uberAgent

Documentation

Contents
Contents
Previous document: Activity Monitoring Metrics Next document: Advanced Topics
Contents
Contents
  1. uberAgent
  2. 6.0
  3. Metrics
  4. Endpoint Security Analytics
  5. Scheduled Task Metrics

Scheduled Task Metrics

In this article

Scheduled Tasks

uberAgent collects detailed scheduled task information like the task name, the author as well as if it has actions.

Details

  • Source type: uberAgentESA:System:ScheduledTasks
  • Used in dashboards: Scheduled Tasks
  • Enabled through configuration setting: ScheduledTaskMonitoring
  • Related configuration settings: n/a

List of Fields in the Raw Agent Data

Field Description Data type Unit Example
TaskEventType Scheduled task event type. Possible values: 0, 1, 2. See also TaskEventDisplayName. Number 2
TaskFolder Folder where the scheduled task is stored String \Microsoft\Windows\Flighting\OneSettings
TaskName Scheduled task name String RefreshCache
TaskUserName Account that created, changed or deleted the task. Possible values: sys, lvc, nvc or any other user. The first three will be expanded in the field TaskPrincipalExpanded through the lookup [systemusers] from the uberAgent UXM Splunk app. String AD\JohnDoe
TaskPrincipal Account that is used when running the task. Possible values: sys, lvc, nvc or any other user. The first three will be expanded in the field UserNameExpanded through the lookup [systemusers] from the uberAgent UXM Splunk app. String sys
LogonType The logon type for the account configured in the field TaskPrincipal. Possible values: 0, 1, 2, 3, 4, 5, 6. See also LogonTypeDisplayName. Number 5
Elevated Indicates wether the task is running elevated or not. Possible values: 0, 1. Number 0
TaskAuthor Author that created the task. Can be any string and will often be empty. String Microsoft Corporation
TaskHidden Indicates if the task is hidden in the UI or not. Possible values: 0, 1 String 0
WakeToRun Indicates if the Task Scheduler will wake the computer when it is time to run the task. Possible values: 0, 1. String 0
HasActions Indicates if the task has actions. Actions are send seperately in the source type uberAgentESA:System:ScheduledTaskActions. Possible values: 0, 1. String 1

List of Calculated Fields

Field Description Data type Unit Example Where available
TaskPath TaskFolder + TaskName String \Microsoft\Windows\Flighting\OneSettings\RefreshCache Splunk data model
time _time Number 2020-04-06T14:48:01.394+02:00 Splunk data model
UserNameExpanded coalesce(UserNameExpanded,TaskUserName) String SYSTEM Splunk data model
LogonTypeDisplayName Expansion for the field LogonType based on the lookup scheduledtasks_logontypes. Possible values:
  • Unspecified: used for non-NT credentials.
  • UsePassword: use a password for logging on the user.
  • ServiceForUser: the service will log the user on using Service For User (S4U), and the task will run in a non-interactive desktop.
  • LogonInteractive: user must already be logged on. The task will be run only in an existing interactive session.
  • LogonGroup: group activation. The groupId field specifies the group.
  • ServiceAccount: indicates that a Local System, Local Service, or Network Service account is being used as a security context to run the task.
  • InteractiveOrPassword: not in use
String ServiceAccount Splunk data model, Splunk SPL
TaskEventDisplayName Expansion for the field TaskEventType based on the lookup scheduledtasks_eventtypes. Possible values: Created, Udated, Deleted String Updated Splunk data model, Splunk SPL

Scheduled Task Actions

uberAgent collects details about configured actions of scheduled tasks like the action type, the path to the exe as well as mail settings.

Details

  • Source type: uberAgentESA:System:ScheduledTaskActions
  • Used in dashboards: Scheduled Tasks
  • Enabled through configuration setting: ScheduledTaskMonitoring
  • Related configuration settings: n/a

List of Fields in the Raw Agent Data

Field Description Data type Unit Example
TaskPath Task path String \Microsoft\Windows\WindowsUpdate\Scheduled Start
IsDeprecated Indicates if the task is deprecated or not. Possible values: 0, 1 String 0
ActionType The configured action. Possible values: 0, 1, 2, 3. See also ActionTypeDisplayName. Number 2
ActionListIndex Represents the position in the list of configured actions. 1 means that the action is at the top of the list, 2 represents the second position, and so on. Number 1
ExePath Path to the executable which is run. Only filled if ActionTypeDisplayName is ExecutableAction. String C:\WINDOWS\system32\sc.exe
ExeArguments Arguments of the executable which is run. Only filled if ActionTypeDisplayName is ExecutableAction. String start wuauserv
ExeWorkingDir Working dir of the executable which is run. Only filled if ActionTypeDisplayName is ExecutableAction. String C:\WINDOWS\system32
ComClsid COM action ID. Only filled if ActionTypeDisplayName is ComAction. String b1aebb5d-ead9-4476-b375-9c3ed9f32afc
ComData COM action data. Only filled if ActionTypeDisplayName is ComAction. String timer
ComBinary COM action binary. Only filled if ActionTypeDisplayName is ComAction. String %SystemRoot%\System32\sppcext.dll
ComHandlerDescription COM action handler description. Only filled if ActionTypeDisplayName is ComAction. String SppSvcRestartTaskHandler Class>
ComRemoteComputer COM action remote computer. Only filled if ActionTypeDisplayName is ComAction. String
ComServiceName COM action service name. Only filled if ActionTypeDisplayName is ComAction. String wuauserv
AutoElevated Indicates if the COM action runs auto-elevated. Only filled if ActionTypeDisplayName is ComAction. Possible values: 0, 1 String 0
EmailBcc Email Bcc value. Only filled if ActionTypeDisplayName is EmailAction. String johndoe@company.com
EmailCc Email Cc value. Only filled if ActionTypeDisplayName is EmailAction. String johndoe@company.com
EmailFrom Email sender. Only filled if ActionTypeDisplayName is EmailAction. String Alerting@company.com
EmailServer Email server. Only filled if ActionTypeDisplayName is EmailAction. String mail.company.com
EmailSubject Email subject. Only filled if ActionTypeDisplayName is EmailAction. String Very urgent altert
EmailTo Email recipient. Only filled if ActionTypeDisplayName is EmailAction. String alerts@company.com
MsgTitle Message title. Only filled if ActionTypeDisplayName is MessageAction. String Some title
MsgContent Message content. Only filled if ActionTypeDisplayName is MessageAction. String Some content

List of Calculated Fields

Field Description Data type Unit Example Where available
ActionTypeDisplayName Expansion of the field ActionType based on the lookup scheduledtasks_actiontypes. Possible values: ExecutableAction, ComAction, EmailAction, MessageAction. String ExecutableAction Splunk data model, Splunk SPL
time _time Number 2020-04-06T14:48:01.394+02:00 Splunk data model

Scheduled Task Triggers

uberAgent collects details about configured triggers of scheduled tasks like the trigger type as well as the repetition.

Details

  • Source type: uberAgentESA:System:ScheduledTaskTriggers
  • Used in dashboards: Scheduled Tasks
  • Enabled through configuration setting: ScheduledTaskMonitoring
  • Related configuration settings: n/a

List of Fields in the Raw Agent Data

Field Description Data type Unit Example
TaskPath Task path String \Microsoft\Windows\Device Information\Device
TriggerId Identifier for the trigger. Is often empty. String NightlyTrigger
TriggerType Trigger type. Possible values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12. See also TriggerTypeDisplayName. Number 1
EventTriggerSubscription A query string that identifies the event that fires the trigger. String <QueryList><Query Id='1'><Select Path='System'>*[System/Level=2]</Select></Query></QueryList>
EventTriggerNumValues The number of queries specified on the mathing event. Number 2
TriggerUserId The ID of the user that fires the trigger (only in State-change trigger and logon trigger). String AD\JohnDoe
LogonTriggerPossiblyGroup The ID displayed in the field TriggerUserId is possibly the ID of user-group, instead of an individual user. Possible values: 0, 1. String 1
TriggerEnabled Indicates if the trigger is enabled or not. Possible values: 0, 1 String 1
TriggerStartBoundary The start date when the trigger is active String 2020-04-09 15:41:27.000 +0200
TriggerEndBoundary The end date after which the trigger is not active anymore String 2020-04-11 15:41:27.000 +0200
TriggerRepetitionDuration For how long the repetition pattern (Repetition interval) is repeated, see ISO8601 Durations String PT23H59M
TriggerRepetitionInterval The repetition pattern (e.g. daily,monthly, etc.), see ISO8601 Durations String PT2H
TriggerRepetitionStopAtDurationEnd Indicates whether a running task is stopped when the repetition pattern duration expires. Possible values: 0, 1. String 0
TriggerListIndex Represents the position in the list of configured triggers. 1 means that the trigger is at the top of the list, 2 represents the second position, and so on. Number 1
DayDisplayName Indicates on which days the trigger runs String Sunday
WeekDisplayName Indicates on which weeks the trigger runs String First;Second;Third;Fourth
MonthDisplayName Indicates in which months the trigger runs String Jan;Feb;Mar;Apr;May;Jun;Jul;Aug;Sep;Oct;Nov;Dec
DayOfMonthDisplayName Indicates on which days of a month the trigger runs String 1;15;30
DailyTriggerDaysInterval The number of days between subsequent firing of the daily trigger. Number 2
WeeklyTriggerWeeksInterval The number of weeks between subsequent firing of the weekly trigger. Number 3
MonthlyTriggerRunOnLastDayOfMonth Indicates if the monthly trigger is fired on the last day of the month. Possible values: 0, 1 String 1
MonthlyDowTriggerRunOnLastWeekOfMonth Indicates if the monthly day-of-week trigger is fired on the last week of the month. Possible values: 0, 1 String 1
StateChangeId User session state change ID. Only filled if TriggerTypeDisplayName is SessionStateChangeTrigger. Possible values: 0, 1, 2, 3, 4, 7, 8. See also StateChangeDisplayName. String 1
WnfTriggerStateName Windows Notification Facility (WNF) state name. Also see WnfIdDisplayName String 1192063AA3BC0875

List of Calculated Fields

Field Description Data type Unit Example Where available
StateChangeDisplayName Expansion of the field StateChange based on the lookup scheduledtasks_sessionstatechanges. Possible values: UndefinedStateChange0, ConsoleConnect, ConsoleDisconnect, RemoteConnect, RemoteDisconnect, UndefinedStateChange1, UndefinedStateChange2, SessionLock, SessionUnlock String ConsoleConnect Splunk data model, Splunk SPL
TriggerTypeDisplayName Expansion of the field TriggerType based on the lookup scheduledtasks_triggertypes. Possible values: EventTrigger, TimeTrigger, DailyTrigger, WeeklyTrigger, MonthlyTrigger, MonthlyDowTrigger, IdleTrigger, RegistrationTrigger, BootTrigger, LogonTrigger, UndefinedTrigger, SessionStateChangeTrigger, CustomTrigger01. Further explanations on these triggers are available in the lookup scheduledtasks_triggertypes. String SessionStateChangeTrigger Splunk data model, Splunk SPL
time _time Number 2020-04-06T14:48:01.394+02:00 Splunk data model
WnfIdDisplayName Expansion of the field WnfTriggerStateName based on the lookup wnf_ids. Further explanations on the collected WNF IDs are available in the lookup wnf_ids. String WNF_RTDS_NAMED_PIPE_TRIGGER_CHANGED Splunk data model, Splunk SPL

Previous document: Activity Monitoring Metrics Next document: Advanced Topics

Leave a Reply

Your email address will not be published. Required fields are marked *

Miscellaneous

Imprint
Privacy Policy