Scheduled Task Metrics
Scheduled Tasks
uberAgent collects detailed information about each scheduled task, such as the task name, the author, the account the task runs as, and whether the task has actions.
Details
- Source type: uberAgentESA:System:ScheduledTasks
- Used in dashboards: Scheduled Tasks
- Enabled through configuration setting: ScheduledTaskMonitoring
- Related configuration settings: n/a
- Supported platform: Windows
List of Fields in the Raw Agent Data
| Field | Description | Data type | Unit | Example |
|---|---|---|---|---|
| TaskEventType | Scheduled task event type. Possible values: 0, 1, 2. See also TaskEventDisplayName. | Number | | 2 |
| TaskFolder | Folder where the scheduled task is stored. | String | | \Microsoft\Windows\Flighting\OneSettings |
| TaskName | Scheduled task name. | String | | RefreshCache |
| TaskUserName | Account that created, changed, or deleted the task. Possible values: sys, lvc, nvc, or any other user. The first three are expanded in the field UserNameExpanded through the lookup [systemusers] from the uberAgent UXM Splunk app. | String | | AD\JohnDoe |
| TaskPrincipal | Account the task runs as. Possible values: sys, lvc, nvc, or any other user. The first three are expanded in the field TaskPrincipalExpanded through the lookup [systemusers] from the uberAgent UXM Splunk app. | String | | sys |
| LogonType | Logon type for the account in TaskPrincipal. Possible values: 0, 1, 2, 3, 4, 5, 6. See also LogonTypeDisplayName. | Number | | 5 |
| Elevated | Whether the task runs elevated. Possible values: 0, 1. | Number | | 0 |
| TaskAuthor | Author that created the task. Can be any string and is often empty. | String | | Microsoft Corporation |
| TaskHidden | Whether the task is hidden in the Task Scheduler UI. Possible values: 0, 1. | String | | 0 |
| WakeToRun | Whether the Task Scheduler wakes the computer when it is time to run the task. Possible values: 0, 1. | String | | 0 |
| HasActions | Whether the task has actions. Actions are sent separately in the source type uberAgentESA:System:ScheduledTaskActions. Possible values: 0, 1. | String | | 1 |
List of Calculated Fields
| Field | Description | Data type | Unit | Example | Where available |
|---|---|---|---|---|---|
| TaskPath | TaskFolder + TaskName. | String | | \Microsoft\Windows\Flighting\OneSettings\RefreshCache | Splunk data model |
| time | _time. | Number | | 2020-04-06T14:48:01.394+02:00 | Splunk data model |
| UserNameExpanded | coalesce(UserNameExpanded, TaskUserName). | String | | SYSTEM | Splunk data model |
| LogonTypeDisplayName | Expansion of the field LogonType based on the lookup scheduledtasks_logontypes. Possible values, in the order of LogonType 0 to 6: Unspecified (used for non-NT credentials); UsePassword (a password is used to log the user on); ServiceForUser (the service logs the user on using Service For User, S4U, and the task runs on a non-interactive desktop); LogonInteractive (the user must already be logged on; the task runs only in an existing interactive session); LogonGroup (group activation; the groupId field specifies the group); ServiceAccount (a Local System, Local Service, or Network Service account is used as the security context to run the task); InteractiveOrPassword (not in use). | String | | ServiceAccount | Splunk data model, Splunk SPL |
| TaskEventDisplayName | Expansion of the field TaskEventType based on the lookup scheduledtasks_eventtypes. Possible values: Created, Updated, Deleted. | String | | Updated | Splunk data model, Splunk SPL |
Scheduled Task Actions
uberAgent collects details about the configured actions of scheduled tasks, such as the action type, the path to the executable, and mail settings.
Details
- Source type: uberAgentESA:System:ScheduledTaskActions
- Used in dashboards: Scheduled Tasks
- Enabled through configuration setting: ScheduledTaskMonitoring
- Related configuration settings: n/a
- Supported platform: Windows
List of Fields in the Raw Agent Data
| Field | Description | Data type | Unit | Example |
|---|---|---|---|---|
| TaskPath | Task path. | String | | \Microsoft\Windows\WindowsUpdate\Scheduled Start |
| IsDeprecated | Whether the task is deprecated. Possible values: 0, 1. | String | | 0 |
| ActionType | The configured action. Possible values: 0, 1, 2, 3. See also ActionTypeDisplayName. | Number | | 2 |
| ActionListIndex | Position in the list of configured actions: 1 is the top of the list, 2 the second position, and so on. | Number | | 1 |
| ExePath | Path to the executable that is run. Only filled if ActionTypeDisplayName is ExecutableAction. | String | | C:\WINDOWS\system32\sc.exe |
| ExeArguments | Arguments passed to the executable. Only filled if ActionTypeDisplayName is ExecutableAction. | String | | start wuauserv |
| ExeWorkingDir | Working directory of the executable. Only filled if ActionTypeDisplayName is ExecutableAction. | String | | C:\WINDOWS\system32 |
| ComClsid | Class ID (CLSID) of the COM handler. Only filled if ActionTypeDisplayName is ComAction. | String | | b1aebb5d-ead9-4476-b375-9c3ed9f32afc |
| ComData | Data passed to the COM handler. Only filled if ActionTypeDisplayName is ComAction. | String | | timer |
| ComBinary | Binary that implements the COM handler. Only filled if ActionTypeDisplayName is ComAction. | String | | %SystemRoot%\System32\sppcext.dll |
| ComHandlerDescription | Description of the COM handler. Only filled if ActionTypeDisplayName is ComAction. | String | | SppSvcRestartTaskHandler Class |
| ComRemoteComputer | Remote computer of the COM action. Only filled if ActionTypeDisplayName is ComAction. | String | | |
| ComServiceName | Service name of the COM action. Only filled if ActionTypeDisplayName is ComAction. | String | | wuauserv |
| AutoElevated | Whether the COM action runs auto-elevated. Only filled if ActionTypeDisplayName is ComAction. Possible values: 0, 1. | String | | 0 |
| EmailBcc | Email Bcc value. Only filled if ActionTypeDisplayName is EmailAction. | String | | johndoe@company.com |
| EmailCc | Email Cc value. Only filled if ActionTypeDisplayName is EmailAction. | String | | johndoe@company.com |
| EmailFrom | Email sender. Only filled if ActionTypeDisplayName is EmailAction. | String | | Alerting@company.com |
| EmailServer | Email server. Only filled if ActionTypeDisplayName is EmailAction. | String | | mail.company.com |
| EmailSubject | Email subject. Only filled if ActionTypeDisplayName is EmailAction. | String | | Very urgent alert |
| EmailTo | Email recipient. Only filled if ActionTypeDisplayName is EmailAction. | String | | alerts@company.com |
| MsgTitle | Message title. Only filled if ActionTypeDisplayName is MessageAction. | String | | Some title |
| MsgContent | Message content. Only filled if ActionTypeDisplayName is MessageAction. | String | | Some content |
List of Calculated Fields
| Field | Description | Data type | Unit | Example | Where available |
|---|---|---|---|---|---|
| ActionTypeDisplayName | Expansion of the field ActionType based on the lookup scheduledtasks_actiontypes. Possible values: ExecutableAction, ComAction, EmailAction, MessageAction. | String | | ExecutableAction | Splunk data model, Splunk SPL |
| time | _time. | Number | | 2020-04-06T14:48:01.394+02:00 | Splunk data model |
Scheduled Task Triggers
uberAgent collects details about the configured triggers of scheduled tasks, such as the trigger type and the repetition settings.
Details
- Source type: uberAgentESA:System:ScheduledTaskTriggers
- Used in dashboards: Scheduled Tasks
- Enabled through configuration setting: ScheduledTaskMonitoring
- Related configuration settings: n/a
- Supported platform: Windows
List of Fields in the Raw Agent Data
| Field | Description | Data type | Unit | Example |
|---|---|---|---|---|
| TaskPath | Task path. | String | | \Microsoft\Windows\Device Information\Device |
| TriggerId | Identifier of the trigger. Often empty. | String | | NightlyTrigger |
| TriggerType | Trigger type. Possible values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12. See also TriggerTypeDisplayName. | Number | | 1 |
| EventTriggerSubscription | A query string that identifies the event that fires the trigger. | String | | `<query id='1'><select path='System'>*[System/Level=2]</select></query>` |
| EventTriggerNumValues | The number of queries specified on the matching event. | Number | | 2 |
| TriggerUserId | The ID of the user that fires the trigger (session state change and logon triggers only). | String | | AD\JohnDoe |
| LogonTriggerPossiblyGroup | Indicates that the ID in TriggerUserId is possibly the ID of a user group rather than of an individual user. Possible values: 0, 1. | String | | 1 |
| TriggerEnabled | Whether the trigger is enabled. Possible values: 0, 1. | String | | 1 |
| TriggerStartBoundary | Date from which the trigger is active. | String | | 2020-04-09 15:41:27.000 +0200 |
| TriggerEndBoundary | Date after which the trigger is no longer active. | String | | 2020-04-11 15:41:27.000 +0200 |
| TriggerRepetitionDuration | How long the repetition pattern (TriggerRepetitionInterval) is repeated, as an ISO 8601 duration. | String | | PT23H59M |
| TriggerRepetitionInterval | Interval between repetitions of the task, as an ISO 8601 duration (PT2H = every two hours). | String | | PT2H |
| TriggerRepetitionStopAtDurationEnd | Whether a running task is stopped when the repetition duration expires. Possible values: 0, 1. | String | | 0 |
| TriggerListIndex | Position in the list of configured triggers: 1 is the top of the list, 2 the second position, and so on. | Number | | 1 |
| DayDisplayName | Days on which the trigger runs. | String | | Sunday |
| WeekDisplayName | Weeks in which the trigger runs. | String | | First;Second;Third;Fourth |
| MonthDisplayName | Months in which the trigger runs. | String | | Jan;Feb;Mar;Apr;May;Jun;Jul;Aug;Sep;Oct;Nov;Dec |
| DayOfMonthDisplayName | Days of the month on which the trigger runs. | String | | 1;15;30 |
| DailyTriggerDaysInterval | Number of days between subsequent firings of a daily trigger. | Number | | 2 |
| WeeklyTriggerWeeksInterval | Number of weeks between subsequent firings of a weekly trigger. | Number | | 3 |
| MonthlyTriggerRunOnLastDayOfMonth | Whether the monthly trigger fires on the last day of the month. Possible values: 0, 1. | String | | 1 |
| MonthlyDowTriggerRunOnLastWeekOfMonth | Whether the monthly day-of-week trigger fires in the last week of the month. Possible values: 0, 1. | String | | 1 |
| StateChangeId | User session state change ID. Only filled if TriggerTypeDisplayName is SessionStateChangeTrigger. Possible values: 0, 1, 2, 3, 4, 7, 8. See also StateChangeDisplayName. | String | | 1 |
| WnfTriggerStateName | Windows Notification Facility (WNF) state name. See also WnfIdDisplayName. | String | | 1192063AA3BC0875 |
List of Calculated Fields
| Field | Description | Data type | Unit | Example | Where available |
|---|---|---|---|---|---|
| StateChangeDisplayName | Expansion of the field StateChangeId based on the lookup scheduledtasks_sessionstatechanges. Possible values: UndefinedStateChange0, ConsoleConnect, ConsoleDisconnect, RemoteConnect, RemoteDisconnect, UndefinedStateChange1, UndefinedStateChange2, SessionLock, SessionUnlock. | String | | ConsoleConnect | Splunk data model, Splunk SPL |
| TriggerTypeDisplayName | Expansion of the field TriggerType based on the lookup scheduledtasks_triggertypes. Possible values: EventTrigger, TimeTrigger, DailyTrigger, WeeklyTrigger, MonthlyTrigger, MonthlyDowTrigger, IdleTrigger, RegistrationTrigger, BootTrigger, LogonTrigger, UndefinedTrigger, SessionStateChangeTrigger, CustomTrigger01. Further explanations of these triggers are available in the lookup scheduledtasks_triggertypes. | String | | SessionStateChangeTrigger | Splunk data model, Splunk SPL |
| time | _time. | Number | | 2020-04-06T14:48:01.394+02:00 | Splunk data model |
| WnfIdDisplayName | Expansion of the field WnfTriggerStateName based on the lookup wnf_ids. Further explanations of the collected WNF IDs are available in the lookup wnf_ids. | String | | WNF_RTDS_NAMED_PIPE_TRIGGER_CHANGED | Splunk data model, Splunk SPL |
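The three source types above only become useful for hunting once they are joined: the task event carries the principal, visibility and author, the action event carries what is executed, and the trigger event carries when. The following is an added example, not uberAgent code or an uberAgent Splunk search. It rebuilds the calculated TaskPath from TaskFolder + TaskName, joins the action and trigger events to it, and flags tasks whose ExecutableAction or ComAction runs a binary from a location a standard user can write to, reporting SYSTEM principal, hidden flag, empty author and boot/logon triggers as context. The sample events are constructed and already carry the display-name fields (TaskEventDisplayName, ActionTypeDisplayName, TriggerTypeDisplayName) that the Splunk lookups add; the trusted-directory list and the values assumed for %SystemRoot%, %windir% and %ProgramFiles% are assumptions of this example.

```python
"""Join uberAgent ESA scheduled task, action and trigger events on TaskPath and
flag tasks that execute a binary from an untrusted location.

Added example, not uberAgent code. Sample events are constructed and already
carry the display-name fields the Splunk lookups add. TRUSTED_DIRS and ENV are
assumptions for a default Windows install.
"""
import ntpath
import re

# Directories a non-admin user cannot normally write to (assumption).
TRUSTED_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Triggers that fire without user interaction and survive reboots/logons.
PERSISTENCE_TRIGGERS = {"BootTrigger", "LogonTrigger", "RegistrationTrigger"}
# Variables seen in ComBinary/ExePath; values assumed for a default install.
ENV = {"systemroot": r"C:\Windows", "windir": r"C:\Windows", "programfiles": r"C:\Program Files"}
_VAR = re.compile(r"%(systemroot|windir|programfiles)%", re.IGNORECASE)


def task_path(folder, name):
    """Rebuild the calculated TaskPath (TaskFolder + TaskName). Tolerates a
    trailing backslash on the folder and the root folder '\\'."""
    return folder.rstrip("\\") + "\\" + name


def expand_path(path):
    """Expand %SystemRoot%-style variables, collapse '..' segments and lower-case
    (Windows paths are case-insensitive) so a prefix check cannot be bypassed."""
    return ntpath.normpath(_VAR.sub(lambda m: ENV[m.group(1).lower()], path)).lower()


def is_trusted(path):
    """True if the binary lives under a trusted directory. A bare name such as
    'sc.exe' is resolved via the search path and is therefore not trusted."""
    p = expand_path(path)
    return any(p.startswith(d.lower() + "\\") for d in TRUSTED_DIRS)


def correlate(tasks, actions, triggers):
    """Attach action and trigger events to their task event via TaskPath."""
    records = {task_path(t["TaskFolder"], t["TaskName"]): {"task": t, "actions": [], "triggers": []}
               for t in tasks}
    for key, events in (("actions", actions), ("triggers", triggers)):
        for ev in events:
            if ev["TaskPath"] in records:  # ignore events without a task event
                records[ev["TaskPath"]][key].append(ev)
    return records


def risky_tasks(tasks, actions, triggers):
    """Return [(TaskPath, [reasons])] for tasks that run an untrusted binary.
    Principal, visibility, author and persistence are added as context only when
    such an action exists, which keeps Microsoft's many hidden SYSTEM tasks out."""
    findings = []
    for path, rec in correlate(tasks, actions, triggers).items():
        t = rec["task"]
        if t["TaskEventDisplayName"] == "Deleted":
            continue  # nothing is left to run
        reasons = []
        for a in rec["actions"]:
            kind = a["ActionTypeDisplayName"]
            binary = {"ExecutableAction": a.get("ExePath"), "ComAction": a.get("ComBinary")}.get(kind)
            if binary and not is_trusted(binary):
                reasons.append(f"{kind} #{a['ActionListIndex']} runs {binary} from an untrusted location")
        if not reasons:
            continue
        if t["TaskPrincipal"] == "sys":
            reasons.append("runs as SYSTEM (TaskPrincipal=sys)")
        if t["TaskHidden"] == "1":
            reasons.append("hidden in the Task Scheduler UI (TaskHidden=1)")
        if not t.get("TaskAuthor"):
            reasons.append("TaskAuthor is empty")
        if any(tr["TriggerTypeDisplayName"] in PERSISTENCE_TRIGGERS and tr["TriggerEnabled"] == "1"
               for tr in rec["triggers"]):
            reasons.append("enabled boot/logon/registration trigger (persistence)")
        findings.append((path, reasons))
    return findings


# Constructed sample events (not real uberAgent output).
SAMPLE_TASKS = [
    {"TaskFolder": r"\Microsoft\Windows\WindowsUpdate", "TaskName": "Scheduled Start", "TaskPrincipal": "sys",
     "TaskHidden": "0", "TaskAuthor": "Microsoft Corporation", "TaskEventDisplayName": "Updated"},
    {"TaskFolder": "\\", "TaskName": "OneDriveSync", "TaskPrincipal": "sys",
     "TaskHidden": "1", "TaskAuthor": "", "TaskEventDisplayName": "Created"},
    {"TaskFolder": r"\Old", "TaskName": "Cleanup", "TaskPrincipal": "sys",
     "TaskHidden": "0", "TaskAuthor": "", "TaskEventDisplayName": "Deleted"},
]
SAMPLE_ACTIONS = [
    {"TaskPath": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start", "ActionListIndex": 1,
     "ActionTypeDisplayName": "ExecutableAction", "ExePath": r"C:\WINDOWS\system32\sc.exe"},
    # '..' would defeat a naive startswith("C:\Windows") check; normpath collapses it.
    {"TaskPath": r"\OneDriveSync", "ActionListIndex": 1, "ActionTypeDisplayName": "ExecutableAction",
     "ExePath": r"C:\Windows\..\Users\Public\Libraries\OneDriveSync.exe"},
    {"TaskPath": r"\OneDriveSync", "ActionListIndex": 2, "ActionTypeDisplayName": "ComAction",
     "ComBinary": r"%SystemRoot%\System32\sppcext.dll"},
    {"TaskPath": r"\Old\Cleanup", "ActionListIndex": 1, "ActionTypeDisplayName": "ExecutableAction",
     "ExePath": r"C:\Temp\cleanup.exe"},
]
SAMPLE_TRIGGERS = [
    {"TaskPath": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start", "TriggerTypeDisplayName": "TimeTrigger",
     "TriggerEnabled": "1"},
    {"TaskPath": r"\OneDriveSync", "TriggerTypeDisplayName": "LogonTrigger", "TriggerEnabled": "1"},
]

if __name__ == "__main__":
    for path, reasons in risky_tasks(SAMPLE_TASKS, SAMPLE_ACTIONS, SAMPLE_TRIGGERS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Running the script reports only \OneDriveSync: its first action runs from C:\Users\Public once the `..` segment is collapsed, while the ComAction on the same task resolves to %SystemRoot%\System32 and is left alone, the Windows Update task runs sc.exe from System32, and the deleted task is skipped. In Splunk the same logic is a search over the three source types joined on TaskPath; the point of the example is which fields carry the signal and why the path comparison has to normalise before it compares.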