Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence by changing the configuration of a legitimate scheduled task. Some changes, such as disabling or enabling a scheduled task, are common and may generate noise.
Rule type: eql
Risk score: 21
Runs every: 5 minutes
Maximum alerts per execution: 100
- Threat Detection
Added (Elastic Stack release): 8.5.0
Rule authors: Elastic
Rule license: Elastic License v2
Legitimate scheduled tasks may be created during installation of new software.
iam where event.action == "scheduled-task-updated" and

  /* excluding tasks created by the computer account */
  not user.name : "*$" and

  not winlog.event_data.TaskName : (
    "\\User_Feed_Synchronization-*",
    "\\OneDrive Reporting Task-S-1-5-21*",
    "\\Hewlett-Packard\\HP Web Products Detection",
    "\\Hewlett-Packard\\HPDeviceCheck"
  )
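To see how the query's three conditions behave on real-looking data, the following added example (not part of Elastic's rule set) re-implements the rule's logic in Python and runs it over a few constructed ECS-shaped events; the `alerting_tasks` and `matches` helpers are hypothetical names, and the exclusion list and field names are taken from the query above.

```python
import fnmatch
import json

# Exclusions copied from the rule's EQL query. EQL's ':' operator is a
# case-insensitive wildcard match, so both sides are lower-cased below.
EXCLUDED_TASK_NAMES = (
    "\\User_Feed_Synchronization-*",
    "\\OneDrive Reporting Task-S-1-5-21*",
    "\\Hewlett-Packard\\HP Web Products Detection",
    "\\Hewlett-Packard\\HPDeviceCheck",
)

def matches(event):
    """True if one ECS-shaped event satisfies every condition of the rule."""
    if event.get("event", {}).get("action") != "scheduled-task-updated":
        return False
    user = event.get("user", {}).get("name") or ""
    if user.endswith("$"):  # computer accounts; the rule drops them as noise
        return False
    task = (event.get("winlog", {}).get("event_data", {}).get("TaskName") or "").lower()
    return not any(fnmatch.fnmatchcase(task, p.lower()) for p in EXCLUDED_TASK_NAMES)

def alerting_tasks(lines):
    """Parse newline-delimited JSON events and return the TaskNames that alert."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if matches(ev):
            hits.append(ev["winlog"]["event_data"]["TaskName"])
    return hits

# Constructed sample events (not real telemetry), shaped like the ECS documents
# Elastic produces for Windows Security event 4702 (scheduled task updated).
SAMPLE_EVENTS = """
{"event":{"action":"scheduled-task-updated"},"user":{"name":"jdoe"},"winlog":{"event_data":{"TaskName":"\\\\Updater"}}}
{"event":{"action":"scheduled-task-updated"},"user":{"name":"WS01$"},"winlog":{"event_data":{"TaskName":"\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag"}}}
{"event":{"action":"scheduled-task-updated"},"user":{"name":"jdoe"},"winlog":{"event_data":{"TaskName":"\\\\User_Feed_Synchronization-{ABCD1234}"}}}
{"event":{"action":"scheduled-task-created"},"user":{"name":"jdoe"},"winlog":{"event_data":{"TaskName":"\\\\NewTask"}}}
"""

if __name__ == "__main__":
    # Only the first event alerts: the second is a computer account, the third
    # hits an exclusion, and the fourth is a creation rather than an update.
    print(alerting_tasks(SAMPLE_EVENTS))
```

Tuning the rule for an environment means extending `EXCLUDED_TASK_NAMES` with locally known-good task names; the `user.name` check is what keeps system-driven updates from drowning out an interactive user editing a task.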