uberAgent
Scheduled Task Metrics
Scheduled Tasks
uberAgent collects detailed scheduled task information like the task name, the author as well as if it has actions.
Details
- Source type:
uberAgentESA:System:ScheduledTasks
- Used in dashboards: Scheduled Tasks
- Enabled through configuration setting:
ScheduledTaskMonitoring
- Related configuration settings: n/a
- Supported platform: Windows
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Example |
---|---|---|---|---|
TaskEventType | Scheduled task event type. Possible values: 0 , 1 , 2 . See also TaskEventDisplayName . |
Number | 2 | |
TaskFolder | Folder where the scheduled task is stored. | String | \Microsoft\Windows\Flighting\OneSettings | |
TaskName | Scheduled task name. | String | RefreshCache | |
TaskUserName | Account that created, changed, or deleted the task. Possible values: sys , lvc , nvc or any other user. The first three will be expanded in the field TaskPrincipalExpanded through the lookup [systemusers] from the uberAgent UXM Splunk app. |
String | AD\JohnDoe | |
TaskPrincipal | Account that is used when running the task. Possible values: sys , lvc , nvc or any other user. The first three will be expanded in the field UserNameExpanded through the lookup [systemusers] from the uberAgent UXM Splunk app. |
String | sys | |
LogonType | The logon type for the account configured in the field TaskPrincipal . Possible values: 0 , 1 , 2 , 3 , 4 , 5 , 6 . See also LogonTypeDisplayName . |
Number | 5 | |
Elevated | Indicates whether the task is running elevated or not. Possible values: 0 , 1 . |
Number | 0 | |
TaskAuthor | Author that created the task. Can be any string and will often be empty. | String | Microsoft Corporation | |
TaskHidden | Indicates if the task is hidden in the UI or not. Possible values: 0 , 1 . |
String | 0 | |
WakeToRun | Indicates if the Task Scheduler will wake the computer when it is time to run the task. Possible values: 0 , 1 . |
String | 0 | |
HasActions | Indicates if the task has actions. Actions are send separately in the source type uberAgentESA:System:ScheduledTaskActions . Possible values: 0 , 1 . |
String | 1 |
List of Calculated Fields
Field | Description | Data type | Unit | Example | Where available |
---|---|---|---|---|---|
TaskPath |
TaskFolder + TaskName . |
String | \Microsoft\Windows\Flighting\OneSettings\RefreshCache | Splunk data model | |
time |
_time . |
Number | 2020-04-06T14:48:01.394+02:00 | Splunk data model | |
UserNameExpanded | coalesce(UserNameExpanded,TaskUserName). | String | SYSTEM | Splunk data model | |
LogonTypeDisplayName | Expansion for the field LogonType based on the lookup scheduledtasks_logontypes . Possible values: Unspecified : used for non-NT credentials.UsePassword : use a password for logging on the user.ServiceForUser : the service will log the user on using Service For User (S4U), and the task will run in a non-interactive desktop.LogonInteractive : user must already be logged on. The task will be run only in an existing interactive session.LogonGroup : group activation. The groupId field specifies the group.ServiceAccount : indicates that a Local System, Local Service, or Network Service account is being used as a security context to run the task.InteractiveOrPassword : not in use. |
String | ServiceAccount | Splunk data model, Splunk SPL | |
TaskEventDisplayName | Expansion for the field TaskEventType based on the lookup scheduledtasks_eventtypes . Possible values: Created , Updated , Deleted . |
String | Updated | Splunk data model, Splunk SPL |
Scheduled Task Actions
uberAgent collects details about configured actions of scheduled tasks like the action type, the path to the exe as well as mail settings.
Details
- Source type:
uberAgentESA:System:ScheduledTaskActions
- Used in dashboards: Scheduled Tasks
- Enabled through configuration setting:
ScheduledTaskMonitoring
- Related configuration settings: n/a
- Supported platform: Windows
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Example |
---|---|---|---|---|
TaskPath | Task path. | String | \Microsoft\Windows\WindowsUpdate\Scheduled Start | |
IsDeprecated | Indicates if the task is deprecated or not. Possible values: 0 , 1 . |
String | 0 | |
ActionType | The configured action. Possible values: 0 , 1 , 2 , 3 . See also ActionTypeDisplayName . |
Number | 2 | |
ActionListIndex | Represents the position in the list of configured actions. 1 means that the action is at the top of the list, 2 represents the second position, and so on. | Number | 1 | |
ExePath | Path to the executable which is run. Only filled if ActionTypeDisplayName is ExecutableAction . |
String | C:\WINDOWS\system32\sc.exe | |
ExeArguments | Arguments of the executable which is run. Only filled if ActionTypeDisplayName is ExecutableAction . |
String | start wuauserv | |
ExeWorkingDir | Working dir of the executable which is run. Only filled if ActionTypeDisplayName is ExecutableAction . |
String | C:\WINDOWS\system32 | |
ComClsid | COM action ID. Only filled if ActionTypeDisplayName is ComAction . |
String | b1aebb5d-ead9-4476-b375-9c3ed9f32afc | |
ComData | COM action data. Only filled if ActionTypeDisplayName is ComAction . |
String | timer | |
ComBinary | COM action binary. Only filled if ActionTypeDisplayName is ComAction . |
String | %SystemRoot%\System32\sppcext.dll | |
ComHandlerDescription | COM action handler description. Only filled if ActionTypeDisplayName is ComAction . |
String | SppSvcRestartTaskHandler Class> | |
ComRemoteComputer | COM action remote computer. Only filled if ActionTypeDisplayName is ComAction . |
String | ||
ComServiceName | COM action service name. Only filled if ActionTypeDisplayName is ComAction . |
String | wuauserv | |
AutoElevated | Indicates if the COM action runs auto-elevated. Only filled if ActionTypeDisplayName is ComAction . Possible values: 0 , 1 . |
String | 0 | |
EmailBcc | Email Bcc value. Only filled if ActionTypeDisplayName is EmailAction . |
String | johndoe@company.com | |
EmailCc | Email Cc value. Only filled if ActionTypeDisplayName is EmailAction . |
String | johndoe@company.com | |
EmailFrom | Email sender. Only filled if ActionTypeDisplayName is EmailAction . |
String | Alerting@company.com | |
EmailServer | Email server. Only filled if ActionTypeDisplayName is EmailAction . |
String | mail.company.com | |
EmailSubject | Email subject. Only filled if ActionTypeDisplayName is EmailAction . |
String | Very urgent altert | |
EmailTo | Email recipient. Only filled if ActionTypeDisplayName is EmailAction . |
String | alerts@company.com | |
MsgTitle | Message title. Only filled if ActionTypeDisplayName is MessageAction . |
String | Some title | |
MsgContent | Message content. Only filled if ActionTypeDisplayName is MessageAction . |
String | Some content |
List of Calculated Fields
Field | Description | Data type | Unit | Example | Where available |
---|---|---|---|---|---|
ActionTypeDisplayName | Expansion of the field ActionType based on the lookup scheduledtasks_actiontypes . Possible values: ExecutableAction , ComAction , EmailAction , MessageAction . |
String | ExecutableAction | Splunk data model, Splunk SPL | |
time |
_time . |
Number | 2020-04-06T14:48:01.394+02:00 | Splunk data model |
Scheduled Task Triggers
uberAgent collects details about configured triggers of scheduled tasks like the trigger type as well as the repetition.
Details
- Source type:
uberAgentESA:System:ScheduledTaskTriggers
- Used in dashboards: Scheduled Tasks
- Enabled through configuration setting:
ScheduledTaskMonitoring
- Related configuration settings: n/a
- Supported platform: Windows
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Example |
---|---|---|---|---|
TaskPath | Task path. | String | \Microsoft\Windows\Device Information\Device | |
TriggerId | Identifier for the trigger. Is often empty. | String | NightlyTrigger | |
TriggerType | Trigger type. Possible values: 0 , 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 10 , 11 , 12 . See also TriggerTypeDisplayName . |
Number | 1 | |
EventTriggerSubscription | A query string that identifies the event that fires the trigger. | String | <query id='1'><select path='System'>*[System/Level=2]</select></query> |
|
EventTriggerNumValues | The number of queries specified on the matching event. | Number | 2 | |
TriggerUserId | The ID of the user that fires the trigger (only in State-change trigger and logon trigger). | String | AD\JohnDoe |
|
LogonTriggerPossiblyGroup | The ID displayed in the field TriggerUserId is possibly the ID of user-group, instead of an individual user. Possible values: 0 , 1 . |
String | 1 | |
TriggerEnabled | Indicates if the trigger is enabled or not. Possible values: 0 , 1 . |
String | 1 | |
TriggerStartBoundary | The start date when the trigger is active. | String | 2020-04-09 15:41:27.000 +0200 | |
TriggerEndBoundary | The end date after which the trigger is not active anymore. | String | 2020-04-11 15:41:27.000 +0200 | |
TriggerRepetitionDuration | For how long the repetition pattern (repetition interval) is repeated, see ISO8601 Durations. | String | PT23H59M | |
TriggerRepetitionInterval | The repetition pattern (e.g. daily,monthly, etc.), see ISO8601 Durations. | String | PT2H | |
TriggerRepetitionStopAtDurationEnd | Indicates whether a running task is stopped when the repetition pattern duration expires. Possible values: 0 , 1 . |
String | 0 | |
TriggerListIndex | Represents the position in the list of configured triggers. 1 means that the trigger is at the top of the list, 2 represents the second position, and so on. | Number | 1 | |
DayDisplayName | Indicates on which days the trigger runs. | String | Sunday | |
WeekDisplayName | Indicates on which weeks the trigger runs. | String | First;Second;Third;Fourth | |
MonthDisplayName | Indicates in which months the trigger runs. | String | Jan;Feb;Mar;Apr;May;Jun;Jul;Aug;Sep;Oct;Nov;Dec | |
DayOfMonthDisplayName | Indicates on which days of a month the trigger runs. | String | 1;15;30 | |
DailyTriggerDaysInterval | The number of days between the subsequent firing of the daily trigger. | Number | 2 | |
WeeklyTriggerWeeksInterval | The number of weeks between the subsequent firing of the weekly trigger. | Number | 3 | |
MonthlyTriggerRunOnLastDayOfMonth | Indicates if the monthly trigger is fired on the last day of the month. Possible values: 0 , 1 . |
String | 1 | |
MonthlyDowTriggerRunOnLastWeekOfMonth | Indicates if the monthly day-of-week trigger is fired on the last week of the month. Possible values: 0 , 1 . |
String | 1 | |
StateChangeId | User session state change ID. Only filled if TriggerTypeDisplayName is SessionStateChangeTrigger . Possible values: 0 , 1 , 2 , 3 , 4 , 7 , 8 . See also StateChangeDisplayName . |
String | 1 | |
WnfTriggerStateName | Windows Notification Facility (WNF) state name. Also see WnfIdDisplayName . |
String | 1192063AA3BC0875 |
List of Calculated Fields
Field | Description | Data type | Unit | Example | Where available |
---|---|---|---|---|---|
StateChangeDisplayName | Expansion of the field StateChange based on the lookup scheduledtasks_sessionstatechanges . Possible values: UndefinedStateChange0 , ConsoleConnect , ConsoleDisconnect , RemoteConnect , RemoteDisconnect , UndefinedStateChange1 , UndefinedStateChange2 , SessionLock , SessionUnlock . |
String | ConsoleConnect | Splunk data model, Splunk SPL | |
TriggerTypeDisplayName | Expansion of the field TriggerType based on the lookup scheduledtasks_triggertypes . Possible values: EventTrigger , TimeTrigger , DailyTrigger , WeeklyTrigger , MonthlyTrigger , MonthlyDowTrigger , IdleTrigger , RegistrationTrigger , BootTrigger , LogonTrigger , UndefinedTrigger , SessionStateChangeTrigger , CustomTrigger01 . Further explanations on these triggers are available in the lookup scheduledtasks_triggertypes . |
String | SessionStateChangeTrigger | Splunk data model, Splunk SPL | |
time |
_time . |
Number | 2020-04-06T14:48:01.394+02:00 | Splunk data model | |
WnfIdDisplayName | Expansion of the field WnfTriggerStateName based on the lookup wnf_ids . Further explanations on the collected WNF IDs are available in the lookup wnf_ids . |
String | WNF_RTDS_NAMED_PIPE_TRIGGER_CHANGED | Splunk data model, Splunk SPL |
Scheduled Task Metrics
Copied!
Failed!