From what you described i dont think you want a risk based rule. as risk based rules will trigger based on theasholds and weightings assigned to assets. what you said you wanted is an alarm when a service or application goes down.
if its a service you can monitor it using the following type of rule:
Signature ID in 43-216070360
Command in Stopped
Application in "Application or Service display name"