During an incident investigation, a security analyst notices suspicious outbound traffic from a Windows 10 workstation every 15 minutes. The analyst suspects a malicious scheduled task is triggering the activity and examines the Windows Security log. Which of the following Event IDs would BEST confirm that a new scheduled task was created on the system?
4698 - A scheduled task was created.
5156 - The Windows Filtering Platform permitted a connection.
4624 - An account was successfully logged on.
4648 - A logon was attempted using explicit credentials.
Windows logs Event ID 4698 whenever a new scheduled task is created. Monitoring this ID in the Security log helps analysts spot attacker persistence through rogue tasks. The other IDs relate to successful logons (4624), explicit-credential logons (4648), and permitted network connections (5156), none of which specifically confirm task creation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Event ID 4698?
Open an interactive chat with Bash
How can monitoring Event ID 4698 help detect malicious activity?
Open an interactive chat with Bash
What tools can be used to monitor Windows Security logs for Event ID 4698?