Reputation: 1
Detect scheduled tasks with sysmon
How can I detect running scheduled tasks with sysmon in splunk?
There is a scheduled task running and I don't know since when it started how can I detect the scheduled task and when it first started?
I know that EventID 106 – stands for "new scheduled job" but is there a event id or something in the message that tells me that a process is comes from a scheduled task?
Thank you in advance
Upvotes: 0
Views: 2501
Answers (1)
Reputation: 11
I know you can check for Logon_Type=4 in Windows Security Logon Events (4624, 4625, 4634) which refer to "Batch / Scheduled Task" related logons.
Do you have the Scheduled Tasks Log being ingested into Splunk inputs.conf? https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_the_.22Full_Name.22_log_property_in_Event_Viewer_to_specify_complex_Event_Log_channel_names_properly
Upvotes: 0
Related Questions
- Filter list of scheduled tasks by taskname
- Splunk: Schedule alert to run every 10 minutes
- Filter list of scheduled tasks that contain specific string in Task To Run
- Windows Task Scheduler - is it possible to distinguish manual and time-based triggered run of task?
- how can i find the instanceid/correlation ID of the scheduled Task that started my process
- How to get the list of scheduled tasks using c#?
- Salesforce system scheduled job not executing
- Service Based Task Scheduler
- How can the state (active or not) of a scheduled task be queried?
- can I detect the status of a scheduled task like I do with services using serviceController?