Windows Event For Service Disabled

Splunk Security Content

Summary
This Splunk analytic detects when the start type of a Windows service is changed to disabled, by monitoring Windows System Event Log Event Code 7040. Such a change can indicate malicious activity: threat actors disable security services to weaken defenses and maintain persistence on a compromised host. The rule's search filters the event log for these events, counts occurrences, records the first and last time the change was observed, and groups results by the affected computer, event code, service name, and user ID. The implementation guide describes the log ingestion required for the rule to see these events. Known false positives include legitimate system activity such as service updates, so filtering is needed before the rule is used in production.
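The aggregation described above, reproduced in Python over constructed sample events as an added example (this is not the Splunk Security Content rule's own SPL or code). It assumes events carry the field names used by the Splunk Windows TA (`ComputerName`, `EventCode`, `Message`, `Sid`, `_time`), parses the Event ID 7040 message text to extract the service name and the new start type, keeps only changes to "disabled", groups by computer, event code, service and user, and counts with first/last seen. The `allowlist` parameter is the example's own hook for the false-positive filtering the summary mentions; the service names in the sample data are constructed.

```python
import re

# Message body of a System log Event ID 7040, e.g.
# "The start type of the Foo service was changed from auto start to disabled."
MSG_RE = re.compile(
    r"The start type of the (?P<service>.+?) service was changed "
    r"from (?P<old>.+?) to (?P<new>.+?)\.$"
)

# Constructed sample events (not real telemetry); field names follow the
# Splunk Windows TA convention. ISO-8601 timestamps compare as strings.
SAMPLE_EVENTS = [
    {"_time": "2024-11-13T08:00:01", "ComputerName": "ws01.corp.example",
     "EventCode": 7040, "Sid": "S-1-5-18",
     "Message": "The start type of the Windows Update service was changed "
                "from demand start to auto start."},
    {"_time": "2024-11-13T08:05:10", "ComputerName": "ws01.corp.example",
     "EventCode": 7040, "Sid": "S-1-5-21-1000",
     "Message": "The start type of the Windows Defender Antivirus Service "
                "service was changed from auto start to disabled."},
    {"_time": "2024-11-13T08:07:42", "ComputerName": "ws01.corp.example",
     "EventCode": 7040, "Sid": "S-1-5-21-1000",
     "Message": "The start type of the Windows Defender Antivirus Service "
                "service was changed from auto start to disabled."},
    {"_time": "2024-11-13T09:12:00", "ComputerName": "srv02.corp.example",
     "EventCode": 7040, "Sid": "S-1-5-18",
     "Message": "The start type of the Software Protection service was "
                "changed from auto start to disabled."},
    {"_time": "2024-11-13T09:13:00", "ComputerName": "srv02.corp.example",
     "EventCode": 7036, "Sid": "S-1-5-18",
     "Message": "The Software Protection service entered the stopped state."},
]

# Hypothetical allowlist of services whose disabling is known-benign in a
# given environment (the tuning step the rule's false-positive note asks for).
DEFAULT_ALLOWLIST = frozenset({"Software Protection"})


def parse_7040(event):
    """Return {'service', 'old', 'new'} for an Event ID 7040, else None."""
    if event.get("EventCode") != 7040:
        return None
    m = MSG_RE.match(event.get("Message", ""))
    return m.groupdict() if m else None


def detect_service_disabled(events, allowlist=frozenset()):
    """Group 'changed to disabled' events by host, event code, service and
    user; return count plus first/last seen, sorted by group key."""
    groups = {}
    for ev in events:
        parsed = parse_7040(ev)
        if not parsed or parsed["new"].lower() != "disabled":
            continue  # not a 7040, or the change was not to disabled
        if parsed["service"] in allowlist:
            continue  # environment-specific false-positive filter
        key = (ev["ComputerName"], ev["EventCode"], parsed["service"], ev["Sid"])
        g = groups.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return [
        {"ComputerName": k[0], "EventCode": k[1], "service": k[2], "Sid": k[3], **v}
        for k, v in sorted(groups.items())
    ]


if __name__ == "__main__":
    for row in detect_service_disabled(SAMPLE_EVENTS, DEFAULT_ALLOWLIST):
        print(row)
```

The `Sid` field stands in for the rule's user ID grouping; parsing the message text is what lets the search distinguish a change to disabled from the many benign 7040 events that switch a service between automatic and manual start.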
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-11-13