<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">Account_Domain</span>
<span class="pill kill-chain">Account_Name</span>
<span class="pill kill-chain">ComputerName</span>
<span class="pill kill-chain">Error_Code</span>
<span class="pill kill-chain">EventCode</span>
<span class="pill kill-chain">EventType</span>
<span class="pill kill-chain">Keywords</span>
<span class="pill kill-chain">LogName</span>
<span class="pill kill-chain">Logon_ID</span>
<span class="pill kill-chain">Message</span>
<span class="pill kill-chain">OpCode</span>
<span class="pill kill-chain">RecordNumber</span>
<span class="pill kill-chain">Security_ID</span>
<span class="pill kill-chain">SourceName</span>
<span class="pill kill-chain">Subject_Account_Domain</span>
<span class="pill kill-chain">Subject_Account_Name</span>
<span class="pill kill-chain">Subject_Logon_ID</span>
<span class="pill kill-chain">Subject_Security_ID</span>
<span class="pill kill-chain">TaskCategory</span>
<span class="pill kill-chain">Task_Content</span>
<span class="pill kill-chain">Task_Name</span>
<span class="pill kill-chain">Type</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">body</span>
<span class="pill kill-chain">category</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_nt_domain</span>
<span class="pill kill-chain">dest_nt_host</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">dvc_nt_host</span>
<span class="pill kill-chain">event_id</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">id</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">member_dn</span>
<span class="pill kill-chain">member_id</span>
<span class="pill kill-chain">member_nt_domain</span>
<span class="pill kill-chain">name</span>
<span class="pill kill-chain">product</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">session_id</span>
<span class="pill kill-chain">severity</span>
<span class="pill kill-chain">severity_id</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">signature_id</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">src_nt_domain</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">subject</span>
<span class="pill kill-chain">ta_windows_action</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">vendor</span>
<span class="pill kill-chain">vendor_product</span>
</div>
Data Source: Windows Event Log Security 4698
Description
Logs an event when a new scheduled task is created
Details
| Property | Value |
|---|---|
| Source | XmlWinEventLog:Security |
| Sourcetype | XmlWinEventLog |
| Separator | EventCode |
Related Detections
Supported Apps
- Splunk Add-on for Microsoft Windows (version 10.0.1)
Event Fields
Fields
Example Log
104/26/2022 11:12:09 AM
Required Output Fields
- dest
Source: GitHub | Version: 3