
[Enhancement] Windows: Add scheduled task parsing support#19193

Open
w0rk3r wants to merge 4 commits into main from scheduled_tasks_parser

Conversation


@w0rk3r w0rk3r commented May 25, 2026

Proposed commit message

windows, system: parse Security scheduled task XML

Extract selected TaskContent XML fields into winlog.scheduled_task.* for
Security scheduled task events. Add pipeline tests, field definitions,
generated docs, and a pipeline benchmark for the hot parsing path.

Summary

Related issue: github.com/elastic/ia-trade-team/issues/892

Windows Security scheduled task events expose high-value task definition metadata primarily as raw XML in winlog.event_data.TaskContent and winlog.event_data.TaskContentNew. This makes scheduled-task detection and tuning rely too heavily on TaskName, which is attacker-controlled and easy to masquerade.

This PR parses selected scheduled task XML fields into winlog.scheduled_task.* for Security scheduled task events in the System and Windows forwarded integrations.

Why

Windows scheduled tasks are a common mechanism for persistence, remote execution, privilege abuse, and ransomware deployment. Security events already capture useful scheduled task metadata, but most of the task definition is stored as raw XML in winlog.event_data.TaskContent and winlog.event_data.TaskContentNew, with TaskName being the only readily queryable field today.

That XML contains the behavioral details needed to understand the task: what it runs, when it runs, which account it uses, and whether it is configured in suspicious ways such as hidden execution or elevated run level. Today, those details are not available as structured fields for search, visualization, tuning, or reliable detection logic.

As a result, some detections have to rely on TaskName, which is attacker-controlled and easy to make look benign. This weakens detection quality and can make detections bypassable.

This PR extracts scheduled task metadata into structured winlog.scheduled_task.* fields. That makes scheduled task activity easier to investigate and enables more durable detections based on what the task actually does, not just what it is called.

What changed

This PR adds scheduled task XML parsing for Windows Security events in both the System security data stream and the Windows forwarded data stream.

The new parsing extracts selected task definition metadata from TaskContent and TaskContentNew into winlog.scheduled_task.*, including:

  • task URI and name
  • configured actions
  • executable command, arguments, and working directory
  • COM handler class ID
  • run-as user or group
  • logon type and run level
  • trigger type and enabled state
  • repetition interval, duration, and stop-at-duration-end setting
  • selected task settings such as hidden and enabled

The pipeline handles scheduled task creation, update, enable, disable, and delete events. Delete events do not contain task XML, so they continue to populate the scheduled task name from TaskName only.

Performance

A dedicated system/security pipeline benchmark was added for the scheduled task parsing path. The benchmark uses Security scheduled task events where every document triggers the new XML parser, so it represents the expected worst-case ingest cost for this change.

Warm-run results from the same local environment:

| Target      | EPS       | Processing time | Scheduled task parser avg | Scheduled task parser share |
|-------------|-----------|-----------------|---------------------------|-----------------------------|
| main        | 17,241.38 | 0.14s           | n/a                       | n/a                         |
| This branch | 9,578.54  | 0.26s           | 18.8µs/doc                | 18.01%                      |

This is a worst-case benchmark because every event in the fixture set is a scheduled task event with task XML. In normal Security event streams, the impact should scale with the proportion of events that are scheduled task events carrying TaskContent or TaskContentNew.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Run the System security pipeline tests:

cd packages/system
elastic-package test pipeline --data-streams security

Run the Windows forwarded pipeline tests:

cd packages/windows
elastic-package test pipeline --data-streams forwarded

Run the dedicated pipeline benchmark for the scheduled task parsing path:

cd packages/system
elastic-package stack up -d --services=elasticsearch
elastic-package benchmark pipeline --data-streams security --use-test-samples=false
elastic-package stack down

Screenshots

(screenshot image)
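The parsing this PR describes, written out as an added Python example. This is not the integration's ingest pipeline and not code from the PR: it pulls the listed task definition fields out of a constructed TaskContent sample, falls back to TaskName alone when the event carries no XML (the delete-event case the description mentions), and ends with the kind of content-based check the description argues for (hidden execution, elevated run level). The XML element names and namespace are those of the Windows Task Scheduler schema; the flat output key names, the sample event data, and the review_flags helper are assumptions chosen for illustration, and the real winlog.scheduled_task.* field names are the ones defined in the PR's field definitions.

```python
"""Flatten the TaskContent XML of a Windows Security scheduled task event
into scheduled-task fields, the way the PR's ingest pipeline does.

Added example, not the integration's own pipeline. Output key names are
illustrative assumptions, not the PR's winlog.scheduled_task.* names.
"""
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definition XML.
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample of the event_data of a task creation event. The name
# looks benign; the task content is what a detection should look at.
SAMPLE_EVENT_DATA = {
    "TaskName": "\\Microsoft\\Windows\\Updater",
    "TaskContent": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Updater</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Repetition>
        <Interval>PT5M</Interval>
        <Duration>P1D</Duration>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\updater.exe</Command>
      <Arguments>/silent</Arguments>
      <WorkingDirectory>C:\\Users\\Public</WorkingDirectory>
    </Exec>
  </Actions>
</Task>""",
}


def _text(parent, path):
    """Stripped text of the first child matching path, or None if absent."""
    if parent is None:
        return None
    node = parent.find(path)
    if node is None or node.text is None:
        return None
    return node.text.strip() or None


def _bool(value):
    """Task XML booleans are the literal strings 'true' / 'false'."""
    return None if value is None else value.lower() == "true"


def parse_task_content(xml_text):
    """Extract selected task definition fields from TaskContent XML."""
    root = ET.fromstring(xml_text)
    task = {"uri": _text(root, f"{NS}RegistrationInfo/{NS}URI")}

    # Actions: the action element types, plus Exec and ComHandler details.
    actions = root.find(f"{NS}Actions")
    task["actions"] = [a.tag.replace(NS, "", 1) for a in actions] if actions is not None else []
    exec_action = actions.find(f"{NS}Exec") if actions is not None else None
    task["command"] = _text(exec_action, f"{NS}Command")
    task["arguments"] = _text(exec_action, f"{NS}Arguments")
    task["working_directory"] = _text(exec_action, f"{NS}WorkingDirectory")
    task["com_class_id"] = _text(actions, f"{NS}ComHandler/{NS}ClassId")

    # Principal: run-as user or group, logon type, run level.
    principal = root.find(f"{NS}Principals/{NS}Principal")
    task["run_as"] = _text(principal, f"{NS}UserId") or _text(principal, f"{NS}GroupId")
    task["logon_type"] = _text(principal, f"{NS}LogonType")
    task["run_level"] = _text(principal, f"{NS}RunLevel")

    # First trigger: its type, enabled state and repetition settings.
    triggers = root.find(f"{NS}Triggers")
    trigger = next(iter(triggers), None) if triggers is not None else None
    task["trigger_type"] = trigger.tag.replace(NS, "", 1) if trigger is not None else None
    task["trigger_enabled"] = _bool(_text(trigger, f"{NS}Enabled"))
    task["repetition_interval"] = _text(trigger, f"{NS}Repetition/{NS}Interval")
    task["repetition_duration"] = _text(trigger, f"{NS}Repetition/{NS}Duration")
    task["repetition_stop_at_end"] = _bool(_text(trigger, f"{NS}Repetition/{NS}StopAtDurationEnd"))

    # Selected settings.
    settings = root.find(f"{NS}Settings")
    task["hidden"] = _bool(_text(settings, f"{NS}Hidden"))
    task["enabled"] = _bool(_text(settings, f"{NS}Enabled"))
    return task


def parse_event(event_data):
    """Build the flat task record from winlog.event_data-style input.

    TaskContentNew (update events) is preferred over TaskContent; delete
    events carry neither, so they keep only the name from TaskName.
    """
    task = {"name": event_data.get("TaskName")}
    xml_text = event_data.get("TaskContentNew") or event_data.get("TaskContent")
    if not xml_text:
        return task
    try:
        task.update(parse_task_content(xml_text))
    except ET.ParseError as exc:
        # Keep the event rather than dropping it; record why parsing failed.
        task["parse_error"] = str(exc)
    return task


def review_flags(task):
    """Configuration details worth a second look, independent of the name."""
    flags = []
    if task.get("hidden"):
        flags.append("hidden")
    if task.get("run_level") == "HighestAvailable":
        flags.append("elevated run level")
    return flags


if __name__ == "__main__":
    parsed = parse_event(SAMPLE_EVENT_DATA)
    for key, value in parsed.items():
        print(f"{key}: {value}")
    print("flags:", review_flags(parsed))
```

The record this produces is what makes a benign-looking TaskName irrelevant to the decision: the command path, run-as account, run level and hidden flag are all available as separate fields, so a rule can key on them directly instead of on the attacker-chosen name.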

@w0rk3r w0rk3r self-assigned this May 25, 2026
@w0rk3r w0rk3r added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label May 25, 2026
@w0rk3r w0rk3r requested review from a team as code owners May 25, 2026 21:23
@w0rk3r w0rk3r added the enhancement New feature or request label May 25, 2026
@w0rk3r w0rk3r requested review from khushijain21 and leehinman May 25, 2026 21:23

github-actions Bot commented May 25, 2026

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

History

cc @w0rk3r

@andrewkroh andrewkroh added the Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] label May 26, 2026
@infra-vault-gh-plugin-prod

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)
