GIM Category: service
The Service category covers events related to the installation, configuration, and operation of system services or daemons. These events indicate when services are started, stopped, installed, removed, enabled, disabled, or reconfigured. They are generated by operating systems, service managers (such as Windows SCM or systemd), and security tools monitoring service state changes.
start
Events indicating that a system service or daemon was requested to start.
These may originate from user actions, process commands, or automated startup routines during system boot.
The outcome (success or failure) should be represented in the event_outcome field,
not by the event type itself.
Required Fields
event_outcomeservice_nameuser_name
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
|
210000 |
service |
service.start |
service started |
An attempt was made to start a system service or daemon, regardless of whether it succeeded. |
stop
Events indicating that a system service or daemon was requested to stop.
These may result from administrative actions, process terminations, system shutdown sequences,
or dependency resolution within the operating system's service manager.
The event type represents the intent to stop the service, while the outcome (success or failure)
is represented by the event_outcome field.
Required Fields
event_outcomeservice_nameuser_name
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
|
210100 |
service |
service.stop |
service stopped |
An attempt was made to stop a system service or daemon, regardless of whether it succeeded. |
configuration
Events indicating that a system service or daemon configuration was modified or a change was requested.
This may include adjustments to startup parameters, dependencies, execution credentials,
or the service’s run mode (for example, automatic vs. manual start).
These events describe the intent to alter configuration settings; the event_outcome field
should be used to determine whether the change succeeded or failed.
Required Fields
event_outcomeservice_nameuser_name
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
|
211000 |
service |
service.configuration |
service configuration change |
A configuration change was attempted for a system service or daemon, regardless of whether it succeeded. |
state
Events representing attempts to change the state of a system service or daemon.
This includes installing or removing a service, as well as enabling or disabling it
within the operating system’s service management framework.
The state subcategory captures lifecycle transitions that affect whether a service exists
or is allowed to run, but not its runtime configuration parameters.
The event_outcome field should indicate whether the state change succeeded or failed.
Required Fields
service_name
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
|
211500 |
service |
service.state |
service installed |
An attempt was made to install or register a system service or daemon. |
|
|
211501 |
service |
service.state |
service removed |
An attempt was made to remove or unregister a system service or daemon. |
|
|
211502 |
service |
service.state |
service enabled |
An attempt was made to enable a system service or daemon within the operating system's service manager. |
|
|
211503 |
service |
service.state |
service disabled |
An attempt was made to disable a system service or daemon within the operating system's service manager. |
|
|
211504 |
service |
service.state |
service error |
An error occurred while attempting to change the state of a system service or daemon. |
default
A generic category for events related to system services or daemons that do not match a more specific subcategory (such as start, stop, configuration, or state). These events may represent vendor-specific messages, informational logs, or unclassified service-related activity. The default subcategory ensures that all service-related events can be captured even if they cannot be normalized further.
Required Fields
service_name
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
|
219999 |
service |
service.default |
service message |
A general message related to a system service or daemon that does not map to a more specific subcategory. Used as a fallback for unclassified service-related activity. |
