              <policy>

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID  Rule Name                                Rule Type  Common Event                                  Classification
--------  ---------------------------------------  ---------  --------------------------------------------  --------------------
1009723   EVID 4 : Sysmon Stopped                  Sub Rule   Process/Service Stopped                       Startup and Shutdown
          EVID 4 : Sysmon Started                  Sub Rule   Process/Service Started                       Startup and Shutdown
          EVID 4 : Sysmon Service Started/Stopped  Base Rule  Process/Service Startup Or Shutdown Activity  Startup and Shutdown

LogRhythm Default v2.0

Regex ID  Rule Name                                      Rule Type  Common Event                                  Classification
--------  ---------------------------------------------  ---------  --------------------------------------------  --------------------
1011221   V 2.0 : EVID 4 : Sysmon Service State Changed  Base Rule  Process/Service Startup Or Shutdown Activity  Startup and Shutdown
          V 2.0 : EVID 4 : Sysmon Service Started        Sub Rule   Process/Service Started                       Startup and Shutdown
          V 2.0 : EVID 4 : Sysmon Service Stopped        Sub Rule   Process/Service Stopped                       Startup and Shutdown
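The following Python routine is an added illustration of both sections above (the field mapping and the sub-rule selection); it is not LogRhythm's parser or an MPE rule. It reads a constructed Event ID 4 record (placeholder GUID, host and account), emits the metadata fields the table lists for the chosen policy, and picks the sub-rule from the State value, falling back to the base rule otherwise; it assumes the first Version row in the table is the System element and the second is the EventData field.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed Sysmon Event ID 4 record (not a real capture); GUID, host and account are placeholders.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Microsoft-Windows-Sysmon" Guid="{00000000-0000-0000-0000-000000000000}"/>
  <EventID>4</EventID><Version>3</Version><Level>4</Level><Task>4</Task>
  <Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords>
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
  <Computer>ws01.example.local</Computer><Security UserID="S-1-5-18"/>
 </System>
 <EventData>
  <Data Name="State">Started</Data><Data Name="Version">10.42</Data>
  <Data Name="SchemaVersion">4.22</Data>
  <Data Name="UserId">EXAMPLE\\svc_sysmon</Data><Data Name="RuleName">-</Data>
 </EventData>
</Event>"""

# Rule names and common events are taken from the page's processing tables.
BASE_RULE = {"default": "EVID 4 : Sysmon Service Started/Stopped",
             "v2.0": "V 2.0 : EVID 4 : Sysmon Service State Changed"}
SUB_RULE = {
    "default": {"Started": ("EVID 4 : Sysmon Started", "Process/Service Started"),
                "Stopped": ("EVID 4 : Sysmon Stopped", "Process/Service Stopped")},
    "v2.0": {"Started": ("V 2.0 : EVID 4 : Sysmon Service Started", "Process/Service Started"),
             "Stopped": ("V 2.0 : EVID 4 : Sysmon Service Stopped", "Process/Service Stopped")},
}

def parse_eid4(xml_text, policy="v2.0"):
    """Map one Event ID 4 record to the metadata fields listed for the chosen policy."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    sys_text = lambda tag: system.findtext(f"e:{tag}", default="", namespaces=NS)
    state = data.get("State", "")
    out = {"vmid": sys_text("EventID"), "severity": sys_text("Level"),
           "vendorinfo": sys_text("Task"), "dname": sys_text("Computer"),
           "action": state, "tag1": state, "policy": data.get("RuleName", ""),
           "classification": "Startup and Shutdown"}
    if policy == "v2.0":
        out["result"] = sys_text("Keywords")        # Keywords is parsed only under v2.0
    else:
        out["version"] = data.get("Version", "")    # EventData Version, Default only
        domain, _, login = data.get("UserId", "").rpartition("\\")  # UserId, Default only
        out["domain"], out["login"] = domain, login
    # State selects the sub-rule; any other value falls back to the base rule.
    fallback = (BASE_RULE[policy], "Process/Service Startup Or Shutdown Activity")
    out["rule"], out["common_event"] = SUB_RULE[policy].get(state, fallback)
    return out
```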