I hope this is the right place to post this; if not, please let me know where to post it.

There are multiple use-cases for Task Scheduler in the SSE app; my question pertains to all that are based on EventID=4698. None of these searches seem to work in my environment out of the box. I checked and my Windows TA is up to date. Not sure if there is another TA required? Here is one as an example and how I fixed it:

`wineventlog_security` EventCode=4698
| xmlkv Message
| search Command IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*")
| stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `winevent_scheduled_task_created_within_public_path_filter`

To fix this query I ended up changing line 2 to:

| xmlkv TaskContent

And line 4 to:

| stats count min(_time) as firstTime max(_time) as lastTime by dest, TaskName, Command, Author, Enabled, Hidden, Arguments

I don't know if I am missing something or if this is broken out of the box; if so, is there somewhere to report this?
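The extraction and matching that the corrected search performs (xmlkv over TaskContent, then Command matched against the public-path list), written out in Python as an added example; it is not code from this post or from the SSE app. The 4698 event and its TaskContent XML are constructed sample data; the EventData names TaskName and TaskContent and the Task Scheduler XML elements are the ones Windows emits.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML carried in the TaskContent field of a 4698 event.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Same path fragments as the search's "Command IN (...)" clause. Splunk wildcard
# matching is case-insensitive, so the regex is compiled with re.I.
PUBLIC_PATHS = ["\\users\\public\\", "\\programdata\\", "\\temp\\",
                "\\Windows\\Tasks\\", "\\appdata\\"]
PUBLIC_PATH_RE = re.compile("|".join(re.escape(p) for p in PUBLIC_PATHS), re.I)

# Constructed sample TaskContent, shaped like the XML a real 4698 event carries.
SAMPLE_TASK_CONTENT = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\jdoe</Author></RegistrationInfo>
  <Settings><Enabled>true</Enabled><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\update.exe</Command>
      <Arguments>-silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def parse_task_content(task_xml):
    """Pull out the fields the corrected stats clause groups by (what xmlkv TaskContent yields)."""
    root = ET.fromstring(task_xml)

    def text(path):
        node = root.find(path, TASK_NS)
        return node.text if node is not None and node.text else ""

    return {
        "Command": text("t:Actions/t:Exec/t:Command"),
        "Arguments": text("t:Actions/t:Exec/t:Arguments"),
        "Author": text("t:RegistrationInfo/t:Author"),
        "Enabled": text("t:Settings/t:Enabled"),
        "Hidden": text("t:Settings/t:Hidden"),
    }


def scheduled_task_in_public_path(event):
    """event: dict with the 4698 EventData fields TaskName and TaskContent.
    Returns the extracted fields when Command points into a public/writable path, else None."""
    fields = parse_task_content(event["TaskContent"])
    fields["TaskName"] = event["TaskName"]
    return fields if PUBLIC_PATH_RE.search(fields["Command"]) else None
```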