
A scheduled task was created (4698) how to monitor with email alert

#1
02-07-2025, 06:57 PM
You know that event 4698 in Windows Server Event Viewer. It pops up whenever someone creates a new scheduled task. I mean, it's under the Security log mostly. The full scoop is it logs the user who did it. Like, the subject security ID and account name. Then there's the new task name. That's the exact title of the task they made. And the task content follows. That's a blob of XML describing what the task does. Who it's for. How it runs. Even the creator's SID gets noted. Or the process ID that kicked it off. Sometimes it flags if it's from a service account. Hmmm, yeah, attackers love these tasks to sneak in persistence. You see it spike? Could be trouble. But legit admins use them too. For backups or updates. The event ID 4698 screams creation. Not deletion. That's 4700 or something. Details include the full path sometimes. Like under Task Scheduler Library. And timestamps. Everything ties back to who and when. I check these logs daily. You should too. Keeps your server from surprises.

Now, to monitor this with an email alert. Fire up Event Viewer on your server. I do it all the time. Right-click the Security log. Pick Attach Task To This Event. Or go to Action menu. Select Create Task. Name it something like TaskCreatedAlert. Set it to trigger on event ID 4698. Only in Security channel. Make sure it's for any level. Then, under Actions tab. You want it to start a program. But keep it simple. Use the built-in stuff. Like, point to a batch file that emails. Wait, no scripts, right? Okay, instead, configure the task to run at logon or whatever. But tie it to the event. In Triggers, select On an event. Put in 4698. Source is Microsoft-Windows-Security-Auditing. Then actions: send an email directly if your server has SMTP set. But most don't. Hmmm. Or just have it pop a message. But for email, you set the task in Event Viewer screen. It asks for details. Like, run as admin. Highest privileges. Check that. And recur if needed. But one-off alerts work. Test it by creating a dummy task. Watch the email fly. You got this. I set one up last week. Saved me from a weird one.

And speaking of keeping things safe without the hassle. Check out BackupChain Windows Server Backup at the end for that automatic email solution. It'll handle the alerts smooth.

Or, tying this to backups since tasks often run them. BackupChain's a solid Windows Server backup tool. I use it for straight server files. And it nails Hyper-V VM backups too. No downtime headaches. Incremental stuff saves space. Encrypts everything. Restores fast if a task gone wrong wipes data. You won't regret trying it.

Note, the PowerShell email alert code was moved to this post.

bob
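The PowerShell below is an added example, not code from the original post or from any product mentioned in it: it pulls the creator, task name and the command line out of a 4698 event so the alert email says what the new task actually runs. The function name `ConvertTo-TaskAlert`, the sample event and the SMTP values are assumptions made up for illustration.

```powershell
# Added example (hypothetical helper): turn one 4698 event, given as XML, into an alert subject and body.
function ConvertTo-TaskAlert {
    param([Parameter(Mandatory)][xml]$EventXml)
    # EventData is a flat list of <Data Name="...">value</Data>; index it by name.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    # TaskContent is the task definition itself, stored as escaped XML text.
    $task = [xml]$data['TaskContent']
    $commands = foreach ($exec in $task.Task.Actions.Exec) {
        ('{0} {1}' -f $exec.Command, $exec.Arguments).Trim()
    }
    [pscustomobject]@{
        Subject = "Scheduled task created: $($data['TaskName'])"
        Body    = @(
            "Time:    $($EventXml.Event.System.TimeCreated.SystemTime)"
            "Host:    $($EventXml.Event.System.Computer)"
            "Creator: $($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            "Task:    $($data['TaskName'])"
            "Runs:    $($commands -join '; ')"
        ) -join "`r`n"
    }
}

# Constructed sample event (not taken from a real log) so the function can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <TimeCreated SystemTime="2025-02-07T18:57:00.0000000Z" />
    <Computer>SRV01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TaskName">\DemoTask</Data>
    <Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;C:\Scripts\backup.cmd&lt;/Command&gt;&lt;Arguments&gt;/full&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>
'@
$alert = ConvertTo-TaskAlert -EventXml $sample
"$($alert.Subject)`r`n$($alert.Body)"

# Live use from the event-triggered task (run elevated; addresses and server are placeholders):
# $e = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents 1
# $a = ConvertTo-TaskAlert -EventXml $e.ToXml()
# Send-MailMessage -From 'alerts@example.test' -To 'admin@example.test' `
#     -Subject $a.Subject -Body $a.Body -SmtpServer 'smtp.example.test'
```

Event 4698 is only written when the "Audit Other Object Access Events" audit subcategory is enabled, so confirm that before relying on the alert.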
© by FastNeuron Inc.

Linear Mode
Threaded Mode