kqlElastic-2.0from elastic/detection-rules

Unusual Scheduled Task Update

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1053 T1053.005

Rule sourcerules/windows/persistence_scheduled_task_updated.toml

event.category: "iam" and host.os.type:"windows" and event.code: "4702" and
  not winlog.event_data.SubjectUserSid : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
  not user.name : *$

Unusual Scheduled Task Update · KQL rule | DetectionLint