I noticed a strong gap for particular types of Service Control Manager Windows event logs: service starting, stopping, installing, etc.
The use case was driven by a rule to detect privilege escalation attacks using PsExec, which show up as services installed on the target system by the attacking user.
The same parser can also be used for configuration change monitoring.
I obtained most of the event mappings from both real events and the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/dd349427(v=ws.10).aspx
Installation instructions:
Place the file in the $ARCSIGHT_HOME/current/user/agent/fcp/windowsfg/windows_2008/ (or windows_2012) folder.
The filename on mine is 'hardwareevents.service_control_manager.sdkkeyvaluefilereader.properties' because I am using Windows event forwarding.
If you are using a local Windows unified connector, change the first part of the filename from 'hardwareevents' to 'system'.
Have fun, arcsighters!
For example, event 7040 maps to:
External ID : 7040
Name : The start type of the service was changed
Message : The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start
and event 7000 maps to:
External ID : 7000
Name : Service failed to start
Message : The McAfee McShield service failed to start due to the following error: %53
Category Significance : Informational/Error
Category Behavior : /Execute/Start
Category Device Group : /Operating System
Category Outcome : /Failure
Category Object : Host/Application/Service
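As an added example (not part of the post or the connector file), here is the same mapping written out in Python over constructed sample messages, plus the service-install check behind the PsExec use case. The 7000 categories are the ones listed above; the 7040 and 7045 categories, the message regexes and the sample messages are my assumptions.

```python
import re

# Added example, not the post's parser: reproduces the mapping the FlexConnector
# performs for three Service Control Manager event IDs. Categories for 7000 are
# the post's; 7040/7045 categories, regexes and sample messages are assumed.
CATEGORIES = {  # externalId: (name, significance, behavior, outcome)
    7000: ("Service failed to start", "Informational/Error", "/Execute/Start", "/Failure"),
    7040: ("The start type of the service was changed", "Informational",
           "/Modify/Configuration", "/Success"),
    7045: ("A service was installed in the system", "Informational/Warning",
           "/Create", "/Success"),
}
FIELDS = ("name", "categorySignificance", "categoryBehavior", "categoryOutcome")

# Regexes approximating the Windows message templates for each event ID.
PATTERNS = {
    7000: re.compile(r"^The (?P<service>.+?) service failed to start due to the "
                     r"following error: (?P<error>\S+)"),
    7040: re.compile(r"^The start type of the (?P<service>.+?) service was changed "
                     r"from (?P<old>.+?) to (?P<new>.+)$"),
    7045: re.compile(r"Service Name:\s*(?P<service>.+?)\r?\n.*?Service File Name:\s*"
                     r"(?P<path>.+?)\r?\n.*?Service Account:\s*(?P<account>.+)", re.S),
}

def parse_scm_event(event_id, message):
    """Map one SCM event to ArcSight-style fields plus values parsed from its text."""
    if event_id not in CATEGORIES:
        return None  # unmapped event ID, left to the default parser
    event = dict(zip(FIELDS, CATEGORIES[event_id]))
    event.update(externalId=event_id, categoryDeviceGroup="/Operating System",
                 categoryObject="Host/Application/Service")
    match = PATTERNS[event_id].search(message)
    if match:
        event.update({k: v.strip() for k, v in match.groupdict().items()})
    return event

def service_install_alerts(events):
    """The post's use case: surface every 7045 with service name, binary and account."""
    parsed = (parse_scm_event(i, m) for i, m in events)
    return [e for e in parsed if e and e["externalId"] == 7045]

# Constructed sample messages (not captured logs).
SAMPLE_EVENTS = [
    (7040, "The start type of the Background Intelligent Transfer Service service "
           "was changed from demand start to auto start"),
    (7000, "The McAfee McShield service failed to start due to the following error: %53"),
    (7045, "A service was installed in the system.\r\n\r\nService Name:  PSEXESVC\r\n"
           "Service File Name:  %SystemRoot%\\PSEXESVC.exe\r\nService Type:  user mode "
           "service\r\nService Start Type:  demand start\r\nService Account:  LocalSystem"),
]
```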