Microsoft Sentinel Analytic Rules

Starting or Stopping HealthService to Avoid Detection

Rule name: Starting or Stopping HealthService to Avoid Detection
Description: This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.

The query requires a SACL to audit access requests to the service.
Required data connectors: SecurityEvents
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source URI: Security Events/Analytic Rules/StartStopHealthService.yaml
ARM template: 2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae.json
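// Starting or Stopping HealthService to Avoid Detection.
// Surfaces handle requests (EventID 4656) against the "HealthService" service
// object in the Service Control Manager, which is what stopping or starting the
// agent service looks like in the audit log. HealthService carries the agent's
// telemetry, so tampering with it is a defence-evasion indicator.
// Prerequisite: the HealthService service object needs a SACL that audits
// access requests; without it no 4656 events are generated and this query
// returns nothing.
SecurityEvent
| where EventID == 4656
// EventData arrives as XML; unpack every <Data Name="..."> element into its own
// column so ObjectServer / ObjectType / ObjectName can be filtered on.
| extend EventData = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)
// column_ifexists keeps the query valid on a time window where the pivot did
// not produce these columns (no matching events).
| extend ObjectServer = column_ifexists('ObjectServer', ""), ObjectType = column_ifexists('ObjectType', ""), ObjectName = column_ifexists('ObjectName', "")
| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)
| where ObjectServer =~ "SC Manager" and ObjectType =~ "SERVICE OBJECT" and ObjectName =~ "HealthService"
// NOTE(review): nothing filters on the access that was requested (4656 carries
// an access mask), so read-only handle requests also match — tune if noisy.
// Attach the logon session (EventID 4624) the handle request belongs to, via
// TargetLogonId, to recover who the actor is and where they came from.
// Comment out the join below if the SACL only audits users that are part of the
// Network logon users, i.e. with the user/group target pointing to "NU".
| join kind=leftouter (
  SecurityEvent
  | where EventID == 4624
) on TargetLogonId
// NOTE(review): after the join the 4624 side's IpAddress and Account land in
// IpAddress1 / Account1; the project below keeps the left-hand (4656) columns —
// confirm that is the intended source for the IP entity.
| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName
// Split the FQDN into host and DNS domain for the Host entity mapping; a bare
// host name (no '.') keeps the whole value as the domain.
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
// Split DOMAIN\user into the Account entity's NTDomain and Name identifiers.
| extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])
| extend timestamp = TimeGenerated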
triggerOperator: gt
queryFrequency: 1d
description: |
  'This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.
   The query requires a SACL to audit access requests to the service.'  
status: Available
kind: Scheduled
triggerThreshold: 0
- connectorId: SecurityEvents
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  - SecurityEvent
version: 1.0.2
queryPeriod: 1d
name: Starting or Stopping HealthService to Avoid Detection
OriginalUri: Security Events/Analytic Rules/StartStopHealthService.yaml
id: 2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae
- Solorigate
- DefenseEvasion
- T1562.001
severity: Medium
- fieldMappings:
  - identifier: FullName
    columnName: TargetAccount
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IpAddress
  entityType: IP
query: |
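  // Starting or Stopping HealthService to Avoid Detection.
  // Surfaces handle requests (EventID 4656) against the "HealthService" service
  // object in the Service Control Manager, which is what stopping or starting the
  // agent service looks like in the audit log. HealthService carries the agent's
  // telemetry, so tampering with it is a defence-evasion indicator.
  // Prerequisite: the HealthService service object needs a SACL that audits
  // access requests; without it no 4656 events are generated and this query
  // returns nothing.
  SecurityEvent
  | where EventID == 4656
  // EventData arrives as XML; unpack every <Data Name="..."> element into its own
  // column so ObjectServer / ObjectType / ObjectName can be filtered on.
  | extend EventData = parse_xml(EventData).EventData.Data
  | mv-expand bagexpansion=array EventData
  | evaluate bag_unpack(EventData)
  | extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
  | evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)
  // column_ifexists keeps the query valid on a time window where the pivot did
  // not produce these columns (no matching events).
  | extend ObjectServer = column_ifexists('ObjectServer', ""), ObjectType = column_ifexists('ObjectType', ""), ObjectName = column_ifexists('ObjectName', "")
  | where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)
  | where ObjectServer =~ "SC Manager" and ObjectType =~ "SERVICE OBJECT" and ObjectName =~ "HealthService"
  // NOTE(review): nothing filters on the access that was requested (4656 carries
  // an access mask), so read-only handle requests also match — tune if noisy.
  // Attach the logon session (EventID 4624) the handle request belongs to, via
  // TargetLogonId, to recover who the actor is and where they came from.
  // Comment out the join below if the SACL only audits users that are part of the
  // Network logon users, i.e. with the user/group target pointing to "NU".
  | join kind=leftouter (
    SecurityEvent
    | where EventID == 4624
  ) on TargetLogonId
  // NOTE(review): after the join the 4624 side's IpAddress and Account land in
  // IpAddress1 / Account1; the project below keeps the left-hand (4656) columns —
  // confirm that is the intended source for the IP entity.
  | project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName
  // Split the FQDN into host and DNS domain for the Host entity mapping; a bare
  // host name (no '.') keeps the whole value as the domain.
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  // Split DOMAIN\user into the Account entity's NTDomain and Name identifiers.
  | extend AccountName = tostring(split(TargetAccount, @'\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\')[0])
  | extend timestamp = TimeGenerated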
  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "workspace": {
      "type": "String"
  "resources": [
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae')]",
      "properties": {
        "alertRuleTemplateName": "2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae",
        "customDetails": null,
        "description": "'This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\n The query requires a SACL to audit access requests to the service.'\n",
        "displayName": "Starting or Stopping HealthService to Avoid Detection",
        "enabled": true,
        "entityMappings": [
            "entityType": "Account",
            "fieldMappings": [
                "columnName": "TargetAccount",
                "identifier": "FullName"
                "columnName": "AccountName",
                "identifier": "Name"
                "columnName": "AccountNTDomain",
                "identifier": "NTDomain"
            "entityType": "Host",
            "fieldMappings": [
                "columnName": "Computer",
                "identifier": "FullName"
                "columnName": "HostName",
                "identifier": "HostName"
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
            "entityType": "IP",
            "fieldMappings": [
                "columnName": "IpAddress",
                "identifier": "Address"
        "OriginalUri": " Security Events/Analytic Rules/StartStopHealthService.yaml",
        "query": "SecurityEvent\n| where EventID == 4656\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\n| extend ObjectServer = column_ifexists('ObjectServer', \"\"), ObjectType = column_ifexists('ObjectType', \"\"), ObjectName = column_ifexists('ObjectName', \"\")\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\n| where ObjectServer =~ \"SC Manager\" and ObjectType =~ \"SERVICE OBJECT\" and ObjectName =~ \"HealthService\"\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \"NU.\"\n| join kind=leftouter (\n  SecurityEvent\n  | where EventID == 4624\n) on TargetLogonId\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend AccountName = tostring(split(TargetAccount, @'\\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\\')[0])\n| extend timestamp = TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
        "tags": [
        "techniques": [
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"