Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.
| Name | Channel |
|---|---|
| esxi:syslog | /var/log/vpxa.log task invocations tied to time configuration |
| fs:fileevents | /Library/LaunchDaemons/*.plist, ~/Library/LaunchAgents/*.plist |
| linux::cron | crontab or at job created within TimeWindow post time discovery |
| linux:cron | /var/log/syslog or journalctl |
| linux:cron | cron activity |
| macos:launchd | launchd.plist and logs |
| macos:unifiedlog | New/modified launchd plist (persistence/scheduling) within TimeWindow after time query |
| Scheduled Job | None |
| WinEventLog:System | EventCode=106, 200 |
| WinEventLog:TaskScheduler | Task registration/execution shortly after a time discovery event |