I noticed a strong gap for particular types of service control manager Windows event logs for starting, stopping, installing, etc Windows events.

The use case for this was driven by a rule to look for privilege escalation attacks using PSEXEC:  Services were installed by the attacking user against the target system.

This can also be used for configuration change monitoring.

I obtained most of the event mappings from both real events and the Microsoft technet articles at #http://technet.microsoft.com/en-us/library/dd349427(v=ws.10).aspx

Installation instructions:

place into $ARCSIGHT_HOME/current/user/agent/fcp/windowsfg/windows_2008/ or windows_2012 folder.

The filename on mine is 'hardwareevents.service_control_manager.sdkkeyvaluefilereader.properties' because I am using Windows event forwarding.

If you are using a local Windows unified connector, change the first part of the filename from 'hardwareevents' to 'system'.

Have fun, arcsighters!

For example:

External ID : 7040

Name : The start type of the service was changed

Message : The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start

and

External ID : 7000

Name : Service failed to start

Message : The McAfee McShield service failed to start due to the following error: %53

Category Significance : Informational/Error

Category Behavior : /Execute/Start

Category Device Group : /Operating System

Category Outcome : /Failure

Category Object : Host/Application/Service