
Add 'Start' Activity ID to Scheduled Job Activity

Open Noafr opened this issue 2 years ago • 2 comments

Problem: The Scheduled Job Activity class doesn't contain an activity ID to represent the event in which a scheduled task is started.

Suggestion: Add a 'Start' Activity ID to Scheduled Job Activity.

Noafr avatar Sep 30 '22 10:09 Noafr

Here's an example of a task start event (some information was removed). As part of this event, we also report the process that caused this task to be executed, so no further correlation is needed.

  {
    "agent.uuid": "d4109a56a94a40978bcbf02559911166",
    "event.type": "Task Start",
    "src.process.name": "svchost.exe",
    "event.time": 1665629398752,
    "src.process.uid": "D925897FF93E5A92",
    "src.process.storyline.id": "2E25897FF93E5A92",
    "src.process.user": "",
    "src.process.parent.uid": "8D25897FF93E5A92",
    "task.name": "\\GoogleUpdateTaskMachineUA{C0D7809A-C773-4DE4-884C-1E8FDCE6B5A9}",
    "task.path": "C:\\Program Files\\Google\\Update\\GoogleUpdate.exe"
  } 

Noafr avatar Oct 12 '22 19:10 Noafr

We could use the Process Activity class. Based on the example data above, here is how the event could be translated to the OCSF schema using the Process Activity class. Note that we may not need to add the job object; instead we can use the process object.

{
  "category_uid": 1,
  "category_name": "System Activity",
  "class_uid": 1007,
  "class_name": "Process Activity",
  "type_uid": 100701,
  "type_name": "Process Activity: Launch",
  "activity_uid": 1,
  "activity_name": "Launch",
  "severity_id": 1,
  "severity": "Informational",
  "time": 1665629398752,
  "message": "Task Start",
  "metadata": {
    "version": "0.25.0",
    "product": {
      "vendor_name": "SentinelOne",
      "name": "Singularity For Endpoint",
      "lang": "en",
      "version": "2.0"
    },
    "profiles": [
      "host"
    ]
  },
  "actor_process": {
    "name": "svchost.exe",
    "uid": "D925897FF93E5A92",
    "parent_process": {
      "uid": "8D25897FF93E5A92"
    }
  },
  "process": {
    "name": "\\GoogleUpdateTaskMachineUA{C0D7809A-C773-4DE4-884C-1E8FDCE6B5A9}",
    "file": {
      "type_id": 1,
      "type": "Regular File",
      "name": "GoogleUpdate.exe",
      "parent_folder": "C:\\Program Files\\Google\\Update",
      "path": "C:\\Program Files\\Google\\Update\\GoogleUpdate.exe"
    }
  },
  "job": {
    "name": "\\GoogleUpdateTaskMachineUA{C0D7809A-C773-4DE4-884C-1E8FDCE6B5A9}",
    "file": {
      "type_id": 1,
      "type": "Regular File",
      "name": "GoogleUpdate.exe",
      "parent_folder": "C:\\Program Files\\Google\\Update",
      "path": "C:\\Program Files\\Google\\Update\\GoogleUpdate.exe"
    }
  }
}

rroupski avatar Oct 12 '22 21:10 rroupski