Rule enhancement: Add "user" field to rule: WinEvent Scheduled Task Created Within Public Path #3684

@isakhansson

Description
Is your feature request related to a problem? Please describe.
I think it would be a good idea to add the "user" field to this rule https://research.splunk.com/endpoint/5d9c6eee-988c-11eb-8253-acde48001122/?query=public, so that you can see which user created the scheduled task.

Describe the solution you'd like

Adding user to the SPL, like this for example:

```
`wineventlog_security` EventCode=4698 TaskContent IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent, user | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`
```
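The aggregation the proposed SPL performs, worked through as an added Python example that is not part of this issue or of the security_content project: it keeps only EventCode 4698 records, applies the same public-path wildcards to TaskContent, and groups the survivors with and without `user` in the BY clause so the effect of the change is visible on sample data. The event records, host names and user names are constructed; the rendering used by the `security_content_ctime` macro is an assumption.

```python
import fnmatch
from datetime import datetime, timezone

# Wildcards from the rule's TaskContent IN (...) clause. In SPL a doubled
# backslash is one literal backslash, so the patterns are written raw here.
PUBLIC_PATH_PATTERNS = (
    r"*\users\public\*", r"*\programdata\*", r"*\temp\*",
    r"*\windows\tasks\*", r"*\appdata\*", r"*\perflogs\*",
)

# Constructed sample events (not real log data). Field names follow the SPL:
# Computer, TaskName, TaskContent, user and _time (epoch seconds).
SAMPLE_EVENTS = [
    {"EventCode": 4698, "Computer": "ws01.example.test", "TaskName": "\\Updater",
     "TaskContent": r"<Exec><Command>C:\Users\Public\updater.exe</Command></Exec>",
     "user": "alice", "_time": 1700000000},
    {"EventCode": 4698, "Computer": "ws01.example.test", "TaskName": "\\Updater",
     "TaskContent": r"<Exec><Command>C:\Users\Public\updater.exe</Command></Exec>",
     "user": "alice", "_time": 1700000600},
    {"EventCode": 4698, "Computer": "ws01.example.test", "TaskName": "\\Updater",
     "TaskContent": r"<Exec><Command>C:\Users\Public\updater.exe</Command></Exec>",
     "user": "WS01$", "_time": 1700001200},
    # Not in a public path: filtered out by the IN clause.
    {"EventCode": 4698, "Computer": "ws02.example.test", "TaskName": "\\Backup",
     "TaskContent": r"<Exec><Command>C:\Program Files\Backup\backup.exe</Command></Exec>",
     "user": "bob", "_time": 1700000300},
    # Public path, but the user field did not extract (no "user" key at all).
    {"EventCode": 4698, "Computer": "ws03.example.test", "TaskName": "\\Cleanup",
     "TaskContent": r"<Exec><Command>C:\Windows\Temp\cleanup.bat</Command></Exec>",
     "_time": 1700000900},
    # Task updated (4702), not created: excluded by EventCode=4698.
    {"EventCode": 4702, "Computer": "ws02.example.test", "TaskName": "\\Updater",
     "TaskContent": r"<Exec><Command>C:\Users\Public\updater.exe</Command></Exec>",
     "user": "bob", "_time": 1700001500},
]


def in_public_path(task_content: str) -> bool:
    """Case-insensitive wildcard match, like Splunk's IN with * wildcards."""
    value = task_content.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in PUBLIC_PATH_PATTERNS)


def aggregate(events, group_by=("Computer", "TaskName", "TaskContent", "user")):
    """Mirror of: EventCode=4698 TaskContent IN (...) | stats count
    min(_time) as firstTime max(_time) as lastTime by <group_by>
    | rename Computer as dest. Returns one dict per result row."""
    stats = {}
    for ev in events:
        if ev.get("EventCode") != 4698:           # only task-creation events
            continue
        if not in_public_path(ev.get("TaskContent", "")):
            continue
        # Splunk's stats BY silently drops events where any BY field is null,
        # so an event whose user did not extract disappears here as well.
        if any(ev.get(field) is None for field in group_by):
            continue
        key = tuple(ev[field] for field in group_by)
        row = stats.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])

    results = []
    for key, row in stats.items():
        out = dict(zip(group_by, key))
        out["dest"] = out.pop("Computer")        # rename Computer as dest
        out.update(row)
        results.append(out)
    return results


def ctime(epoch: int) -> str:
    """Assumed rendering of `security_content_ctime` (%m/%d/%Y %H:%M:%S), in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


if __name__ == "__main__":
    print("with user in BY clause:")
    for row in aggregate(SAMPLE_EVENTS):
        print(" ", row["dest"], row["TaskName"], row["user"], row["count"],
              ctime(row["firstTime"]), ctime(row["lastTime"]))
    print("without user in BY clause:")
    for row in aggregate(SAMPLE_EVENTS, group_by=("Computer", "TaskName", "TaskContent")):
        print(" ", row["dest"], row["TaskName"], row["count"],
              ctime(row["firstTime"]), ctime(row["lastTime"]))
```

Grouping on `user` splits the ws01 task into one row per creating account, which is the visibility the request asks for. The example also reproduces a side effect of the change: Splunk's `stats ... by` drops events in which any BY field is null, so a 4698 event whose `user` field did not extract (ws03 above) is present without `user` in the BY clause and absent with it. Checking that `user` populates reliably for the `wineventlog_security` source is therefore part of validating the change.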

Labels: enhancement (New feature or request)