This isn't straightforward, because it depends on the events and the data source. I am not sure ePO will send an event when it gets disabled; I will have to look into it. But depending on whether you collect the Windows logs from the systems (which most of the time we will for certain servers, but not all endpoints), you could create a rule that monitors the Windows event service.
So, for example, you could create a rule that uses Sig ID 43-216070360, where the command is "stopped" and the application is McAfee McShield. Can you test that and see if it works for your use case?
I did a search for Sig ID 43-216070360 and got results with "Service $1 entered state $2". State $2 includes both "stopped" and "running". Also, this ID covers a lot of other services; how do I weed them out and only alert on McAfee VirusScan Enterprise?
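The filtering the two posts above are discussing (keep only the "Service $1 entered state $2" events where $1 is the McShield service and $2 is "stopped", and drop the "running" transitions, the other services, and unrelated events such as 4624 logons) can be sanity-checked outside the SIEM before building the correlation rule. The script below is an added example, not part of this thread or of any McAfee product; the log lines it runs over are constructed to imitate the shape of Windows System event 7036 and are not real data.

```python
import re

# Constructed sample lines imitating Windows System event 7036
# ("The <service> service entered the <state> state."), plus one
# Security event 4624 line as noise. Made up for this example.
SAMPLE_EVENTS = [
    "7036 The Windows Update service entered the running state.",
    "7036 The McAfee McShield service entered the stopped state.",
    "7036 The McAfee McShield service entered the running state.",
    "4624 An account was successfully logged on. Account Name: alice",
    "7036 The Print Spooler service entered the stopped state.",
    "7036 The McAfee Framework Service service entered the stopped state.",
]

# Generic "Service $1 entered state $2" message: group 'service' is $1,
# group 'state' is $2. Non-7036 lines never match this pattern.
SERVICE_STATE_RE = re.compile(
    r"^7036 The (?P<service>.+?) service entered the (?P<state>\w+) state\.$"
)


def parse_service_event(line):
    """Return (service, state) for a 7036-style line, or None otherwise."""
    m = SERVICE_STATE_RE.match(line)
    if not m:
        return None
    return m.group("service"), m.group("state").lower()


def find_av_stops(lines, service_keyword="mcshield", state="stopped"):
    """Keep only events where the AV service entered the given state.

    Both conditions are required, so 'running' transitions, other services
    (Spooler, Framework Service) and the 4624 logon line are all discarded.
    """
    hits = []
    for line in lines:
        parsed = parse_service_event(line)
        if parsed is None:
            continue
        service, st = parsed
        if service_keyword in service.lower() and st == state:
            hits.append((service, st))
    return hits


if __name__ == "__main__":
    for service, st in find_av_stops(SAMPLE_EVENTS):
        print(f"ALERT: {service} entered the {st} state")
```

Running it prints a single alert for the McShield stop; the same two-condition match (service name plus state) is what the correlation rule's Application and Command parameters need to express.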
Testing this now. Will update with result. Thanks again!
I created the correlation rule with that Sig ID (43-216070360) and the parameters for Command and Application. However, somehow this rule is triggering every time a successful logon is detected (4624), even though I don't have the Sig ID for that event anywhere in the rule. Any idea?
Just came across this post of yours and wanted to ask if you had success implementing the rule?
Thanks in advance.