Suspicious Event Log Service Behavior

Splunk Security Content

Summary
This analytic rule detects shutdown events of the Windows Event Log service by matching Windows Event ID 1100. This event is recorded each time the service stops, whether during a normal system shutdown or as the result of malicious activity. Tracking it matters because an unauthorized stop of the logging service can indicate an attacker trying to disable logging in order to conceal activity on the affected host. A stop that is unexpected and not part of regular system maintenance likely warrants further investigation. When triaging alerts from this rule, analysts should verify whether the shutdown was planned and cross-reference the event with other suspicious indicators in the environment.
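The triage step described above (match Event ID 1100, then decide whether the stop was planned) can be expressed as a small script. The following is an added example and not part of the Splunk Security Content rule: the sample events are constructed, the 02:00-04:00 maintenance window is an assumed site policy, and the correlation with Event ID 1074 (the standard Windows "system is being shut down/restarted by user or process" event) is an assumed triage heuristic rather than part of the rule itself.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields mimic the subset of
# Windows event data a SIEM typically normalizes: host, channel, provider,
# event id, timestamp and the account associated with the event.
SAMPLE_EVENTS = [
    # ws01: a planned reboot (1074) followed 30 seconds later by the log service stop (1100)
    {"host": "ws01", "channel": "System", "provider": "User32", "event_id": 1074,
     "time": "2024-11-13T22:00:10", "user": "CORP\\svc-patch"},
    {"host": "ws01", "channel": "Security", "provider": "Microsoft-Windows-Eventlog",
     "event_id": 1100, "time": "2024-11-13T22:00:40", "user": "-"},
    # ws02: log service stopped mid-morning with no shutdown event before it
    {"host": "ws02", "channel": "Security", "provider": "Microsoft-Windows-Eventlog",
     "event_id": 1100, "time": "2024-11-13T11:17:03", "user": "-"},
    # ws03: log service stopped inside the assumed maintenance window
    {"host": "ws03", "channel": "Security", "provider": "Microsoft-Windows-Eventlog",
     "event_id": 1100, "time": "2024-11-13T03:00:05", "user": "-"},
]

# Assumed site policy: patching happens between 02:00 and 04:00 local time.
MAINTENANCE_WINDOWS = [(2, 4)]


def parse_time(value):
    """Parse the ISO 8601 timestamp used in the constructed sample events."""
    return datetime.fromisoformat(value)


def in_maintenance_window(ts, windows=MAINTENANCE_WINDOWS):
    """True if the timestamp's hour falls inside any [start, end) window."""
    return any(start <= ts.hour < end for start, end in windows)


def find_log_service_shutdowns(events):
    """The detection itself: Event ID 1100 from the Windows Event Log provider."""
    return [
        e for e in events
        if e["event_id"] == 1100 and e["provider"] == "Microsoft-Windows-Eventlog"
    ]


def preceded_by_planned_shutdown(event, events, lookback=timedelta(minutes=5)):
    """Assumed heuristic: a 1074 on the same host shortly before the 1100
    explains the stop as part of a normal shutdown or restart."""
    ts = parse_time(event["time"])
    for other in events:
        if other["host"] == event["host"] and other["event_id"] == 1074:
            delta = ts - parse_time(other["time"])
            if timedelta(0) <= delta <= lookback:
                return True
    return False


def triage(events):
    """Label every 1100 hit as planned, maintenance, or suspicious."""
    findings = []
    for e in find_log_service_shutdowns(events):
        if preceded_by_planned_shutdown(e, events):
            verdict = "planned (shutdown event 1074 seen on host)"
        elif in_maintenance_window(parse_time(e["time"])):
            verdict = "maintenance window"
        else:
            verdict = "SUSPICIOUS: unexplained Event Log service stop"
        findings.append({"host": e["host"], "time": e["time"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']} {f['time']} -> {f['verdict']}")
```

Only the unexplained stop on ws02 should reach an analyst as a high-priority finding; the other two hits are still worth keeping as context, because an attacker who knows the patch schedule could time a log service stop to blend in with it.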
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1070
  • T1070.001
Created: 2024-11-13