Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager
Re: LEM questions on windows event filtering

1 - I’ve looked and see no events on the lem when we clear the event log


That's odd - but if they are in the event log and for some reason not being captured, that's fixable on the connector side.


2 - We are not sure what you mean.


My question is, I suppose, whether you already have log data you're looking for that shows this that you want to automate, or if you're looking for ways that you could detect it. If you've already got events in mind, we can automate that.


4 - So we need to look at the registry and not the log files?


To my knowledge this won't appear in log files - but if you have evidence otherwise, again, we can automate that. Based on what I know and have seen in the field, the log WILL show when a new service starts, but it WON'T show when a new service is created but not yet started. Since that data does exist in the registry, you can use LEM's built in File Integrity Monitoring to look for it there. Or, if knowing when a service starts is sufficient, you can do that, but to do that you'd want to build a list of "known" services.


5 - We can't rely on the AV to tell us that it's been disabled. We can't see those service stopped events reaching the LEM.


That's true - so the question is back to what log data you do have that shows you that.
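As an added example (not code from the post or from SolarWinds), this PowerShell script implements the "known services" baseline idea from the reply: it reads the service keys directly from the registry, so a service that has been created but never started is still reported. The baseline file path and the fields stored in it are assumptions.

```powershell
# Added example: baseline HKLM\SYSTEM\CurrentControlSet\Services and report keys
# that were not in the baseline, including services created but not yet started.
# $BaselinePath is an assumed location; run once with -UpdateBaseline to seed it.
param(
    [string]$BaselinePath = "$env:ProgramData\ServiceBaseline.json",
    [switch]$UpdateBaseline
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Collect every service key plus the values that identify what it runs.
$current = Get-ChildItem -Path $servicesKey | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Name      = $_.PSChildName
        ImagePath = $props.ImagePath
        Start     = $props.Start     # 2 = auto, 3 = manual, 4 = disabled
        Type      = $props.Type
    }
}

if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) keys)."
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($svc in $baseline) { $known[$svc.Name] = $svc }

foreach ($svc in $current) {
    if (-not $known.ContainsKey($svc.Name)) {
        # In the registry but absent from the baseline: created since the baseline
        # was taken, whether or not it has ever started.
        $status = (Get-Service -Name $svc.Name -ErrorAction SilentlyContinue).Status
        Write-Warning ("New service key: {0} ImagePath={1} Start={2} Status={3}" -f $svc.Name, $svc.ImagePath, $svc.Start, $status)
    }
    elseif ($known[$svc.Name].ImagePath -ne $svc.ImagePath) {
        # Same name, different binary: worth a look even though nothing is "new".
        Write-Warning ("ImagePath changed for {0}: '{1}' -> '{2}'" -f $svc.Name, $known[$svc.Name].ImagePath, $svc.ImagePath)
    }
}
```

Scheduling this alongside LEM's File Integrity Monitoring on the same key gives you both the real-time change alert and a periodic diff you can review.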

