This documentation does not apply to the most recent version of uberAgent.
Scheduled Task Metrics
Scheduled Tasks
uberAgent collects detailed scheduled task information such as the task name, the author, and whether the task has actions.
Details
- Source type: uberAgentESA:System:ScheduledTasks
- Used in dashboards: Scheduled Tasks
- Enabled through configuration setting: ScheduledTaskMonitoring
- Related configuration settings: n/a
- Supported platform: Windows
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Example |
---|---|---|---|---|
TaskEventType | Scheduled task event type. Possible values: 0, 1, 2. See also TaskEventDisplayName. | Number | | 2 |
TaskFolder | Folder where the scheduled task is stored. | String | | \Microsoft\Windows\Flighting\OneSettings |
TaskName | Scheduled task name. | String | | RefreshCache |
TaskUserName | Account that created, changed, or deleted the task. Possible values: sys, lvc, nvc or any other user. The first three will be expanded in the field TaskPrincipalExpanded through the lookup [systemusers] from the uberAgent UXM Splunk app. | String | | AD\JohnDoe |
TaskPrincipal | Account that is used when running the task. Possible values: sys, lvc, nvc or any other user. The first three will be expanded in the field UserNameExpanded through the lookup [systemusers] from the uberAgent UXM Splunk app. | String | | sys |
LogonType | The logon type for the account configured in the field TaskPrincipal. Possible values: 0, 1, 2, 3, 4, 5, 6. See also LogonTypeDisplayName. | Number | | 5 |
Elevated | Indicates whether the task runs elevated. Possible values: 0, 1. | Number | | 0 |
TaskAuthor | Author that created the task. Can be any string and is often empty. | String | | Microsoft Corporation |
TaskHidden | Indicates whether the task is hidden in the UI. Possible values: 0, 1. | String | | 0 |
WakeToRun | Indicates whether the Task Scheduler wakes the computer when it is time to run the task. Possible values: 0, 1. | String | | 0 |
HasActions | Indicates whether the task has actions. Actions are sent separately in the source type uberAgentESA:System:ScheduledTaskActions. Possible values: 0, 1. | String | | 1 |
List of Calculated Fields
Field | Description | Data type | Unit | Example | Where available |
---|---|---|---|---|---|
TaskPath | TaskFolder + TaskName. | String | | \Microsoft\Windows\Flighting\OneSettings\RefreshCache | Splunk data model |
time | _time. | Number | | 2020-04-06T14:48:01.394+02:00 | Splunk data model |
UserNameExpanded | coalesce(UserNameExpanded,TaskUserName). | String | | SYSTEM | Splunk data model |
LogonTypeDisplayName | Expansion for the field LogonType based on the lookup scheduledtasks_logontypes. Possible values: | String | | ServiceAccount | Splunk data model, Splunk SPL |
TaskEventDisplayName | Expansion for the field TaskEventType based on the lookup scheduledtasks_eventtypes. Possible values: Created, Updated, Deleted. | String | | Updated | Splunk data model, Splunk SPL |
Scheduled Task Actions
uberAgent collects details about the configured actions of scheduled tasks, such as the action type, the path to the executable, and mail settings.
Details
- Source type: uberAgentESA:System:ScheduledTaskActions
- Used in dashboards: Scheduled Tasks
- Enabled through configuration setting: ScheduledTaskMonitoring
- Related configuration settings: n/a
- Supported platform: Windows
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Example |
---|---|---|---|---|
TaskPath | Task path. | String | | \Microsoft\Windows\WindowsUpdate\Scheduled Start |
IsDeprecated | Indicates whether the task is deprecated. Possible values: 0, 1. | String | | 0 |
ActionType | The configured action. Possible values: 0, 1, 2, 3. See also ActionTypeDisplayName. | Number | | 2 |
ActionListIndex | Represents the position in the list of configured actions. 1 means that the action is at the top of the list, 2 represents the second position, and so on. | Number | | 1 |
ExePath | Path to the executable that is run. Only filled if ActionTypeDisplayName is ExecutableAction. | String | | C:\WINDOWS\system32\sc.exe |
ExeArguments | Arguments of the executable that is run. Only filled if ActionTypeDisplayName is ExecutableAction. | String | | start wuauserv |
ExeWorkingDir | Working directory of the executable that is run. Only filled if ActionTypeDisplayName is ExecutableAction. | String | | C:\WINDOWS\system32 |
ComClsid | COM action ID. Only filled if ActionTypeDisplayName is ComAction. | String | | b1aebb5d-ead9-4476-b375-9c3ed9f32afc |
ComData | COM action data. Only filled if ActionTypeDisplayName is ComAction. | String | | timer |
ComBinary | COM action binary. Only filled if ActionTypeDisplayName is ComAction. | String | | %SystemRoot%\System32\sppcext.dll |
ComHandlerDescription | COM action handler description. Only filled if ActionTypeDisplayName is ComAction. | String | | SppSvcRestartTaskHandler Class |
ComRemoteComputer | COM action remote computer. Only filled if ActionTypeDisplayName is ComAction. | String | | |
ComServiceName | COM action service name. Only filled if ActionTypeDisplayName is ComAction. | String | | wuauserv |
AutoElevated | Indicates whether the COM action runs auto-elevated. Only filled if ActionTypeDisplayName is ComAction. Possible values: 0, 1. | String | | 0 |
EmailBcc | Email Bcc value. Only filled if ActionTypeDisplayName is EmailAction. | String | | [email protected] |
EmailCc | Email Cc value. Only filled if ActionTypeDisplayName is EmailAction. | String | | [email protected] |
EmailFrom | Email sender. Only filled if ActionTypeDisplayName is EmailAction. | String | | [email protected] |
EmailServer | Email server. Only filled if ActionTypeDisplayName is EmailAction. | String | | mail.company.com |
EmailSubject | Email subject. Only filled if ActionTypeDisplayName is EmailAction. | String | | Very urgent altert |
EmailTo | Email recipient. Only filled if ActionTypeDisplayName is EmailAction. | String | | [email protected] |
MsgTitle | Message title. Only filled if ActionTypeDisplayName is MessageAction. | String | | Some title |
MsgContent | Message content. Only filled if ActionTypeDisplayName is MessageAction. | String | | Some content |
List of Calculated Fields
Field | Description | Data type | Unit | Example | Where available |
---|---|---|---|---|---|
ActionTypeDisplayName | Expansion of the field ActionType based on the lookup scheduledtasks_actiontypes. Possible values: ExecutableAction, ComAction, EmailAction, MessageAction. | String | | ExecutableAction | Splunk data model, Splunk SPL |
time | _time. | Number | | 2020-04-06T14:48:01.394+02:00 | Splunk data model |
Scheduled Task Triggers
uberAgent collects details about the configured triggers of scheduled tasks, such as the trigger type and the repetition settings.
Details
- Source type: uberAgentESA:System:ScheduledTaskTriggers
- Used in dashboards: Scheduled Tasks
- Enabled through configuration setting: ScheduledTaskMonitoring
- Related configuration settings: n/a
- Supported platform: Windows
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Example |
---|---|---|---|---|
TaskPath | Task path. | String | | \Microsoft\Windows\Device Information\Device |
TriggerId | Identifier for the trigger. Is often empty. | String | | NightlyTrigger |
TriggerType | Trigger type. Possible values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12. See also TriggerTypeDisplayName. | Number | | 1 |
EventTriggerSubscription | A query string that identifies the event that fires the trigger. | String | | <QueryList><Query Id='1'><Select Path='System'>*[System/Level=2]</Select></Query></QueryList> |
EventTriggerNumValues | The number of queries specified on the matching event. | Number | | 2 |
TriggerUserId | The ID of the user that fires the trigger (only in state-change triggers and logon triggers). | String | | AD\JohnDoe |
LogonTriggerPossiblyGroup | Indicates that the ID in the field TriggerUserId is possibly the ID of a user group instead of an individual user. Possible values: 0, 1. | String | | 1 |
TriggerEnabled | Indicates whether the trigger is enabled. Possible values: 0, 1. | String | | 1 |
TriggerStartBoundary | The start date from which the trigger is active. | String | | 2020-04-09 15:41:27.000 +0200 |
TriggerEndBoundary | The end date after which the trigger is no longer active. | String | | 2020-04-11 15:41:27.000 +0200 |
TriggerRepetitionDuration | For how long the repetition pattern (repetition interval) is repeated, see ISO8601 Durations. | String | | PT23H59M |
TriggerRepetitionInterval | The repetition pattern (e.g. daily, monthly, etc.), see ISO8601 Durations. | String | | PT2H |
TriggerRepetitionStopAtDurationEnd | Indicates whether a running task is stopped when the repetition pattern duration expires. Possible values: 0, 1. | String | | 0 |
TriggerListIndex | Represents the position in the list of configured triggers. 1 means that the trigger is at the top of the list, 2 represents the second position, and so on. | Number | | 1 |
DayDisplayName | Indicates on which days the trigger runs. | String | | Sunday |
WeekDisplayName | Indicates in which weeks the trigger runs. | String | | First;Second;Third;Fourth |
MonthDisplayName | Indicates in which months the trigger runs. | String | | Jan;Feb;Mar;Apr;May;Jun;Jul;Aug;Sep;Oct;Nov;Dec |
DayOfMonthDisplayName | Indicates on which days of a month the trigger runs. | String | | 1;15;30 |
DailyTriggerDaysInterval | The number of days between subsequent firings of the daily trigger. | Number | | 2 |
WeeklyTriggerWeeksInterval | The number of weeks between subsequent firings of the weekly trigger. | Number | | 3 |
MonthlyTriggerRunOnLastDayOfMonth | Indicates whether the monthly trigger fires on the last day of the month. Possible values: 0, 1. | String | | 1 |
MonthlyDowTriggerRunOnLastWeekOfMonth | Indicates whether the monthly day-of-week trigger fires in the last week of the month. Possible values: 0, 1. | String | | 1 |
StateChangeId | User session state change ID. Only filled if TriggerTypeDisplayName is SessionStateChangeTrigger. Possible values: 0, 1, 2, 3, 4, 7, 8. See also StateChangeDisplayName. | String | | 1 |
WnfTriggerStateName | Windows Notification Facility (WNF) state name. See also WnfIdDisplayName. | String | | 1192063AA3BC0875 |
List of Calculated Fields
Field | Description | Data type | Unit | Example | Where available |
---|---|---|---|---|---|
StateChangeDisplayName | Expansion of the field StateChange based on the lookup scheduledtasks_sessionstatechanges. Possible values: UndefinedStateChange0, ConsoleConnect, ConsoleDisconnect, RemoteConnect, RemoteDisconnect, UndefinedStateChange1, UndefinedStateChange2, SessionLock, SessionUnlock. | String | | ConsoleConnect | Splunk data model, Splunk SPL |
TriggerTypeDisplayName | Expansion of the field TriggerType based on the lookup scheduledtasks_triggertypes. Possible values: EventTrigger, TimeTrigger, DailyTrigger, WeeklyTrigger, MonthlyTrigger, MonthlyDowTrigger, IdleTrigger, RegistrationTrigger, BootTrigger, LogonTrigger, UndefinedTrigger, SessionStateChangeTrigger, CustomTrigger01. Further explanations of these triggers are available in the lookup scheduledtasks_triggertypes. | String | | SessionStateChangeTrigger | Splunk data model, Splunk SPL |
time | _time. | Number | | 2020-04-06T14:48:01.394+02:00 | Splunk data model |
WnfIdDisplayName | Expansion of the field WnfTriggerStateName based on the lookup wnf_ids. Further explanations of the collected WNF IDs are available in the lookup wnf_ids. | String | | WNF_RTDS_NAMED_PIPE_TRIGGER_CHANGED | Splunk data model, Splunk SPL |
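As an added example (not uberAgent's or the Splunk app's own code), the following Python joins records from the three source types documented above on TaskPath, applies the lookup expansions described in the calculated-field tables, and derives a small triage view from the result. The value-to-name order of each lookup (value 0 is the first listed display name, and so on), the representation of records as plain dicts, and all sample values are assumptions made for this illustration.

```python
# Added illustration, not uberAgent's own code: join the three uberAgentESA:System:ScheduledTask*
# source types on TaskPath and apply the lookup expansions the page documents.
# Assumption: numeric value i maps to the i-th display name in the order the page lists them.
EVENT_TYPES = ["Created", "Updated", "Deleted"]                                   # TaskEventType
ACTION_TYPES = ["ExecutableAction", "ComAction", "EmailAction", "MessageAction"]  # ActionType
TRIGGER_TYPES = ["EventTrigger", "TimeTrigger", "DailyTrigger", "WeeklyTrigger", "MonthlyTrigger",
                 "MonthlyDowTrigger", "IdleTrigger", "RegistrationTrigger", "BootTrigger",
                 "LogonTrigger", "UndefinedTrigger", "SessionStateChangeTrigger", "CustomTrigger01"]
SYSTEM_ACCOUNTS = {"sys", "lvc", "nvc"}  # values the [systemusers] lookup expands
def expand(table, value):
    """Lookup expansion; values outside the lookup pass through unchanged."""
    try:
        return table[int(value)]
    except (ValueError, IndexError):
        return str(value)
def task_path(task):
    """Calculated field TaskPath = TaskFolder + TaskName."""
    return task["TaskFolder"].rstrip("\\") + "\\" + task["TaskName"]

def enrich(tasks, actions, triggers):
    """One record per task with its actions and triggers attached and display names expanded."""
    out = {}
    for t in tasks:
        p = task_path(t)
        out[p] = dict(t, TaskPath=p, actions=[], triggers=[],
                      TaskEventDisplayName=expand(EVENT_TYPES, t["TaskEventType"]))
    for key, recs, table, field in (("actions", actions, ACTION_TYPES, "ActionType"),
                                    ("triggers", triggers, TRIGGER_TYPES, "TriggerType")):
        for r in recs:
            if r["TaskPath"] in out:  # action/trigger records without a task record are skipped
                out[r["TaskPath"]][key].append(dict(r, **{field + "DisplayName": expand(table, r[field])}))
    return out

def review_candidates(enriched):
    """Triage view: hidden tasks that run an executable as 'sys' but were registered by a user."""
    hits = []
    for p, t in enriched.items():
        exes = [a["ExePath"] for a in t["actions"] if a["ActionTypeDisplayName"] == "ExecutableAction"]
        if (t["TaskHidden"] == "1" and t["TaskPrincipal"] == "sys"
                and t["TaskUserName"] not in SYSTEM_ACCOUNTS and exes):
            hits.append((p, t["TaskEventDisplayName"], exes[0]))
    return hits
# Constructed sample records: field names from the page, values invented for illustration.
TASKS = [{"TaskFolder": "\\Microsoft\\Windows\\WindowsUpdate", "TaskName": "Scheduled Start",
          "TaskEventType": "1", "TaskUserName": "sys", "TaskPrincipal": "sys", "TaskHidden": "0"},
         {"TaskFolder": "\\", "TaskName": "Updater", "TaskEventType": "0",
          "TaskUserName": "AD\\JohnDoe", "TaskPrincipal": "sys", "TaskHidden": "1"}]
ACTIONS = [{"TaskPath": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start", "ActionType": "0",
            "ExePath": "C:\\WINDOWS\\system32\\sc.exe"},
           {"TaskPath": "\\Updater", "ActionType": "0", "ExePath": "C:\\Users\\Public\\u.exe"}]
TRIGGERS = [{"TaskPath": "\\Updater", "TriggerType": "9"}]
```

Calling `review_candidates(enrich(TASKS, ACTIONS, TRIGGERS))` returns only the constructed `\Updater` task; the Windows Update task is left out because it is neither hidden nor registered by a non-system account.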