Update windows_event_logging_service_has_shutdown.yml

Author: nasbench

detections/endpoint/windows_event_logging_service_has_shutdown.yml

@@ -4,23 +4,13 @@ version: 1
 date: '2025-01-28'
 author: Mauricio Velazco, Splunk
 status: production
-type: Anomaly
-description: The following analytic detects the shutdown of the Windows Event Log
-  service using Windows Event ID 1100. This event is logged every time the service
-  stops, including during normal system shutdowns. Monitoring this activity is crucial
-  as it can indicate attempts to cover tracks or disable logging. If confirmed malicious,
-  an attacker could hide their activities, making it difficult to trace their actions
-  and investigate further incidents. Analysts should verify if the shutdown was planned
-  and review other alerts and data sources for additional suspicious behavior.
+type: Hunting
+description: The following analytic detects the shutdown of the Windows Event Log service by leveraging Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is crucial as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, an attacker could hide their activities, making it difficult to trace their actions and investigate further incidents. Analysts should verify if the shutdown was planned and review other alerts and data sources for additional suspicious behavior.
 data_source:
 - Windows Event Log Security 1100
-search: (`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime
-  max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter`
-how_to_implement: To successfully implement this search, you need to be ingesting
-  Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.
-known_false_positives: It is possible the Event Logging service gets shut down due
-  to system errors or legitimately administration tasks. Investigate the cause of this issue and apply additional filters as needed.
+search: (`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter`
+how_to_implement: To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.
+known_false_positives: It is possible the Event Logging service gets shut down due to system errors or legitimate administration tasks. Investigate the cause of this issue and apply additional filters as needed.
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100
 - https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads