A scheduled task was updatededit

Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 1

Added (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positivesedit

Legitimate scheduled tasks may be created during installation of new software.

Rule queryedit

iam where event.action == "scheduled-task-updated" and /* excluding
tasks created by the computer account */ not user.name : "*$" and
not winlog.event_data.TaskName :
("\\User_Feed_Synchronization-*", "\\OneDrive Reporting
Task-S-1-5-21*", "\\Hewlett-Packard\\HP Web Products
Detection", "\\Hewlett-Packard\\HPDeviceCheck")

Threat mappingedit